|
 |
ecf709 |
From 01ed8c7d7fcd9090d0953f85ef0604cbcad4f48b Mon Sep 17 00:00:00 2001
|
|
|
ecf709 |
From: Sumit Bose <sbose@redhat.com>
|
|
|
ecf709 |
Date: Thu, 16 Mar 2017 20:43:08 +0100
|
|
|
ecf709 |
Subject: [PATCH 57/60] krb5: return to responder that pkinit is not available
|
|
|
ecf709 |
MIME-Version: 1.0
|
|
|
ecf709 |
Content-Type: text/plain; charset=UTF-8
|
|
|
ecf709 |
Content-Transfer-Encoding: 8bit
|
|
|
ecf709 |
|
|
|
ecf709 |
If pkinit is not available for a user but other authentication methods
|
|
|
ecf709 |
are SSSD should still fall back to local certificate based
|
|
|
ecf709 |
authentication if Smartcard credentials are provided.
|
|
|
ecf709 |
|
|
|
ecf709 |
Resolves https://pagure.io/SSSD/sssd/issue/3343
|
|
|
ecf709 |
|
|
|
ecf709 |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
ecf709 |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
ecf709 |
---
|
|
|
ecf709 |
src/providers/krb5/krb5_child.c | 17 +++++++++++++----
|
|
|
ecf709 |
1 file changed, 13 insertions(+), 4 deletions(-)
|
|
|
ecf709 |
|
|
|
ecf709 |
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
|
|
|
ecf709 |
index 777a25f2a0ea434dde12d2396f6a35c2a1b86cd0..a4128dda6b0861a95dba223047d66c4158b1afb6 100644
|
|
|
ecf709 |
--- a/src/providers/krb5/krb5_child.c
|
|
|
ecf709 |
+++ b/src/providers/krb5/krb5_child.c
|
|
|
ecf709 |
@@ -42,6 +42,10 @@
|
|
|
ecf709 |
|
|
|
ecf709 |
#define SSSD_KRB5_CHANGEPW_PRINCIPAL "kadmin/changepw"
|
|
|
ecf709 |
|
|
|
ecf709 |
+#define IS_SC_AUTHTOK(tok) ( \
|
|
|
ecf709 |
+ sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_PIN \
|
|
|
ecf709 |
+ || sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_KEYPAD)
|
|
|
ecf709 |
+
|
|
|
ecf709 |
enum k5c_fast_opt {
|
|
|
ecf709 |
K5C_FAST_NEVER,
|
|
|
ecf709 |
K5C_FAST_TRY,
|
|
|
ecf709 |
@@ -1529,12 +1533,17 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
|
|
|
ecf709 |
* pre-auth module is missing or no Smartcard is inserted and only
|
|
|
ecf709 |
* pkinit is available KRB5_PREAUTH_FAILED is returned.
|
|
|
ecf709 |
* ERR_NO_AUTH_METHOD_AVAILABLE is used to indicate to the
|
|
|
ecf709 |
- * frontend that local authentication might be tried. */
|
|
|
ecf709 |
+ * frontend that local authentication might be tried.
|
|
|
ecf709 |
+ * Same is true if Smartcard credentials are given but only other
|
|
|
ecf709 |
+ * authentication methods are available. */
|
|
|
ecf709 |
if (kr->pd->cmd == SSS_PAM_AUTHENTICATE
|
|
|
ecf709 |
&& kerr == KRB5_PREAUTH_FAILED
|
|
|
ecf709 |
- && kr->password_prompting == false
|
|
|
ecf709 |
- && kr->otp == false
|
|
|
ecf709 |
- && kr->pkinit_prompting == false) {
|
|
|
ecf709 |
+ && kr->pkinit_prompting == false
|
|
|
ecf709 |
+ && (( kr->password_prompting == false
|
|
|
ecf709 |
+ && kr->otp == false)
|
|
|
ecf709 |
+ || ((kr->otp == true
|
|
|
ecf709 |
+ || kr->password_prompting == true)
|
|
|
ecf709 |
+ && IS_SC_AUTHTOK(kr->pd->authtok))) ) {
|
|
|
ecf709 |
return ERR_NO_AUTH_METHOD_AVAILABLE;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
return kerr;
|
|
|
ecf709 |
--
|
|
|
ecf709 |
2.9.3
|
|
|
ecf709 |
|