From caf7ff9935ce26fa3aba404d9003b8fbcfeb391b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 17 Sep 2018 17:54:26 +0200
Subject: [PATCH 40/47] pam_sss: add try_cert_auth option
With this new option pam_sss can be configured to only do Smartcard
authentication or return an error if this is not possible.
Related to https://pagure.io/SSSD/sssd/issue/3650
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit d3a18f06162b9585d2db936472b75fdbff37162d)
---
src/man/pam_sss.8.xml | 23 +++++++++++++++++++++++
src/sss_client/pam_sss.c | 9 +++++++++
src/sss_client/sss_cli.h | 1 +
3 files changed, 33 insertions(+)
diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml
index d8e6a2041a17814b0ad506170645a5983cc05704..ca2e8e20678d102525a9252678dd83459c3338ac 100644
--- a/src/man/pam_sss.8.xml
+++ b/src/man/pam_sss.8.xml
@@ -50,6 +50,9 @@
<arg choice='opt'>
<replaceable>prompt_always</replaceable>
</arg>
+ <arg choice='opt'>
+ <replaceable>try_cert_auth</replaceable>
+ </arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -200,6 +203,26 @@ auth sufficient pam_sss.so allow_missing_name
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>try_cert_auth</option>
+ </term>
+ <listitem>
+ <para>
+ Try to use certificate based authentication, i.e.
+ authentication with a Smartcard or similar devices. If a
+ Smartcard is available and the service is allowed for
+ Smartcard authentication the use will be prompted for a
+ PIN and the certificate based authentication will
+ continue
+ </para>
+ <para>
+ If no Smartcard is available or certificate based
+ authentication is not allowed for the current service
+ PAM_AUTHINFO_UNAVAIL is returned.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index b336d1f6197b09c062dd4ece836e088e52fe7393..96ff15adad867aceae17431cd5256ae52e4b9306 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1997,6 +1997,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
*flags |= PAM_CLI_FLAGS_ALLOW_MISSING_NAME;
} else if (strcmp(*argv, "prompt_always") == 0) {
*flags |= PAM_CLI_FLAGS_PROMPT_ALWAYS;
+ } else if (strcmp(*argv, "try_cert_auth") == 0) {
+ *flags |= PAM_CLI_FLAGS_TRY_CERT_AUTH;
} else {
logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
}
@@ -2405,6 +2407,13 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
}
}
+ if (flags & PAM_CLI_FLAGS_TRY_CERT_AUTH
+ && pi.cert_list == NULL) {
+ D(("No certificates for authentication available."));
+ overwrite_and_free_pam_items(&pi);
+ return PAM_AUTHINFO_UNAVAIL;
+ }
+
if (strcmp(pi.pam_service, "gdm-smartcard") == 0) {
ret = check_login_token_name(pamh, &pi, quiet_mode);
if (ret != PAM_SUCCESS) {
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index 3404715d811332e9013f3f88cb733c62147fb502..38e3f999d799556a56ac08f0f3a6b538b8cde9f3 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -373,6 +373,7 @@ enum pam_item_type {
#define PAM_CLI_FLAGS_USE_2FA (1 << 5)
#define PAM_CLI_FLAGS_ALLOW_MISSING_NAME (1 << 6)
#define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7)
+#define PAM_CLI_FLAGS_TRY_CERT_AUTH (1 << 8)
#define SSS_NSS_MAX_ENTRIES 256
#define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4)
--
2.14.4