From e989620bd2b4f7094dee3ef740ba92d0cf45d0c8 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 19 Aug 2019 17:38:04 +0200
Subject: [PATCH] pam: keep pin on the PAM stack for forward_pass
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Currently only the password or the long-term part of a two-factor
authentication was kept on the PAM stack if pam_sss.so has the option
forward_pass. With this patch the Smartcard PIN can be forwarded to
other PAM modules as well.
Related https://pagure.io/SSSD/sssd/issue/4067
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/sss_client/pam_sss.c | 11 ++++++++++-
src/tests/cmocka/test_authtok.c | 5 +++++
src/util/authtok-utils.c | 33 +++++++++++++++++++++++++++++++++
src/util/authtok-utils.h | 10 ++++++++++
4 files changed, 58 insertions(+), 1 deletion(-)
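--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -2116,6 +2116,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
 uint32_t flags)
 {
 int ret;
+ const char *pin = NULL;
 
 if ((flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
 || ( pi->pamstack_authtok != NULL
@@ -2166,11 +2167,19 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
 if (flags & PAM_CLI_FLAGS_FORWARD_PASS) {
 if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_PASSWORD) {
 ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_authtok);
+ } else if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_SC_PIN) {
+ pin = sss_auth_get_pin_from_sc_blob((uint8_t *) pi->pam_authtok,
+ pi->pam_authtok_size);
+ if (pin != NULL) {
+ ret = pam_set_item(pamh, PAM_AUTHTOK, pin);
+ } else {
+ ret = PAM_SYSTEM_ERR;
+ }
 } else if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_2FA
 && pi->first_factor != NULL) {
 ret = pam_set_item(pamh, PAM_AUTHTOK, pi->first_factor);
 } else {
- ret = EINVAL;
+ ret = PAM_SYSTEM_ERR;
 }
 if (ret != PAM_SUCCESS) {
 D(("Failed to set PAM_AUTHTOK [%s], "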
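--- a/src/tests/cmocka/test_authtok.c
+++ b/src/tests/cmocka/test_authtok.c
@@ -473,6 +473,11 @@ void test_sss_authtok_sc_blobs(void **state)
 needed_size);
 #endif
 
+ pin = sss_auth_get_pin_from_sc_blob(buf, needed_size);
+ assert_non_null(pin);
+ assert_string_equal(pin, "abc");
+ pin = NULL;
+
 ret = sss_authtok_set(ts->authtoken, SSS_AUTHTOK_TYPE_SC_PIN, buf,
 needed_size);
 assert_int_equal(ret, EOK);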
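--- a/src/util/authtok-utils.c
+++ b/src/util/authtok-utils.c
@@ -163,3 +163,36 @@ errno_t sss_auth_pack_sc_blob(const char *pin, size_t pin_len,
 
 return 0;
 }
+
+const char *sss_auth_get_pin_from_sc_blob(uint8_t *blob, size_t blob_len)
+{
+ size_t c = 0;
+ uint32_t pin_len;
+ uint32_t token_name_len;
+ uint32_t module_name_len;
+ uint32_t key_id_len;
+
+ if (blob == NULL || blob_len == 0) {
+ return NULL;
+ }
+
+ SAFEALIGN_COPY_UINT32(&pin_len, blob, &c);
+ if (pin_len == 0) {
+ return NULL;
+ }
+
+ SAFEALIGN_COPY_UINT32(&token_name_len, blob + c, &c);
+ SAFEALIGN_COPY_UINT32(&module_name_len, blob + c, &c);
+ SAFEALIGN_COPY_UINT32(&key_id_len, blob + c, &c);
+
+ if (blob_len != 4 * sizeof(uint32_t) + pin_len + token_name_len
+ + module_name_len + key_id_len) {
+ return NULL;
+ }
+
+ if (blob[c + pin_len - 1] != '\0') {
+ return NULL;
+ }
+
+ return (const char *) blob + c;
+}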
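--- a/src/util/authtok-utils.h
+++ b/src/util/authtok-utils.h
@@ -123,4 +123,14 @@ errno_t sss_auth_unpack_sc_blob(TALLOC_CTX *mem_ctx,
 char **token_name, size_t *_token_name_len,
 char **module_name, size_t *_module_name_len,
 char **key_id, size_t *_key_id_len);
+
+/**
+ * @brief Return a pointer to the PIN string in the memory buffer
+ *
+ * @param[in] blob Memory buffer containing the 2FA data
+ * @param[in] blob_len Size of the memory buffer
+ *
+ * @return pointer to 0-terminate PIN string in the memory buffer
+ */
+const char *sss_auth_get_pin_from_sc_blob(uint8_t *blob, size_t blob_len);
 #endif /* __AUTHTOK_UTILS_H__ */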
--
2.20.1