From caf7ff9935ce26fa3aba404d9003b8fbcfeb391b Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 17 Sep 2018 17:54:26 +0200 Subject: [PATCH 40/47] pam_sss: add try_cert_auth option With this new option pam_sss can be configured to only do Smartcard authentication or return an error if this is not possible. Related to https://pagure.io/SSSD/sssd/issue/3650 Reviewed-by: Jakub Hrozek (cherry picked from commit d3a18f06162b9585d2db936472b75fdbff37162d) --- src/man/pam_sss.8.xml | 23 +++++++++++++++++++++++ src/sss_client/pam_sss.c | 9 +++++++++ src/sss_client/sss_cli.h | 1 + 3 files changed, 33 insertions(+) diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml index d8e6a2041a17814b0ad506170645a5983cc05704..ca2e8e20678d102525a9252678dd83459c3338ac 100644 --- a/src/man/pam_sss.8.xml +++ b/src/man/pam_sss.8.xml @@ -50,6 +50,9 @@ prompt_always + + try_cert_auth + @@ -200,6 +203,26 @@ auth sufficient pam_sss.so allow_missing_name + + + + + + + Try to use certificate based authentication, i.e. + authentication with a Smartcard or similar devices. If a + Smartcard is available and the service is allowed for + Smartcard authentication the use will be prompted for a + PIN and the certificate based authentication will + continue + + + If no Smartcard is available or certificate based + authentication is not allowed for the current service + PAM_AUTHINFO_UNAVAIL is returned. + + + diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index b336d1f6197b09c062dd4ece836e088e52fe7393..96ff15adad867aceae17431cd5256ae52e4b9306 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -1997,6 +1997,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv, *flags |= PAM_CLI_FLAGS_ALLOW_MISSING_NAME; } else if (strcmp(*argv, "prompt_always") == 0) { *flags |= PAM_CLI_FLAGS_PROMPT_ALWAYS; + } else if (strcmp(*argv, "try_cert_auth") == 0) { + *flags |= PAM_CLI_FLAGS_TRY_CERT_AUTH; } else { logger(pamh, LOG_WARNING, "unknown option: %s", *argv); } @@ -2405,6 +2407,13 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, } } + if (flags & PAM_CLI_FLAGS_TRY_CERT_AUTH + && pi.cert_list == NULL) { + D(("No certificates for authentication available.")); + overwrite_and_free_pam_items(&pi); + return PAM_AUTHINFO_UNAVAIL; + } + if (strcmp(pi.pam_service, "gdm-smartcard") == 0) { ret = check_login_token_name(pamh, &pi, quiet_mode); if (ret != PAM_SUCCESS) { diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h index 3404715d811332e9013f3f88cb733c62147fb502..38e3f999d799556a56ac08f0f3a6b538b8cde9f3 100644 --- a/src/sss_client/sss_cli.h +++ b/src/sss_client/sss_cli.h @@ -373,6 +373,7 @@ enum pam_item_type { #define PAM_CLI_FLAGS_USE_2FA (1 << 5) #define PAM_CLI_FLAGS_ALLOW_MISSING_NAME (1 << 6) #define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7) +#define PAM_CLI_FLAGS_TRY_CERT_AUTH (1 << 8) #define SSS_NSS_MAX_ENTRIES 256 #define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4) -- 2.14.4