diff options
| author | Jakub Hrozek <jhrozek@redhat.com> | 2014-03-18 16:48:11 +0100 |
|---|---|---|
| committer | Sumit Bose <sbose@redhat.com> | 2014-03-26 11:24:03 +0100 |
| commit | 1c1693ee1a74f27caaef416d9dce5c14b0ad53f9 (patch) | |
| tree | 257a924f87f5c3694348bbd4544ea6a7f2afa5f7 /src/providers/krb5/krb5_child.c | |
| parent | cf13b90a3976158fca70523815ad934f177d424b (diff) | |
| download | sssd-1c1693ee1a74f27caaef416d9dce5c14b0ad53f9.tar.gz sssd-1c1693ee1a74f27caaef416d9dce5c14b0ad53f9.tar.xz sssd-1c1693ee1a74f27caaef416d9dce5c14b0ad53f9.zip | |
KRB5: Do not attempt to get a TGT after a password change using OTP
https://fedorahosted.org/sssd/ticket/2271
The current krb5_child code attempts to get a TGT for the convenience of
the user using the new password after a password change operation.
However, an OTP should never be used twice, which means we can't perform
the kinit operation after chpass is finished. Instead, we only print a
PAM information instructing the user to log out and back in manually.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
Diffstat (limited to 'src/providers/krb5/krb5_child.c')
| -rw-r--r-- | src/providers/krb5/krb5_child.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index d000d7016..3ee49e467 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -45,6 +45,7 @@ struct krb5_req { krb5_principal princ; char* name; krb5_creds *creds; + bool otp; krb5_get_init_creds_opt *options; struct pam_data *pd; @@ -370,6 +371,8 @@ static krb5_error_code answer_otp(krb5_context ctx, goto done; } + kr->otp = true; + /* Validate our assumptions about the contents of authtok. */ ret = sss_authtok_get_password(kr->pd->authtok, &pwd, &len); if (ret != EOK) @@ -694,6 +697,8 @@ static errno_t k5c_send_data(struct krb5_req *kr, int fd, errno_t error) size_t len; int ret; + DEBUG(SSSDBG_FUNC_DATA, ("Received error code %d\n", error)); + ret = pack_response_packet(kr, error, kr->pd->resp_list, &buf, &len); if (ret != EOK) { DEBUG(1, ("pack_response_packet failed.\n")); @@ -1110,6 +1115,8 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim) prompter, kr, 0, SSSD_KRB5_CHANGEPW_PRINCIPAL, kr->options); + DEBUG(SSSDBG_TRACE_INTERNAL, + ("chpass is%s using OTP\n", kr->otp ? "" : " not")); if (kerr != 0) { ret = pack_user_info_chpass_error(kr->pd, "Old password not accepted.", &msg_len, &msg); @@ -1205,6 +1212,11 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim) krb5_free_cred_contents(kr->ctx, kr->creds); + if (kr->otp == true) { + sss_authtok_set_empty(kr->pd->newauthtok); + return map_krb5_error(kerr); + } + /* We changed some of the gic options for the password change, now we have * to change them back to get a fresh TGT. */ revert_changepw_options(kr->options); |