|
 |
5fca41 |
From 0a637fff4fe575916bdae0eb17b7c36e8427308a Mon Sep 17 00:00:00 2001
|
|
|
5fca41 |
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
5fca41 |
Date: Wed, 17 Apr 2019 15:07:43 +0200
|
|
|
5fca41 |
Subject: [PATCH] PAM: Also cache SSS_PAM_PREAUTH
|
|
|
5fca41 |
|
|
|
5fca41 |
Related: https://pagure.io/SSSD/sssd/issue/3960
|
|
|
5fca41 |
|
|
|
5fca41 |
Even if cached_auth_timeout was set, the pam responder would still
|
|
|
5fca41 |
forward the preauthentication requests to the back end. This could
|
|
|
5fca41 |
trigger unwanted traffic towards the KDCs.
|
|
|
5fca41 |
|
|
|
5fca41 |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
5fca41 |
(cherry picked from commit c911562d1bea8ae44e45e564c9df5df43d87b035)
|
|
|
5fca41 |
---
|
|
|
5fca41 |
src/man/sssd.conf.5.xml | 4 +++-
|
|
|
5fca41 |
src/responder/pam/pamsrv_cmd.c | 40 +++++++++++++++-------------------
|
|
|
5fca41 |
2 files changed, 21 insertions(+), 23 deletions(-)
|
|
|
5fca41 |
|
|
|
5fca41 |
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
|
|
5fca41 |
index 274809e24..1ab7af00b 100644
|
|
|
5fca41 |
--- a/src/man/sssd.conf.5.xml
|
|
|
5fca41 |
+++ b/src/man/sssd.conf.5.xml
|
|
|
5fca41 |
@@ -2960,7 +2960,9 @@ subdomain_inherit = ldap_purge_cache_timeout
|
|
|
5fca41 |
Specifies time in seconds since last successful
|
|
|
5fca41 |
online authentication for which user will be
|
|
|
5fca41 |
authenticated using cached credentials while
|
|
|
5fca41 |
- SSSD is in the online mode.
|
|
|
5fca41 |
+ SSSD is in the online mode. If the credentials
|
|
|
5fca41 |
+ are incorrect, SSSD falls back to online
|
|
|
5fca41 |
+ authentication.
|
|
|
5fca41 |
</para>
|
|
|
5fca41 |
<para>
|
|
|
5fca41 |
This option's value is inherited by all trusted
|
|
|
5fca41 |
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
|
|
5fca41 |
index 6b2dc5bdc..00302be75 100644
|
|
|
5fca41 |
--- a/src/responder/pam/pamsrv_cmd.c
|
|
|
5fca41 |
+++ b/src/responder/pam/pamsrv_cmd.c
|
|
|
5fca41 |
@@ -803,8 +803,9 @@ static void pam_reply(struct pam_auth_req *preq)
|
|
|
5fca41 |
pam_verbosity = DEFAULT_PAM_VERBOSITY;
|
|
|
5fca41 |
}
|
|
|
5fca41 |
|
|
|
5fca41 |
- DEBUG(SSSDBG_FUNC_DATA,
|
|
|
5fca41 |
- "pam_reply called with result [%d]: %s.\n",
|
|
|
5fca41 |
+ DEBUG(SSSDBG_TRACE_ALL,
|
|
|
5fca41 |
+ "pam_reply initially called with result [%d]: %s. "
|
|
|
5fca41 |
+ "this result might be changed during processing\n",
|
|
|
5fca41 |
pd->pam_status, pam_strerror(NULL, pd->pam_status));
|
|
|
5fca41 |
|
|
|
5fca41 |
if (pd->cmd == SSS_PAM_AUTHENTICATE
|
|
|
5fca41 |
@@ -886,6 +887,7 @@ static void pam_reply(struct pam_auth_req *preq)
|
|
|
5fca41 |
break;
|
|
|
5fca41 |
/* TODO: we need the pam session cookie here to make sure that cached
|
|
|
5fca41 |
* authentication was successful */
|
|
|
5fca41 |
+ case SSS_PAM_PREAUTH:
|
|
|
5fca41 |
case SSS_PAM_SETCRED:
|
|
|
5fca41 |
case SSS_PAM_ACCT_MGMT:
|
|
|
5fca41 |
case SSS_PAM_OPEN_SESSION:
|
|
|
5fca41 |
@@ -1067,6 +1069,8 @@ static void pam_reply(struct pam_auth_req *preq)
|
|
|
5fca41 |
}
|
|
|
5fca41 |
|
|
|
5fca41 |
done:
|
|
|
5fca41 |
+ DEBUG(SSSDBG_FUNC_DATA, "Returning [%d]: %s to the client\n",
|
|
|
5fca41 |
+ pd->pam_status, pam_strerror(NULL, pd->pam_status));
|
|
|
5fca41 |
sss_cmd_done(cctx, preq);
|
|
|
5fca41 |
}
|
|
|
5fca41 |
|
|
|
5fca41 |
@@ -1949,21 +1953,6 @@ done:
|
|
|
5fca41 |
return ret;
|
|
|
5fca41 |
}
|
|
|
5fca41 |
|
|
|
5fca41 |
-static bool pam_is_cmd_cachable(int cmd)
|
|
|
5fca41 |
-{
|
|
|
5fca41 |
- bool is_cachable;
|
|
|
5fca41 |
-
|
|
|
5fca41 |
- switch(cmd) {
|
|
|
5fca41 |
- case SSS_PAM_AUTHENTICATE:
|
|
|
5fca41 |
- is_cachable = true;
|
|
|
5fca41 |
- break;
|
|
|
5fca41 |
- default:
|
|
|
5fca41 |
- is_cachable = false;
|
|
|
5fca41 |
- }
|
|
|
5fca41 |
-
|
|
|
5fca41 |
- return is_cachable;
|
|
|
5fca41 |
-}
|
|
|
5fca41 |
-
|
|
|
5fca41 |
static bool pam_is_authtok_cachable(struct sss_auth_token *authtok)
|
|
|
5fca41 |
{
|
|
|
5fca41 |
enum sss_authtok_type type;
|
|
|
5fca41 |
@@ -1988,11 +1977,18 @@ static bool pam_can_user_cache_auth(struct sss_domain_info *domain,
|
|
|
5fca41 |
errno_t ret;
|
|
|
5fca41 |
bool result = false;
|
|
|
5fca41 |
|
|
|
5fca41 |
- if (!cached_auth_failed /* don't try cached auth again */
|
|
|
5fca41 |
- && domain->cache_credentials
|
|
|
5fca41 |
- && domain->cached_auth_timeout > 0
|
|
|
5fca41 |
- && pam_is_authtok_cachable(authtok)
|
|
|
5fca41 |
- && pam_is_cmd_cachable(pam_cmd)) {
|
|
|
5fca41 |
+ if (cached_auth_failed) {
|
|
|
5fca41 |
+ /* Do not retry indefinitely */
|
|
|
5fca41 |
+ return false;
|
|
|
5fca41 |
+ }
|
|
|
5fca41 |
+
|
|
|
5fca41 |
+ if (!domain->cache_credentials || domain->cached_auth_timeout <= 0) {
|
|
|
5fca41 |
+ return false;
|
|
|
5fca41 |
+ }
|
|
|
5fca41 |
+
|
|
|
5fca41 |
+ if (pam_cmd == SSS_PAM_PREAUTH
|
|
|
5fca41 |
+ || (pam_cmd == SSS_PAM_AUTHENTICATE
|
|
|
5fca41 |
+ && pam_is_authtok_cachable(authtok))) {
|
|
|
5fca41 |
|
|
|
5fca41 |
ret = pam_is_last_online_login_fresh(domain, user,
|
|
|
5fca41 |
domain->cached_auth_timeout,
|
|
|
5fca41 |
--
|
|
|
5fca41 |
2.19.2
|
|
|
5fca41 |
|