author | Jakub Hrozek <jhrozek@redhat.com> | 2014-03-18 16:48:11 +0100 |
---|---|---|
committer | Sumit Bose <sbose@redhat.com> | 2014-03-26 11:24:03 +0100 |
commit | 1c1693ee1a74f27caaef416d9dce5c14b0ad53f9 (patch) | |
tree | 257a924f87f5c3694348bbd4544ea6a7f2afa5f7 /src/providers/krb5/krb5_auth.c | |
parent | cf13b90a3976158fca70523815ad934f177d424b (diff) | |
KRB5: Do not attempt to get a TGT after a password change using OTP
https://fedorahosted.org/sssd/ticket/2271
The current krb5_child code attempts to get a TGT for the convenience of
the user using the new password after a password change operation.
However, an OTP should never be used twice, which means we can't perform
the kinit operation after chpass is finished. Instead, we only emit a
PAM informational message instructing the user to log out and back in manually.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
Diffstat (limited to 'src/providers/krb5/krb5_auth.c')
-rw-r--r-- | src/providers/krb5/krb5_auth.c | 21 |
1 files changed, 18 insertions, 3 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index ce461f5ad..48c0746ef 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -815,6 +815,7 @@ static void krb5_auth_done(struct tevent_req *subreq)
 char *renew_interval_str;
 time_t renew_interval_time = 0;
 bool use_enterprise_principal;
+ uint32_t user_info_type;
 
 ret = handle_child_recv(subreq, pd, &buf, &len);
 talloc_zfree(subreq);
@@ -1062,9 +1063,23 @@ static void krb5_auth_done(struct tevent_req *subreq)
 ret = sss_krb5_check_ccache_princ(kr->uid, kr->gid, kr->ccname,
 kr->upn);
 if (ret) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- ("No ccache for %s in %s?\n", kr->upn, kr->ccname));
- goto done;
+ if (res->otp == true && pd->cmd == SSS_PAM_CHAUTHTOK) {
+ DEBUG(SSSDBG_IMPORTANT_INFO,
+ ("Password change succeeded but currently "
+ "post-chpass kinit is not implemented\n"));
+
+ user_info_type = SSS_PAM_USER_INFO_OTP_CHPASS;
+ ret = pam_add_response(pd, SSS_PAM_USER_INFO, sizeof(uint32_t),
+ (const uint8_t *) &user_info_type);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("pam_add_response failed.\n"));
+ /* Not fatal */
+ }
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("No ccache for %s in %s?\n", kr->upn, kr->ccname));
+ goto done;
+ }
 }
 
 if (kr->old_ccname) { |
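Review bot: In the second hunk the "Not fatal" branch leaves `ret` holding the error code from pam_add_response() while control falls through into the remainder of krb5_auth_done, so if the code after the hunk tests or propagates `ret` (not visible here), a password change that actually succeeded on the KDC would be reported to PAM as a failure; the comment should be made true by resetting the status, e.g. `DEBUG(SSSDBG_CRIT_FAILURE, ("pam_add_response failed.\n"));` followed by `/* Not fatal: the password change itself succeeded */` and `ret = EOK;`. The same fall-through also continues with a kr->ccname that sss_krb5_check_ccache_princ() just rejected, so whatever the later code does with that ccache path (storing it for the user, renewal setup) presumably needs to skip it in the OTP chpass case — worth confirming against the rest of the function. Note that only the message type is added here; the user-facing text for SSS_PAM_USER_INFO_OTP_CHPASS must be handled in the PAM client, which this file-limited diff does not show. The enclosing function krb5_auth_done starts and ends outside the hunk.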