From 5574de0f87e72d85547add9a48f9ac0def27f47d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 2 Aug 2019 13:43:49 +0200
Subject: [PATCH] pam: fix loop in Smartcard authentication
If 'try_cert_auth' or 'require_cert_auth' options are used and a wrong
PIN is entered the PAM responder might end in an endless loop. This
patch uses a flag to avoid the loop and makes sure that during
authentication the error code causing the loop is not returned.
Related to https://pagure.io/SSSD/sssd/issue/4051
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/pam/pamsrv_cmd.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
|
|
d6181b |
index 89bdb78a1..72412204b 100644
|
|
|
d6181b |
--- a/src/responder/pam/pamsrv_cmd.c
|
|
|
d6181b |
+++ b/src/responder/pam/pamsrv_cmd.c
|
|
|
d6181b |
@@ -814,6 +814,7 @@ static void pam_reply(struct pam_auth_req *preq)
|
|
|
d6181b |
pd->pam_status, pam_strerror(NULL, pd->pam_status));
|
|
|
d6181b |
|
|
|
d6181b |
if (pd->cmd == SSS_PAM_AUTHENTICATE
|
|
|
d6181b |
+ && !preq->cert_auth_local
|
|
|
d6181b |
&& (pd->pam_status == PAM_AUTHINFO_UNAVAIL
|
|
|
d6181b |
|| pd->pam_status == PAM_NO_MODULE_DATA
|
|
|
d6181b |
|| pd->pam_status == PAM_BAD_ITEM)
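Review bot: The new `!preq->cert_auth_local` term in the pam_reply() condition is the whole fix for the retry loop, yet nothing at the condition says why an SSS_PAM_AUTHENTICATE reply with PAM_AUTHINFO_UNAVAIL, PAM_NO_MODULE_DATA or PAM_BAD_ITEM must be handled differently once that flag is set. Add a comment above the `if`, e.g. `/* Once local Smartcard authentication has been tried (cert_auth_local), do not take this fallback again; with a wrong PIN it would loop forever (issue 4051). */`. Where and when `cert_auth_local` is set is not visible in this hunk, so the wording should be checked against the code that sets it. The body of the `if` and the rest of pam_reply() lie outside the hunk.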
|
|
|
d6181b |
@@ -1475,7 +1476,8 @@ static void pam_forwarder_cert_cb(struct tevent_req *req)
|
|
|
d6181b |
"No certificate found and no logon name given, " \
|
|
|
d6181b |
"authentication not possible.\n");
|
|
|
d6181b |
ret = ENOENT;
|
|
|
d6181b |
- } else if (pd->cli_flags & PAM_CLI_FLAGS_TRY_CERT_AUTH) {
|
|
|
d6181b |
+ } else if (pd->cmd == SSS_PAM_PREAUTH
|
|
|
d6181b |
+ && (pd->cli_flags & PAM_CLI_FLAGS_TRY_CERT_AUTH)) {
|
|
|
d6181b |
DEBUG(SSSDBG_TRACE_ALL,
|
|
|
d6181b |
"try_cert_auth flag set but no certificate available, "
|
|
|
d6181b |
"request finished.\n");
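Review bot: Restricting the `try_cert_auth` branch in pam_forwarder_cert_cb() to `pd->cmd == SSS_PAM_PREAUTH` means an SSS_PAM_AUTHENTICATE request that carries PAM_CLI_FLAGS_TRY_CERT_AUTH but has no certificate now falls through to whatever `else` branch follows, which is outside this hunk, so the result for that case should be confirmed and stated next to the condition. A short comment would keep the next reader from "simplifying" the check back, e.g. `/* Preauth only: presumably the no-certificate result must not be returned for an authentication request, or pam_reply() re-enters the fallback and loops (issue 4051). */`. The error code that caused the loop is not visible here; the commit message only says it is no longer returned during authentication. pam_forwarder_cert_cb() starts and ends outside the hunk.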
--
2.20.1