author | Sumit Bose <sbose@redhat.com> | 2015-07-23 15:56:44 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-07-29 17:24:26 +0200 |
commit | b698a04b37ad33e3de5bee82edc6e0e7b5ba2cfe (patch) | |
tree | 222f9eb40db1a404b0f4658f14a0b23981c2dc91 | |
parent | b0ee27fd94f1d20d9c220754ae008a3189752287 (diff) | |
download | sssd-b698a04b37ad33e3de5bee82edc6e0e7b5ba2cfe.tar.gz sssd-b698a04b37ad33e3de5bee82edc6e0e7b5ba2cfe.tar.xz sssd-b698a04b37ad33e3de5bee82edc6e0e7b5ba2cfe.zip |
krb5: do not send SSS_OTP if two factors were used
Resolves https://fedorahosted.org/sssd/ticket/2729
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-rw-r--r-- | src/providers/krb5/krb5_auth.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index c94f2b26f..1c55ec3fc 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -1091,7 +1091,12 @@ static void krb5_auth_done(struct tevent_req *subreq)
         krb5_auth_store_creds(state->domain, pd);
     }
 
-    if (res->otp == true && pd->cmd == SSS_PAM_AUTHENTICATE) {
+    /* The SSS_OTP message will prevent pam_sss from putting the entered
+     * password on the PAM stack for other modules to use. This is not needed
+     * when both factors were entered separately because here the first factor
+     * (long term password) can be passed to the other modules. */
+    if (res->otp == true && pd->cmd == SSS_PAM_AUTHENTICATE
+        && sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_2FA) {
         uint32_t otp_flag = 1;
         ret = pam_add_response(pd, SSS_OTP, sizeof(uint32_t),
                                (const uint8_t *) &otp_flag);
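Review bot: The new third operand of the condition makes the SSS_OTP decision depend on the authtok type, but when the branch is skipped for SSS_AUTHTOK_TYPE_2FA nothing records that the long-term password is deliberately being left available to later PAM modules, which is the case an administrator will most want to see in the logs when tracing OTP behaviour. An `else if (res->otp == true && pd->cmd == SSS_PAM_AUTHENTICATE)` arm at the closing brace of this block, holding `DEBUG(SSSDBG_TRACE_FUNC, "Two-factor authtok used, not adding SSS_OTP response.\n");`, would make the skipped path visible without changing the decision. On the rewritten `if` line, `res->otp == true` could simply be `res->otp`, matching the plainer style of the new second line of the condition. The enclosing function krb5_auth_done starts and ends outside the hunk, and the closing brace the `else if` would attach to is also not shown here.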