authorJakub Hrozek <jhrozek@redhat.com>2015-07-06 13:41:14 +0200
committerJakub Hrozek <jhrozek@redhat.com>2015-07-06 20:19:15 +0200
commit7e798b94cfffe7bf8f7b477d540b95d52ca1f6e4 (patch)
tree6eb6586b0271f268a9fa75ed1c7fa87421f3d962
parent6aff93510b36799c1773d368cc218cd533c43161 (diff)
PAM: Only cache first-factor
Reviewed-by: Sumit Bose <sbose@redhat.com>
-rw-r--r--src/responder/pam/pamsrv_cmd.c21
1 files changed, 20 insertions, 1 deletions
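diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index c144406aa..9c32f40ff 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1492,9 +1492,26 @@ static bool pam_is_cmd_cachable(int cmd)
 return is_cachable;
 }
+static bool pam_is_authtok_cachable(struct sss_auth_token *authtok)
+{
+ enum sss_authtok_type type;
+ bool cachable = false;
+
+ type = sss_authtok_get_type(authtok);
+ if (type == SSS_AUTHTOK_TYPE_PASSWORD) {
+ cachable = true;
+ } else {
+ DEBUG(SSSDBG_TRACE_LIBS, "Authentication token can't be cached\n");
+ }
+
+ return cachable;
+}
+
 static bool pam_can_user_cache_auth(struct confdb_ctx *cdb,
 struct sss_domain_info *domain,
- int pam_cmd, const char* user,
+ int pam_cmd,
+ struct sss_auth_token *authtok,
+ const char* user,
 bool cached_auth_failed)
 {
 errno_t ret;
@@ -1503,6 +1520,7 @@ static bool pam_can_user_cache_auth(struct confdb_ctx *cdb,
 if (!cached_auth_failed /* don't try cached auth again */
 && domain->cache_credentials
 && domain->cached_auth_timeout > 0
+ && pam_is_authtok_cachable(authtok)
 && pam_is_cmd_cachable(pam_cmd)) {
 ret = pam_is_last_online_login_fresh(domain, user, cdb,
@@ -1553,6 +1571,7 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
 if (pam_can_user_cache_auth(pctx->rctx->cdb,
 preq->domain,
 preq->pd->cmd,
+ preq->pd->authtok,
 preq->pd->user,
 preq->cached_auth_failed)) {
 preq->use_cached_auth = true;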
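Review bot: pam_is_authtok_cachable in the first hunk has no comment stating why only SSS_AUTHTOK_TYPE_PASSWORD may be answered from the credential cache, and the DEBUG line in its else branch does not record which token type was rejected, so a trace log cannot distinguish a 2FA token from an empty one. I would add a header comment such as `/* Only a plain password may be replayed against the credential cache; other token types (presumably a one-time second factor, per the commit title) must reach the backend every time. */` and make the log line `DEBUG(SSSDBG_TRACE_LIBS, "Authentication token type [%d] can't be cached\n", type);`. Whether sss_authtok_get_type tolerates a NULL authtok is not visible here; if it does not, the new call site in pam_can_user_cache_auth (second hunk) needs a guard. pam_can_user_cache_auth continues past the first hunk, and pam_dom_forwarder in the last hunk both starts and ends outside it.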