|
 |
71e593 |
From 7e7252616137378731af75a8482d4a4cade33dbd Mon Sep 17 00:00:00 2001
|
|
|
71e593 |
From: Sumit Bose <sbose@redhat.com>
|
|
|
71e593 |
Date: Tue, 9 Oct 2018 10:47:04 +0200
|
|
|
71e593 |
Subject: [PATCH 45/47] PAM: add p11_uri option
|
|
|
71e593 |
|
|
|
71e593 |
Related to https://pagure.io/SSSD/sssd/issue/3814
|
|
|
71e593 |
|
|
|
71e593 |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
71e593 |
(cherry picked from commit 725b65081d19da658b16338686c53dcf16d49de0)
|
|
|
71e593 |
---
|
|
|
71e593 |
src/confdb/confdb.h | 1 +
|
|
|
71e593 |
src/config/SSSDConfig/__init__.py.in | 1 +
|
|
|
71e593 |
src/config/cfg_rules.ini | 1 +
|
|
|
71e593 |
src/config/etc/sssd.api.conf | 1 +
|
|
|
71e593 |
src/man/sssd.conf.5.xml | 33 +++++++++++++++++++++++++++++++++
|
|
|
71e593 |
src/responder/pam/pamsrv.h | 1 +
|
|
|
71e593 |
src/responder/pam/pamsrv_cmd.c | 12 +++++++++++-
|
|
|
71e593 |
src/responder/pam/pamsrv_p11.c | 9 ++++++++-
|
|
|
71e593 |
8 files changed, 57 insertions(+), 2 deletions(-)
|
|
|
71e593 |
|
|
|
71e593 |
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
|
|
71e593 |
index 87904c2146b33b57106ac3799c5a67ee02387e9b..741d4bc47dc77fe23e2ff0bc683354909f61d88f 100644
|
|
|
71e593 |
--- a/src/confdb/confdb.h
|
|
|
71e593 |
+++ b/src/confdb/confdb.h
|
|
|
71e593 |
@@ -133,6 +133,7 @@
|
|
|
71e593 |
#define CONFDB_PAM_WAIT_FOR_CARD_TIMEOUT "p11_wait_for_card_timeout"
|
|
|
71e593 |
#define CONFDB_PAM_APP_SERVICES "pam_app_services"
|
|
|
71e593 |
#define CONFDB_PAM_P11_ALLOWED_SERVICES "pam_p11_allowed_services"
|
|
|
71e593 |
+#define CONFDB_PAM_P11_URI "p11_uri"
|
|
|
71e593 |
|
|
|
71e593 |
/* SUDO */
|
|
|
71e593 |
#define CONFDB_SUDO_CONF_ENTRY "config/sudo"
|
|
|
71e593 |
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
|
|
|
71e593 |
index 4d1dba2d22eae4716fbabe3a3957952f7cd17751..a20157c719765a847a872fe134afe5e0415296db 100644
|
|
|
71e593 |
--- a/src/config/SSSDConfig/__init__.py.in
|
|
|
71e593 |
+++ b/src/config/SSSDConfig/__init__.py.in
|
|
|
71e593 |
@@ -105,6 +105,7 @@ option_strings = {
|
|
|
71e593 |
'pam_app_services' : _('Which PAM services are permitted to contact application domains'),
|
|
|
71e593 |
'pam_p11_allowed_services' : _('Allowed services for using smartcards'),
|
|
|
71e593 |
'p11_wait_for_card_timeout' : _('Additional timeout to wait for a card if requested'),
|
|
|
71e593 |
+ 'p11_uri' : _('PKCS#11 URI to restrict the selection of devices for Smartcard authentication'),
|
|
|
71e593 |
|
|
|
71e593 |
# [sudo]
|
|
|
71e593 |
'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
|
|
|
71e593 |
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
|
|
71e593 |
index 717ccfa3f382b92800bf00ed79f68641a5a83d5c..85366d25dfe508c0faf92d7d0891e287eb66dbe0 100644
|
|
|
71e593 |
--- a/src/config/cfg_rules.ini
|
|
|
71e593 |
+++ b/src/config/cfg_rules.ini
|
|
|
71e593 |
@@ -128,6 +128,7 @@ option = p11_child_timeout
|
|
|
71e593 |
option = pam_app_services
|
|
|
71e593 |
option = pam_p11_allowed_services
|
|
|
71e593 |
option = p11_wait_for_card_timeout
|
|
|
71e593 |
+option = p11_uri
|
|
|
71e593 |
|
|
|
71e593 |
[rule/allowed_sudo_options]
|
|
|
71e593 |
validator = ini_allowed_options
|
|
|
71e593 |
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
|
|
|
71e593 |
index bb686c34480be27d0829b57a853fa05921730630..c6d6690fb44cafb19b0a01b286812c74cdb2fc71 100644
|
|
|
71e593 |
--- a/src/config/etc/sssd.api.conf
|
|
|
71e593 |
+++ b/src/config/etc/sssd.api.conf
|
|
|
71e593 |
@@ -77,6 +77,7 @@ p11_child_timeout = int, None, false
|
|
|
71e593 |
pam_app_services = str, None, false
|
|
|
71e593 |
pam_p11_allowed_services = str, None, false
|
|
|
71e593 |
p11_wait_for_card_timeout = int, None, false
|
|
|
71e593 |
+p11_uri = str, None, false
|
|
|
71e593 |
|
|
|
71e593 |
[sudo]
|
|
|
71e593 |
# sudo service
|
|
|
71e593 |
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
|
|
71e593 |
index 4df0163311fb3845e6a027be7d0b500cb5d2f0b6..c8d53f01f3eedea1e37f6593d02ce1eeaf11d2de 100644
|
|
|
71e593 |
--- a/src/man/sssd.conf.5.xml
|
|
|
71e593 |
+++ b/src/man/sssd.conf.5.xml
|
|
|
71e593 |
@@ -1478,6 +1478,39 @@ pam_p11_allowed_services = +my_pam_service, -login
|
|
|
71e593 |
</para>
|
|
|
71e593 |
</listitem>
|
|
|
71e593 |
</varlistentry>
|
|
|
71e593 |
+ <varlistentry>
|
|
|
71e593 |
+ <term>p11_uri (string)</term>
|
|
|
71e593 |
+ <listitem>
|
|
|
71e593 |
+ <para>
|
|
|
71e593 |
+ PKCS#11 URI (see RFC-7512 for details) which can be
|
|
|
71e593 |
+ used to restrict the selection of devices used for
|
|
|
71e593 |
+ Smartcard authentication. By default SSSD's
|
|
|
71e593 |
+ p11_child will search for a PKCS#11 slot (reader)
|
|
|
71e593 |
+ where the 'removable' flags is set and read the
|
|
|
71e593 |
+ certificates from the inserted token from the first
|
|
|
71e593 |
+ slot found. If multiple readers are connected
|
|
|
71e593 |
+ p11_uri can be use to tell p11_child to use a
|
|
|
71e593 |
+ specific reader.
|
|
|
71e593 |
+ </para>
|
|
|
71e593 |
+ <para>
|
|
|
71e593 |
+ Example:
|
|
|
71e593 |
+ <programlisting>
|
|
|
71e593 |
+p11_uri = slot-description=My%20Smartcar%20Reader
|
|
|
71e593 |
+ </programlisting>
|
|
|
71e593 |
+ or
|
|
|
71e593 |
+ <programlisting>
|
|
|
71e593 |
+p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2
|
|
|
71e593 |
+ </programlisting>
|
|
|
71e593 |
+ To find suitable URI please check the debug output
|
|
|
71e593 |
+ of p11_child. As an alternative the GnuTLS utility
|
|
|
71e593 |
+ 'p11tool' with e.g. the '--list-all' will show
|
|
|
71e593 |
+ PKCS#11 URIs as well.
|
|
|
71e593 |
+ </para>
|
|
|
71e593 |
+ <para>
|
|
|
71e593 |
+ Default: none
|
|
|
71e593 |
+ </para>
|
|
|
71e593 |
+ </listitem>
|
|
|
71e593 |
+ </varlistentry>
|
|
|
71e593 |
</variablelist>
|
|
|
71e593 |
</refsect2>
|
|
|
71e593 |
|
|
|
71e593 |
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
|
|
|
71e593 |
index 5d877566fc7bacced4f6385f1eae344a9e6d8bd4..60aa97967456b9b7ab35e64f103c1c9a17bef3a9 100644
|
|
|
71e593 |
--- a/src/responder/pam/pamsrv.h
|
|
|
71e593 |
+++ b/src/responder/pam/pamsrv.h
|
|
|
71e593 |
@@ -103,6 +103,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
|
|
|
71e593 |
time_t timeout,
|
|
|
71e593 |
const char *verify_opts,
|
|
|
71e593 |
struct sss_certmap_ctx *sss_certmap_ctx,
|
|
|
71e593 |
+ const char *uri,
|
|
|
71e593 |
struct pam_data *pd);
|
|
|
71e593 |
errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
|
|
|
71e593 |
struct cert_auth_info **cert_list);
|
|
|
71e593 |
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
|
|
71e593 |
index 6e37f831602e4c367176cc14126dbbec72c858cd..a22afd225894872847a0fb13e202f927fd2ae124 100644
|
|
|
71e593 |
--- a/src/responder/pam/pamsrv_cmd.c
|
|
|
71e593 |
+++ b/src/responder/pam/pamsrv_cmd.c
|
|
|
71e593 |
@@ -1306,6 +1306,7 @@ static errno_t check_cert(TALLOC_CTX *mctx,
|
|
|
71e593 |
char *cert_verification_opts;
|
|
|
71e593 |
errno_t ret;
|
|
|
71e593 |
struct tevent_req *req;
|
|
|
71e593 |
+ char *uri = NULL;
|
|
|
71e593 |
|
|
|
71e593 |
ret = confdb_get_int(pctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY,
|
|
|
71e593 |
CONFDB_PAM_P11_CHILD_TIMEOUT,
|
|
|
71e593 |
@@ -1342,10 +1343,19 @@ static errno_t check_cert(TALLOC_CTX *mctx,
|
|
|
71e593 |
return ret;
|
|
|
71e593 |
}
|
|
|
71e593 |
|
|
|
71e593 |
+ ret = confdb_get_string(pctx->rctx->cdb, mctx, CONFDB_PAM_CONF_ENTRY,
|
|
|
71e593 |
+ CONFDB_PAM_P11_URI, NULL, &uri);
|
|
|
71e593 |
+ if (ret != EOK) {
|
|
|
71e593 |
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
71e593 |
+ "Failed to read certificate_verification from confdb: [%d]: %s\n",
|
|
|
71e593 |
+ ret, sss_strerror(ret));
|
|
|
71e593 |
+ return ret;
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
req = pam_check_cert_send(mctx, ev, pctx->p11_child_debug_fd,
|
|
|
71e593 |
pctx->nss_db, p11_child_timeout,
|
|
|
71e593 |
cert_verification_opts, pctx->sss_certmap_ctx,
|
|
|
71e593 |
- pd);
|
|
|
71e593 |
+ uri, pd);
|
|
|
71e593 |
if (req == NULL) {
|
|
|
71e593 |
DEBUG(SSSDBG_OP_FAILURE, "pam_check_cert_send failed.\n");
|
|
|
71e593 |
return ENOMEM;
|
|
|
71e593 |
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
|
|
|
71e593 |
index 8b8859d9d335aec6d310201256522fa8afdd3694..491bd2b01d7bf9137b37c35f9da9eca1eed95a6d 100644
|
|
|
71e593 |
--- a/src/responder/pam/pamsrv_p11.c
|
|
|
71e593 |
+++ b/src/responder/pam/pamsrv_p11.c
|
|
|
71e593 |
@@ -711,6 +711,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
|
|
|
71e593 |
time_t timeout,
|
|
|
71e593 |
const char *verify_opts,
|
|
|
71e593 |
struct sss_certmap_ctx *sss_certmap_ctx,
|
|
|
71e593 |
+ const char *uri,
|
|
|
71e593 |
struct pam_data *pd)
|
|
|
71e593 |
{
|
|
|
71e593 |
errno_t ret;
|
|
|
71e593 |
@@ -721,7 +722,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
|
|
|
71e593 |
struct timeval tv;
|
|
|
71e593 |
int pipefd_to_child[2] = PIPE_INIT;
|
|
|
71e593 |
int pipefd_from_child[2] = PIPE_INIT;
|
|
|
71e593 |
- const char *extra_args[14] = { NULL };
|
|
|
71e593 |
+ const char *extra_args[16] = { NULL };
|
|
|
71e593 |
uint8_t *write_buf = NULL;
|
|
|
71e593 |
size_t write_buf_len = 0;
|
|
|
71e593 |
size_t arg_c;
|
|
|
71e593 |
@@ -748,6 +749,12 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
|
|
|
71e593 |
|
|
|
71e593 |
/* extra_args are added in revers order */
|
|
|
71e593 |
arg_c = 0;
|
|
|
71e593 |
+ if (uri != NULL) {
|
|
|
71e593 |
+ DEBUG(SSSDBG_TRACE_ALL, "Adding PKCS#11 URI [%s].\n", uri);
|
|
|
71e593 |
+ extra_args[arg_c++] = uri;
|
|
|
71e593 |
+ extra_args[arg_c++] = "--uri";
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
if ((pd->cli_flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) && pd->priv == 1) {
|
|
|
71e593 |
extra_args[arg_c++] = "--wait_for_card";
|
|
|
71e593 |
}
|
|
|
71e593 |
--
|
|
|
71e593 |
2.14.4
|
|
|
71e593 |
|