author | Jakub Hrozek <jhrozek@redhat.com> | 2015-07-06 13:41:14 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-07-06 20:19:15 +0200 |
commit | 7e798b94cfffe7bf8f7b477d540b95d52ca1f6e4 (patch) | |
tree | 6eb6586b0271f268a9fa75ed1c7fa87421f3d962 | |
parent | 6aff93510b36799c1773d368cc218cd533c43161 (diff) | |
download | sssd-7e798b94cfffe7bf8f7b477d540b95d52ca1f6e4.tar.gz sssd-7e798b94cfffe7bf8f7b477d540b95d52ca1f6e4.tar.xz sssd-7e798b94cfffe7bf8f7b477d540b95d52ca1f6e4.zip |
PAM: Only cache first-factor
Reviewed-by: Sumit Bose <sbose@redhat.com>
-rw-r--r-- | src/responder/pam/pamsrv_cmd.c | 21 |
1 files changed, 20 insertions, 1 deletions
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index c144406aa..9c32f40ff 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1492,9 +1492,26 @@ static bool pam_is_cmd_cachable(int cmd)
 return is_cachable;
 }
 
+static bool pam_is_authtok_cachable(struct sss_auth_token *authtok)
+{
+ enum sss_authtok_type type;
+ bool cachable = false;
+
+ type = sss_authtok_get_type(authtok);
+ if (type == SSS_AUTHTOK_TYPE_PASSWORD) {
+ cachable = true;
+ } else {
+ DEBUG(SSSDBG_TRACE_LIBS, "Authentication token can't be cached\n");
+ }
+
+ return cachable;
+}
+
 static bool pam_can_user_cache_auth(struct confdb_ctx *cdb,
 struct sss_domain_info *domain,
- int pam_cmd, const char* user,
+ int pam_cmd,
+ struct sss_auth_token *authtok,
+ const char* user,
 bool cached_auth_failed)
 {
 errno_t ret;
@@ -1503,6 +1520,7 @@ static bool pam_can_user_cache_auth(struct confdb_ctx *cdb,
 if (!cached_auth_failed /* don't try cached auth again */
 && domain->cache_credentials
 && domain->cached_auth_timeout > 0
+ && pam_is_authtok_cachable(authtok)
 && pam_is_cmd_cachable(pam_cmd)) {
 
 ret = pam_is_last_online_login_fresh(domain, user, cdb,
@@ -1553,6 +1571,7 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
 if (pam_can_user_cache_auth(pctx->rctx->cdb,
 preq->domain,
 preq->pd->cmd,
+ preq->pd->authtok,
 preq->pd->user,
 preq->cached_auth_failed)) {
 preq->use_cached_auth = true; |
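Review bot: The new `pam_is_authtok_cachable` in the first hunk carries no comment explaining why only `SSS_AUTHTOK_TYPE_PASSWORD` is eligible, and the commit message ("Only cache first-factor") is the only place that intent lives; a reader of the function sees an arbitrary type check. I would put a header comment above the function along the lines of `/* Only a plain password may be answered from the credential cache. Any other token type (e.g. a two-factor token) carries a factor the cache cannot verify, so those requests must always reach the backend; default to "not cachable" for any type not listed here. */`. The default-false shape is the right fail-closed direction and worth stating explicitly so a future token type does not get cached by accident. The TRACE_LIBS debug message on the else branch fires for every non-password token, which is fine as a trace but could name the rejected type (`sss_authtok_get_type` result) to make offline-auth troubleshooting easier; `pam_can_user_cache_auth` and `pam_dom_forwarder` both extend past their hunks.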