rpms / sssd

Clone
Source Code
GIT

Blame SOURCES/0088-pam_sss-fix-for-old-GDM-screen-lock.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   71ae415f6e84f9ae87d683021626d96a4efd2c83
  2.   SOURCES
  3.   0088-pam_sss-fix-for-old-GDM-screen-lock.patch
Blob History Raw
1ad1a2 
From ddfc7e99e96ee732586c07342900d287d2378802 Mon Sep 17 00:00:00 2001
1ad1a2 
From: Sumit Bose <sbose@redhat.com>
1ad1a2 
Date: Mon, 30 May 2022 11:56:24 +0200
1ad1a2 
Subject: [PATCH 88/88] pam_sss: fix for old GDM screen lock
1ad1a2 
MIME-Version: 1.0
1ad1a2 
Content-Type: text/plain; charset=UTF-8
1ad1a2 
Content-Transfer-Encoding: 8bit
1ad1a2
1ad1a2 
In contrast to the login screen the lock screen of older GDM versions
1ad1a2 
does not restart PAM if a new Smartcard is inserted. So the user must
1ad1a2 
press the enter key explicitly restart PAM. This patch uses a dedicated
1ad1a2 
prompt in this case and overwrites any other error message shown in
1ad1a2 
between.
1ad1a2
1ad1a2 
Resolves: https://github.com/SSSD/sssd/issues/6022
1ad1a2
1ad1a2 
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
1ad1a2 
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
1ad1a2 
---
1ad1a2 
 src/sss_client/pam_sss.c | 18 +++++++++++++++++-
1ad1a2 
 1 file changed, 17 insertions(+), 1 deletion(-)
1ad1a2
1ad1a2 
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
1ad1a2 
index feb4837fb..db41fdb67 100644
1ad1a2 
--- a/src/sss_client/pam_sss.c
1ad1a2 
+++ b/src/sss_client/pam_sss.c
1ad1a2 
@@ -1788,6 +1788,7 @@ static int prompt_multi_cert(pam_handle_t *pamh, struct pam_items *pi)
1ad1a2 
 }
1ad1a2
1ad1a2 
 #define SC_INSERT_PROMPT _("Please (re)insert (different) Smartcard")
1ad1a2 
+#define SC_INSERT_PROMPT_ENTER _("Please (re)insert (different) Smartcard and press enter")
1ad1a2
1ad1a2 
 static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
1ad1a2 
 {
1ad1a2 
@@ -1802,7 +1803,16 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
1ad1a2 
     struct cert_auth_info *cai = pi->selected_cert;
1ad1a2
1ad1a2 
     if (cai == NULL && SERVICE_IS_GDM_SMARTCARD(pi)) {
1ad1a2 
-        ret = asprintf(&prompt, SC_INSERT_PROMPT);
1ad1a2 
+        /* Older versions of the GDM screen lock do not restart PAM if a
1ad1a2 
+         * Smartcard is removed and inserted again in contrast to the login
1ad1a2 
+         * screen. The PKCS11_LOGIN_TOKEN_NAME enviroment variable is used to
1ad1a2 
+         * detect the screen lock mode and the user is prompted to press the
1ad1a2 
+         * enter key. */
1ad1a2 
+        if (getenv("PKCS11_LOGIN_TOKEN_NAME") == NULL) {
1ad1a2 
+            ret = asprintf(&prompt, SC_INSERT_PROMPT);
1ad1a2 
+        } else {
1ad1a2 
+            ret = asprintf(&prompt, SC_INSERT_PROMPT_ENTER);
1ad1a2 
+        }
1ad1a2 
     } else if (cai == NULL || cai->token_name == NULL
1ad1a2 
                     || *cai->token_name == '\0') {
1ad1a2 
         return PAM_SYSTEM_ERR;
1ad1a2 
@@ -1820,6 +1830,12 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
1ad1a2 
         if (ret != PAM_SUCCESS) {
1ad1a2 
             D(("Conversation failure: %s, ignored", pam_strerror(pamh, ret)));
1ad1a2 
         }
1ad1a2 
+    } else {
1ad1a2 
+        /* clear previous messages, if any */
1ad1a2 
+        ret = do_pam_conversation(pamh, PAM_TEXT_INFO, "", NULL, NULL);
1ad1a2 
+        if (ret != PAM_SUCCESS) {
1ad1a2 
+            D(("Conversation failure: %s, ignored", pam_strerror(pamh, ret)));
1ad1a2 
+        }
1ad1a2 
     }
1ad1a2
1ad1a2 
     if (pi->user_name_hint) {
1ad1a2 
--
1ad1a2 
2.35.3
1ad1a2

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation