rpms / sssd

Clone
Source Code
GIT

Blame SOURCES/0040-pam_sss-add-try_cert_auth-option.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   71e59364bf4bf30ca1631dcafcbe696959a37827
  2.   SOURCES
  3.   0040-pam_sss-add-try_cert_auth-option.patch
Blob History Raw
71e593 
From caf7ff9935ce26fa3aba404d9003b8fbcfeb391b Mon Sep 17 00:00:00 2001
71e593 
From: Sumit Bose <sbose@redhat.com>
71e593 
Date: Mon, 17 Sep 2018 17:54:26 +0200
71e593 
Subject: [PATCH 40/47] pam_sss: add try_cert_auth option
71e593
71e593 
With this new option pam_sss can be configured to only do Smartcard
71e593 
authentication or return an error if this is not possible.
71e593
71e593 
Related to https://pagure.io/SSSD/sssd/issue/3650
71e593
71e593 
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
71e593 
(cherry picked from commit d3a18f06162b9585d2db936472b75fdbff37162d)
71e593 
---
71e593 
 src/man/pam_sss.8.xml    | 23 +++++++++++++++++++++++
71e593 
 src/sss_client/pam_sss.c |  9 +++++++++
71e593 
 src/sss_client/sss_cli.h |  1 +
71e593 
 3 files changed, 33 insertions(+)
71e593
71e593 
diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml
71e593 
index d8e6a2041a17814b0ad506170645a5983cc05704..ca2e8e20678d102525a9252678dd83459c3338ac 100644
71e593 
--- a/src/man/pam_sss.8.xml
71e593 
+++ b/src/man/pam_sss.8.xml
71e593 
@@ -50,6 +50,9 @@
71e593 
             <arg choice='opt'>
71e593 
                 <replaceable>prompt_always</replaceable>
71e593 
             </arg>
71e593 
+            <arg choice='opt'>
71e593 
+                <replaceable>try_cert_auth</replaceable>
71e593 
+            </arg>
71e593 
         </cmdsynopsis>
71e593 
     </refsynopsisdiv>
71e593
71e593 
@@ -200,6 +203,26 @@ auth sufficient pam_sss.so allow_missing_name
71e593 
                     </para>
71e593 
                 </listitem>
71e593 
             </varlistentry>
71e593 
+            <varlistentry>
71e593 
+                <term>
71e593 
+                    <option>try_cert_auth</option>
71e593 
+                </term>
71e593 
+                <listitem>
71e593 
+                    <para>
71e593 
+                        Try to use certificate based authentication, i.e.
71e593 
+                        authentication with a Smartcard or similar devices. If a
71e593 
+                        Smartcard is available and the service is allowed for
71e593 
+                        Smartcard authentication the use will be prompted for a
71e593 
+                        PIN and the certificate based authentication will
71e593 
+                        continue
71e593 
+                    </para>
71e593 
+                    <para>
71e593 
+                        If no Smartcard is available or certificate based
71e593 
+                        authentication is not allowed for the current service
71e593 
+                        PAM_AUTHINFO_UNAVAIL is returned.
71e593 
+                    </para>
71e593 
+                </listitem>
71e593 
+            </varlistentry>
71e593 
         </variablelist>
71e593 
     </refsect1>
71e593
71e593 
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
71e593 
index b336d1f6197b09c062dd4ece836e088e52fe7393..96ff15adad867aceae17431cd5256ae52e4b9306 100644
71e593 
--- a/src/sss_client/pam_sss.c
71e593 
+++ b/src/sss_client/pam_sss.c
71e593 
@@ -1997,6 +1997,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
71e593 
             *flags |= PAM_CLI_FLAGS_ALLOW_MISSING_NAME;
71e593 
         } else if (strcmp(*argv, "prompt_always") == 0) {
71e593 
             *flags |= PAM_CLI_FLAGS_PROMPT_ALWAYS;
71e593 
+        } else if (strcmp(*argv, "try_cert_auth") == 0) {
71e593 
+            *flags |= PAM_CLI_FLAGS_TRY_CERT_AUTH;
71e593 
         } else {
71e593 
             logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
71e593 
         }
71e593 
@@ -2405,6 +2407,13 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
71e593 
                     }
71e593 
                 }
71e593
71e593 
+                if (flags & PAM_CLI_FLAGS_TRY_CERT_AUTH
71e593 
+                        && pi.cert_list == NULL) {
71e593 
+                    D(("No certificates for authentication available."));
71e593 
+                    overwrite_and_free_pam_items(&pi);
71e593 
+                    return PAM_AUTHINFO_UNAVAIL;
71e593 
+                }
71e593 
+
71e593 
                 if (strcmp(pi.pam_service, "gdm-smartcard") == 0) {
71e593 
                     ret = check_login_token_name(pamh, &pi, quiet_mode);
71e593 
                     if (ret != PAM_SUCCESS) {
71e593 
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
71e593 
index 3404715d811332e9013f3f88cb733c62147fb502..38e3f999d799556a56ac08f0f3a6b538b8cde9f3 100644
71e593 
--- a/src/sss_client/sss_cli.h
71e593 
+++ b/src/sss_client/sss_cli.h
71e593 
@@ -373,6 +373,7 @@ enum pam_item_type {
71e593 
 #define PAM_CLI_FLAGS_USE_2FA (1 << 5)
71e593 
 #define PAM_CLI_FLAGS_ALLOW_MISSING_NAME (1 << 6)
71e593 
 #define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7)
71e593 
+#define PAM_CLI_FLAGS_TRY_CERT_AUTH (1 << 8)
71e593
71e593 
 #define SSS_NSS_MAX_ENTRIES 256
71e593 
 #define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4)
71e593 
--
71e593 
2.14.4
71e593

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation