From 8948c89c132d31c8cffd55d60e46a506eb00bbd2 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 7 Sep 2018 22:16:50 +0200 Subject: [PATCH 15/19] PAM: use better PAM error code for failed Smartcard authentication If the user enters a wrong PIN the PAM responder currently returns PAM_USER_UNKNOWN better is PAM_AUTH_ERR. Related to https://pagure.io/SSSD/sssd/issue/3500 Reviewed-by: Jakub Hrozek (cherry picked from commit 442ae7b1d0704cdd667d4f1ba4c165ce3f3ffed4) --- src/responder/pam/pamsrv_cmd.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c index ed9ad57bd6d8c4eda30d8e18f83aeea96474551f..817f3c5134ba4c7358ffb4fbf3c6008fa23ffe0e 100644 --- a/src/responder/pam/pamsrv_cmd.c +++ b/src/responder/pam/pamsrv_cmd.c @@ -1436,7 +1436,9 @@ static void pam_forwarder_cert_cb(struct tevent_req *req) if (pd->cmd == SSS_PAM_AUTHENTICATE) { DEBUG(SSSDBG_CRIT_FAILURE, "No certificate returned, authentication failed.\n"); - ret = ENOENT; + preq->pd->pam_status = PAM_AUTH_ERR; + pam_reply(preq); + return; } else { ret = pam_check_user_search(preq); } -- 2.14.4