author | Jakub Hrozek <jhrozek@redhat.com> | 2015-07-06 13:41:14 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-07-06 13:41:14 +0200 |
commit | 848ccf531afebe54be5d9c120fa90c18b0749cfe (patch) | |
tree | 1501c62f347928c199c74fd4ba475ffacd736bf7 | |
parent | 6ee2011575f9077f7ba204e063cb108b25ca815c (diff) | |
PAM: Only cache first-factor
-rw-r--r-- | src/responder/pam/pamsrv_cmd.c | 21 |
1 files changed, 20 insertions, 1 deletions
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 27cca8909..ed4fef34a 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1491,9 +1491,26 @@ static bool pam_is_cmd_cachable(int cmd)
     return is_cachable;
 }
 
+static bool pam_is_authtok_cachable(struct sss_auth_token *authtok)
+{
+    enum sss_authtok_type type;
+    bool cachable = false;
+
+    type = sss_authtok_get_type(authtok);
+    if (type == SSS_AUTHTOK_TYPE_PASSWORD) {
+        cachable = true;
+    } else {
+        DEBUG(SSSDBG_TRACE_LIBS, "Authentication token can't be cached\n");
+    }
+
+    return cachable;
+}
+
 static bool pam_can_user_cache_auth(struct confdb_ctx *cdb,
                                     struct sss_domain_info *domain,
-                                    int pam_cmd, const char* user,
+                                    int pam_cmd,
+                                    struct sss_auth_token *authtok,
+                                    const char* user,
                                     bool cached_auth_failed)
 {
     errno_t ret;
@@ -1502,6 +1519,7 @@ static bool pam_can_user_cache_auth(struct confdb_ctx *cdb,
     if (!cached_auth_failed /* don't try cached auth again */
         && domain->cache_credentials
         && domain->cached_auth_timeout > 0
+        && pam_is_authtok_cachable(authtok)
         && pam_is_cmd_cachable(pam_cmd)) {
 
         ret = pam_is_last_online_login_fresh(domain, user, cdb,
@@ -1552,6 +1570,7 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
     if (pam_can_user_cache_auth(pctx->rctx->cdb,
                                 preq->domain,
                                 preq->pd->cmd,
+                                preq->pd->authtok,
                                 preq->pd->user,
                                 preq->cached_auth_failed)) {
         preq->use_cached_auth = true;
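Review bot: `pam_is_authtok_cachable` carries no comment explaining why only `SSS_AUTHTOK_TYPE_PASSWORD` is eligible, which is the whole security rationale of this commit and will not be obvious to the next maintainer reading `pam_can_user_cache_auth`. I would add above the function: `/* Only a plain password may be validated against the cached credentials. Any other token type (e.g. one carrying a second factor such as an OTP) cannot be checked offline and must never be answered from the cache, otherwise a single-use factor could be replayed. */`. Note also that the title says "only cache first-factor", but the code as written refuses cached auth for every non-password token rather than extracting the first factor from a multi-factor one; the comment should say that explicitly so nobody later "fixes" it into caching a split-out first factor. The helper also dereferences `authtok` unconditionally via `sss_authtok_get_type()` while `pam_dom_forwarder` passes `preq->pd->authtok` without a NULL check — whether that getter tolerates NULL is not visible in this hunk, so either confirm it does or add `if (authtok == NULL) return false;` at the top.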