From 8ffbe4698421aaafa59f0813232883c4fc41514d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 23 Jul 2015 15:56:44 +0200
Subject: [PATCH 29/37] krb5: do not send SSS_OTP if two factors were used
Resolves https://fedorahosted.org/sssd/ticket/2729
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/krb5/krb5_auth.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 8886456c00c86914da364fd08efc25a488b0e686..d1bf4025b052d82413d1f370a36b0b99720d6f05 100644
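--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -1091,7 +1091,12 @@ static void krb5_auth_done(struct tevent_req *subreq)
 krb5_auth_store_creds(state->domain, pd);
 }
 
-    if (res->otp == true && pd->cmd == SSS_PAM_AUTHENTICATE) {
+    /* The SSS_OTP message will prevent pam_sss from putting the entered
+     * password on the PAM stack for other modules to use. This is not needed
+     * when both factors were entered separately because here the first factor
+     * (long term password) can be passed to the other modules. */
+    if (res->otp == true && pd->cmd == SSS_PAM_AUTHENTICATE
+            && sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_2FA) {
 uint32_t otp_flag = 1;
 ret = pam_add_response(pd, SSS_OTP, sizeof(uint32_t),
 (const uint8_t *) &otp_flag);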
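Review bot: The comment above the new condition explains why SSS_OTP is skipped for 2FA tokens but not why it must still be sent in every other OTP case, and that second half is the security-relevant one: without SSS_OTP the entered value is put on the PAM stack for later modules. I would extend the comment with something like `Keep sending SSS_OTP for single-string input, where the entered value presumably contains the one-time part and must not be reused by other modules.`; the author should confirm the wording, since the single-string format is not visible in this hunk. The check `sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_2FA` also relies on pd->authtok still carrying its original type when krb5_auth_done runs. If an earlier path resets the token, the flag is sent again, which is the safer direction, but a test covering both token types would pin that behaviour. krb5_auth_done starts before and continues after the hunk.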
--
2.4.3