authorSimo Sorce <simo@redhat.com>2012-10-18 12:49:38 -0400
committerSimo Sorce <simo@redhat.com>2013-01-10 12:24:59 -0500
commitc83e409297711e6012a164cc929c758a3f38e9b9 (patch)
tree42930e80d13d5bbe26e12891499677db0e26c8e6 /src/providers/krb5
parent4c2cf6607ddc82c5061d805c11e163de4bc1bd82 (diff)
Code can only check for cached passwords
Make it clear to the API users that we cannot take arbitrary auth tokens. We can only take a password for now, so simplify and clarify the interface.
Diffstat (limited to 'src/providers/krb5')
-rw-r--r--src/providers/krb5/krb5_auth.c21
1 files changed, 17 insertions, 4 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 94bbe4854..bd014a49d 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -278,16 +278,23 @@ static void krb5_auth_cache_creds(struct krb5_ctx *krb5_ctx,
struct pam_data *pd, uid_t uid,
int *pam_status, int *dp_err)
{
+ char *password = NULL;
errno_t ret;
- ret = sysdb_cache_auth(sysdb, pd->user, pd->authtok,
- pd->authtok_size, cdb, true, NULL,
- NULL);
+ password = talloc_strndup(state, pd->authtok, pd->authtok_size);
+ if (!password) {
+ DEBUG(0, ("Out of memory copying password\n"));
+ *pam_status = PAM_SYSTEM_ERR;
+ *dp_err = DP_ERR_OK;
+ return;
+ }
+
+ ret = sysdb_cache_auth(sysdb, pd->user, password, cdb, true, NULL, NULL);
if (ret != EOK) {
DEBUG(1, ("Offline authentication failed\n"));
*pam_status = cached_login_pam_status(ret);
*dp_err = DP_ERR_OK;
- return;
+ goto done;
}
ret = add_user_to_delayed_online_authentication(krb5_ctx, pd, uid);
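Review bot: `talloc_strndup(state, pd->authtok, pd->authtok_size)` allocates the cleartext copy on a context named `state`, but no `state` is visible among the parameters or locals shown in this hunk; the parameter list begins above the hunk, so confirm that it is actually in scope. Because the copy holds a password, it is safer to parent it to a context whose lifetime ends with this function, so that any exit that does not pass through `done:` cannot leave it attached to a longer-lived parent. The out-of-memory branch returning directly is fine, since nothing has been allocated at that point. It would also help to document the assumption the new interface relies on, for example `/* authtok is treated as a plain password: the copy stops at the first NUL or at authtok_size */`.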
@@ -297,6 +304,12 @@ static void krb5_auth_cache_creds(struct krb5_ctx *krb5_ctx,
}
*pam_status = PAM_AUTHINFO_UNAVAIL;
*dp_err = DP_ERR_OFFLINE;
+
+done:
+ if (password) {
+ for (i = 0; password[i]; i++) password[i] = 0;
+ talloc_zfree(password);
+ }
}
static errno_t krb5_auth_prepare_ccache_file(struct krb5child_req *kr,
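Review bot: The wipe loop under `done:` indexes with `i`, yet the only locals declared in the visible function head are `password` and `ret`, so unless `i` is declared outside the shown context this will not compile. Separately, plain stores into a buffer that is freed on the very next line are dead stores which an optimizing compiler may remove, leaving the password readable in released heap memory. Writing through a volatile pointer keeps the wipe in place, e.g. `volatile char *p = password; while (*p) *p++ = 0;`, or `explicit_bzero(password, strlen(password));` where the platform provides it. The code between the two hunks is not shown, so check that no remaining `return` there bypasses `done:`.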