authorJakub Hrozek <jhrozek@redhat.com>2014-03-18 16:48:11 +0100
committerSumit Bose <sbose@redhat.com>2014-03-26 09:56:23 +0100
commit3983d81f461a4f17736a516eb595f54df4bf4336 (patch)
treedda3d53fe7d5826878e3e07246cea191c4fa0a8d /src/providers/krb5/krb5_auth.c
parent6bbff437dcea7e56d71cf119d1391be7264dfaf0 (diff)
KRB5: Do not attempt to get a TGT after a password change using OTP
https://fedorahosted.org/sssd/ticket/2271 The current krb5_child code attempts to get a TGT for the convenience of the user, using the new password, after a password change operation. However, an OTP must never be used twice, which means we cannot perform the kinit operation after chpass has finished. Instead, we only return a PAM informational message instructing the user to log out and back in manually. Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
Diffstat (limited to 'src/providers/krb5/krb5_auth.c')
-rw-r--r--src/providers/krb5/krb5_auth.c21
1 files changed, 18 insertions, 3 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 661084ad3..f539d5068 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -827,6 +827,7 @@ static void krb5_auth_done(struct tevent_req *subreq)
char *renew_interval_str;
time_t renew_interval_time = 0;
bool use_enterprise_principal;
+ uint32_t user_info_type;
ret = handle_child_recv(subreq, pd, &buf, &len);
talloc_zfree(subreq);
@@ -1076,9 +1077,23 @@ static void krb5_auth_done(struct tevent_req *subreq)
ret = sss_krb5_check_ccache_princ(kr->uid, kr->gid, kr->ccname, kr->upn);
if (ret) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "No ccache for %s in %s?\n", kr->upn, kr->ccname);
- goto done;
+ if (res->otp == true && pd->cmd == SSS_PAM_CHAUTHTOK) {
+ DEBUG(SSSDBG_IMPORTANT_INFO,
+ "Password change succeeded but currently "
+ "post-chpass kinit is not implemented\n");
+
+ user_info_type = SSS_PAM_USER_INFO_OTP_CHPASS;
+ ret = pam_add_response(pd, SSS_PAM_USER_INFO, sizeof(uint32_t),
+ (const uint8_t *) &user_info_type);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
+ /* Not fatal */
+ }
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "No ccache for %s in %s?\n", kr->upn, kr->ccname);
+ goto done;
+ }
}
if (kr->old_ccname) {
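Review bot: In the new OTP/CHAUTHTOK branch, a failed `pam_add_response()` is commented as "Not fatal" but `ret` is left holding its error value when the branch falls through past the closing brace, so the intent lives only in the comment; whether that stale value reaches the `done:` label depends on the code after this hunk, which is not visible here. I would make the intent explicit by adding `ret = EOK;` after the `if (ret != EOK)` block, so the success path no longer relies on a later assignment overwriting it. Note also that this branch deliberately continues with `kr->ccname` after `sss_krb5_check_ccache_princ()` found no usable ccache in it, so the old-ccache cleanup and whatever follows should be checked to tolerate a ccache that was never created; a one-line comment such as `/* No TGT was obtained: kr->ccname may not refer to an existing ccache */` at the top of the branch would make that expectation clear to the next reader. As a point of style, `res->otp == true` reads more naturally as `res->otp`. krb5_auth_done starts and ends outside this hunk.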