authorLukas Slebodnik <lslebodn@redhat.com>2014-10-20 22:21:25 +0200
committerJakub Hrozek <jhrozek@redhat.com>2014-11-07 15:12:52 +0100
commit2368a0fc19bcd56581eccd8397289e4513a383a5 (patch)
tree91eb45d18a803017e0caad7c07a0069615bd0cf3 /src/providers
parent4c713fb79bfdef602021be890ee687fc3743ebb9 (diff)
PAM: Remove authtok from PAM stack with OTP
We remove the password from the PAM stack when OTP is used, to make sure that other PAM modules (pam-gnome-keyring, pam_mount) cannot use it anymore and have to request a password on their own.

Resolves: https://fedorahosted.org/sssd/ticket/2287
Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com>
Diffstat (limited to 'src/providers')
-rw-r--r--src/providers/krb5/krb5_auth.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index f539d5068..c96b7aee9 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -1161,6 +1161,20 @@ static void krb5_auth_done(struct tevent_req *subreq)
krb5_auth_store_creds(state->domain, pd);
}
+ if (res->otp == true && pd->cmd == SSS_PAM_AUTHENTICATE) {
+ uint32_t otp_flag = 1;
+ ret = pam_add_response(pd, SSS_OTP, sizeof(uint32_t),
+ (const uint8_t *) &otp_flag);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "pam_add_response failed: %d (%s).\n",
+ ret, sss_strerror(ret));
+ state->pam_status = PAM_SYSTEM_ERR;
+ state->dp_err = DP_ERR_OK;
+ goto done;
+ }
+ }
+
state->pam_status = PAM_SUCCESS;
state->dp_err = DP_ERR_OK;
ret = EOK;
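Review bot: The new `if (res->otp == true && pd->cmd == SSS_PAM_AUTHENTICATE)` block has no comment saying that the SSS_OTP response is the signal the authtok removal depends on, or that failing the request with PAM_SYSTEM_ERR when `pam_add_response` fails is deliberate. Going by the commit message, falling through to PAM_SUCCESS without the flag would presumably leave the one-time code on the PAM stack for later modules, so the fail-closed path deserves a line such as `/* Tell the PAM client OTP was used so it drops the authtok; fail the request if the flag cannot be delivered. */`. Two smaller style points in the same block: `sizeof(otp_flag)` ties the length to the variable rather than to a repeated type name, and `res->otp &&` reads better than `== true`. The flag is added only for SSS_PAM_AUTHENTICATE; whether other commands that carry the token need the same treatment cannot be told from this hunk. krb5_auth_done starts and ends outside the hunk, including the `done:` label the error path jumps to.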