rpms / sssd

Clone
Source Code
GIT

Blame SOURCES/0087-pam-better-SC-fallback-message.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   1ad1a28fdc2ba9dedbba988c6a3964cd04c76394
  2.   SOURCES
  3.   0087-pam-better-SC-fallback-message.patch
Blob History Raw
1ad1a2 
From bcb392e60c1935a98738988c5289585acd89ce82 Mon Sep 17 00:00:00 2001
1ad1a2 
From: Sumit Bose <sbose@redhat.com>
1ad1a2 
Date: Mon, 21 Feb 2022 18:02:47 +0100
1ad1a2 
Subject: [PATCH 87/88] pam: better SC fallback message
1ad1a2 
MIME-Version: 1.0
1ad1a2 
Content-Type: text/plain; charset=UTF-8
1ad1a2 
Content-Transfer-Encoding: 8bit
1ad1a2
1ad1a2 
If no suitable certificates were found or if gdm-smartcard was somehow
1ad1a2 
activated without a Smartcard present ask to (re)-insert a Smartcard.
1ad1a2
1ad1a2 
Resolves: https://github.com/SSSD/sssd/issues/6022
1ad1a2
1ad1a2 
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
1ad1a2 
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
1ad1a2 
(cherry picked from commit 4d2277f8c3065771a8c3bbc7938309a4905640f0)
1ad1a2
1ad1a2 
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
1ad1a2 
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
1ad1a2 
---
1ad1a2 
 src/sss_client/pam_sss.c | 47 +++++++++++++++++++++++-----------------
1ad1a2 
 1 file changed, 27 insertions(+), 20 deletions(-)
1ad1a2
1ad1a2 
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
1ad1a2 
index 7084ce953..feb4837fb 100644
1ad1a2 
--- a/src/sss_client/pam_sss.c
1ad1a2 
+++ b/src/sss_client/pam_sss.c
1ad1a2 
@@ -1787,40 +1787,39 @@ static int prompt_multi_cert(pam_handle_t *pamh, struct pam_items *pi)
1ad1a2 
     return ret;
1ad1a2 
 }
1ad1a2
1ad1a2 
+#define SC_INSERT_PROMPT _("Please (re)insert (different) Smartcard")
1ad1a2 
+
1ad1a2 
 static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
1ad1a2 
 {
1ad1a2 
     int ret;
1ad1a2 
     char *answer = NULL;
1ad1a2 
-    char *prompt;
1ad1a2 
-    size_t size;
1ad1a2 
+    char *prompt = NULL;
1ad1a2 
     size_t needed_size;
1ad1a2 
     const struct pam_conv *conv;
1ad1a2 
     const struct pam_message *mesg[2] = { NULL, NULL };
1ad1a2 
     struct pam_message m[2] = { { 0 }, { 0 } };
1ad1a2 
     struct pam_response *resp = NULL;
1ad1a2 
     struct cert_auth_info *cai = pi->selected_cert;
1ad1a2 
-    struct cert_auth_info empty_cai = { NULL, NULL, discard_const("Smartcard"),
1ad1a2 
-                                        NULL, NULL, NULL, NULL, NULL, NULL };
1ad1a2
1ad1a2 
     if (cai == NULL && SERVICE_IS_GDM_SMARTCARD(pi)) {
1ad1a2 
-        cai = &empty_cai;
1ad1a2 
+        ret = asprintf(&prompt, SC_INSERT_PROMPT);
1ad1a2 
     } else if (cai == NULL || cai->token_name == NULL
1ad1a2 
                     || *cai->token_name == '\0') {
1ad1a2 
-        return EINVAL;
1ad1a2 
+        return PAM_SYSTEM_ERR;
1ad1a2 
+    } else {
1ad1a2 
+        ret = asprintf(&prompt, SC_PROMPT_FMT, cai->token_name);
1ad1a2 
     }
1ad1a2
1ad1a2 
-    size = sizeof(SC_PROMPT_FMT) + strlen(cai->token_name);
1ad1a2 
-    prompt = malloc(size);
1ad1a2 
-    if (prompt == NULL) {
1ad1a2 
-        D(("malloc failed."));
1ad1a2 
-        return ENOMEM;
1ad1a2 
+    if (ret == -1) {
1ad1a2 
+        D(("asprintf failed."));
1ad1a2 
+        return PAM_SYSTEM_ERR;
1ad1a2 
     }
1ad1a2
1ad1a2 
-    ret = snprintf(prompt, size, SC_PROMPT_FMT, cai->token_name);
1ad1a2 
-    if (ret < 0 || ret >= size) {
1ad1a2 
-        D(("snprintf failed."));
1ad1a2 
-        free(prompt);
1ad1a2 
-        return EFAULT;
1ad1a2 
+    if (cai == NULL) {
1ad1a2 
+        ret = do_pam_conversation(pamh, PAM_TEXT_INFO, prompt, NULL, NULL);
1ad1a2 
+        if (ret != PAM_SUCCESS) {
1ad1a2 
+            D(("Conversation failure: %s, ignored", pam_strerror(pamh, ret)));
1ad1a2 
+        }
1ad1a2 
     }
1ad1a2
1ad1a2 
     if (pi->user_name_hint) {
1ad1a2 
@@ -1907,10 +1906,18 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
1ad1a2 
         }
1ad1a2 
     }
1ad1a2
1ad1a2 
-    if (answer == NULL) {
1ad1a2 
-        pi->pam_authtok = NULL;
1ad1a2 
-        pi->pam_authtok_type = SSS_AUTHTOK_TYPE_EMPTY;
1ad1a2 
-        pi->pam_authtok_size=0;
1ad1a2 
+    if (cai == NULL) {
1ad1a2 
+        /* it is expected that the user just replaces the Smartcard which
1ad1a2 
+         * would trigger gdm to restart the PAM module, so it is not
1ad1a2 
+         * expected that this part of the code is reached. */
1ad1a2 
+        ret = PAM_AUTHINFO_UNAVAIL;
1ad1a2 
+        goto done;
1ad1a2 
+    }
1ad1a2 
+
1ad1a2 
+    if (answer == NULL || *answer == '\0') {
1ad1a2 
+        D(("Missing PIN."));
1ad1a2 
+        ret = PAM_CRED_INSUFFICIENT;
1ad1a2 
+        goto done;
1ad1a2 
     } else {
1ad1a2
1ad1a2 
         ret = sss_auth_pack_sc_blob(answer, 0, cai->token_name, 0,
1ad1a2 
--
1ad1a2 
2.35.3
1ad1a2

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation