authorJakub Hrozek <jhrozek@redhat.com>2015-07-06 13:41:14 +0200
committerJakub Hrozek <jhrozek@redhat.com>2015-07-06 13:41:14 +0200
commit848ccf531afebe54be5d9c120fa90c18b0749cfe (patch)
tree1501c62f347928c199c74fd4ba475ffacd736bf7
parent6ee2011575f9077f7ba204e063cb108b25ca815c (diff)
PAM: Only cache first-factor
-rw-r--r--src/responder/pam/pamsrv_cmd.c21
1 files changed, 20 insertions, 1 deletions
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 27cca8909..ed4fef34a 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1491,9 +1491,26 @@ static bool pam_is_cmd_cachable(int cmd)
return is_cachable;
}
+static bool pam_is_authtok_cachable(struct sss_auth_token *authtok)
+{
+ enum sss_authtok_type type;
+ bool cachable = false;
+
+ type = sss_authtok_get_type(authtok);
+ if (type == SSS_AUTHTOK_TYPE_PASSWORD) {
+ cachable = true;
+ } else {
+ DEBUG(SSSDBG_TRACE_LIBS, "Authentication token can't be cached\n");
+ }
+
+ return cachable;
+}
+
static bool pam_can_user_cache_auth(struct confdb_ctx *cdb,
struct sss_domain_info *domain,
- int pam_cmd, const char* user,
+ int pam_cmd,
+ struct sss_auth_token *authtok,
+ const char* user,
bool cached_auth_failed)
{
errno_t ret;
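Review bot: `pam_is_authtok_cachable` carries no comment saying why only `SSS_AUTHTOK_TYPE_PASSWORD` qualifies, although that rationale is the security core of the change and the first thing a later maintainer will question before adding another type to the allowlist. If, as the commit title suggests, the intent is to keep second factors from ever being satisfied from the cache, I would state it above the function: `/* Only a plain password may take the cached (skip-online) path: a second factor cannot be validated against the local credential cache, so every other token type must go to the provider. */` The helper also calls `sss_authtok_get_type(authtok)` without a NULL check; if `pd->authtok` is always allocated with the pam_data this is fine, but a leading `if (authtok == NULL) return false;` would make the helper safe to reuse from other call sites. Since the `else` branch is exactly where any future token type lands, the trace line would be more useful as `DEBUG(SSSDBG_TRACE_LIBS, "Authentication token of type %d can't be cached\n", type);`. The body of `pam_can_user_cache_auth` continues past the end of this hunk.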
@@ -1502,6 +1519,7 @@ static bool pam_can_user_cache_auth(struct confdb_ctx *cdb,
if (!cached_auth_failed /* don't try cached auth again */
&& domain->cache_credentials
&& domain->cached_auth_timeout > 0
+ && pam_is_authtok_cachable(authtok)
&& pam_is_cmd_cachable(pam_cmd)) {
ret = pam_is_last_online_login_fresh(domain, user, cdb,
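Review bot: The new `pam_is_authtok_cachable(authtok)` term is evaluated before `pam_is_cmd_cachable(pam_cmd)`, so any non-authentication command that reaches this function with an empty token (the call in `pam_dom_forwarder` looks unconditional) will log "Authentication token can't be cached" even though the token was never going to be consulted. Swapping the two terms, `&& pam_is_cmd_cachable(pam_cmd)` followed by `&& pam_is_authtok_cachable(authtok)`, keeps the cheap command check first and confines the trace line to the cases where it means something. The outcome of the condition is unchanged either way, as both appear to be pure predicates on their arguments. The enclosing `if` and the function body continue beyond this hunk.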
@@ -1552,6 +1570,7 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
if (pam_can_user_cache_auth(pctx->rctx->cdb,
preq->domain,
preq->pd->cmd,
+ preq->pd->authtok,
preq->pd->user,
preq->cached_auth_failed)) {
preq->use_cached_auth = true;