authorStephen Gallagher <sgallagh@redhat.com>2009-10-22 11:58:06 -0400
committerStephen Gallagher <sgallagh@redhat.com>2009-10-22 15:43:01 -0400
commitc2d7b2271eafd27b41736624e4e5da121073279d (patch)
tree517d165f3f229b4783d5568fd06a1b8a80d089ad /server/responder/pam/pamsrv_cache.c
parentff75b1a0e342f694589c46d9d59c509ac69be980 (diff)
Add support for offline auth cache timeout
This adds a new option (offline_credentials_expiration) to the [PAM] section of sssd.conf. If the user does not perform an online authentication within the timeout (in days), they will be denied auth once the timeout passes.
Diffstat (limited to 'server/responder/pam/pamsrv_cache.c')
-rw-r--r--server/responder/pam/pamsrv_cache.c20
1 files changed, 18 insertions, 2 deletions
diff --git a/server/responder/pam/pamsrv_cache.c b/server/responder/pam/pamsrv_cache.c
index 9c5c209f2..1e1c54443 100644
--- a/server/responder/pam/pamsrv_cache.c
+++ b/server/responder/pam/pamsrv_cache.c
@@ -61,17 +61,21 @@ static void pam_cache_auth_callback(void *pvt, int ldb_status,
struct ldb_result *res)
{
struct pam_auth_req *preq;
+ struct pam_ctx *pctx;
struct pam_data *pd;
const char *userhash;
char *comphash;
char *password = NULL;
int i, ret;
+ uint64_t lastLogin = 0;
preq = talloc_get_type(pvt, struct pam_auth_req);
pd = preq->pd;
+ pctx = talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
+
if (ldb_status != LDB_SUCCESS) {
- DEBUG(4, ("User info retireval failed! (%d [%s])\n",
+ DEBUG(4, ("User info retrieval failed! (%d [%s])\n",
ldb_status, sysdb_error_to_errno(ldb_status)));
ret = PAM_SYSTEM_ERR;
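Review bot: `lastLogin` on the added declaration line breaks the snake_case used by the function's other locals (`userhash`, `comphash`, `password`); `last_login` would match. The `pctx` fetched with talloc_get_type() at the added assignment is dereferenced later in the function without a NULL check, and talloc_get_type() returns NULL when the pointer's talloc type name does not match; if that case is considered reachable here, `if (pctx == NULL) { ret = PAM_SYSTEM_ERR; goto done; }` after the assignment mirrors the function's existing error path. The body of pam_cache_auth_callback continues beyond this hunk.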
@@ -86,12 +90,23 @@ static void pam_cache_auth_callback(void *pvt, int ldb_status,
}
if (res->count != 1) {
- DEBUG(4, ("Too manyt results for user [%s@%s].\n",
+ DEBUG(4, ("Too many results for user [%s@%s].\n",
pd->user, preq->domain->name));
ret = PAM_SYSTEM_ERR;
goto done;
}
+ /* Check offline_auth_cache_timeout */
+ lastLogin = ldb_msg_find_attr_as_uint64(res->msgs[0],
+ SYSDB_LAST_ONLINE_AUTH,
+ 0);
+ if (pctx->cred_expiration &&
+ lastLogin + (pctx->cred_expiration * 86400) < time(NULL)) {
+ DEBUG(4, ("Cached user entry is too old."));
+ ret = PAM_AUTHINFO_UNAVAIL;
+ goto done;
+ }
+
/* TODO: verify user account (failed logins, disabled, expired ...) */
ret = authtok2str(preq, pd->authtok, pd->authtok_size, &password);
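Review bot: The expiry test `lastLogin + (pctx->cred_expiration * 86400) < time(NULL)` multiplies in the type of `cred_expiration` before widening to `uint64_t`, so if that field is an `int` (its declaration is outside the hunk) a large configured day count overflows before the comparison; evaluating the whole expression in 64 bits, `lastLogin + (uint64_t)pctx->cred_expiration * 86400 < (uint64_t)time(NULL)`, avoids that. When `SYSDB_LAST_ONLINE_AUTH` is absent the default of 0 makes the entry expire as soon as the option is set, which is the fail-closed outcome but deserves to be stated, e.g. `/* No recorded online auth: the entry counts as expired (fail closed). */`. The new DEBUG string `"Cached user entry is too old."` lacks the trailing `\n` that the other DEBUG calls in this function carry. pam_cache_auth_callback continues outside the hunk on both sides.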
@@ -139,6 +154,7 @@ int pam_cache_auth(struct pam_auth_req *preq)
SYSDB_CACHEDPWD,
SYSDB_DISABLED,
SYSDB_LAST_LOGIN,
+ SYSDB_LAST_ONLINE_AUTH,
"lastCachedPasswordChange",
"accountExpires",
"failedLoginAttempts",