diff options
| author | Pavel Reichl <preichl@redhat.com> | 2015-02-11 19:38:16 -0500 |
|---|---|---|
| committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-02-23 13:47:47 +0100 |
| commit | a61d6d01a4e89ec14175af135e84f1cac55af748 (patch) | |
| tree | 309f9c46dcd60a1d933ebdc126011739418215fa /src/responder/pam/pamsrv_cmd.c | |
| parent | fa0a9bad84d060a1adf8dd44f35d366e14f54d58 (diff) | |
| download | sssd-a61d6d01a4e89ec14175af135e84f1cac55af748.tar.gz sssd-a61d6d01a4e89ec14175af135e84f1cac55af748.tar.xz sssd-a61d6d01a4e89ec14175af135e84f1cac55af748.zip | |
PAM: do not reject abruptly
If account has expired then pass message.
Resolves:
https://fedorahosted.org/sssd/ticket/2050
Reviewed-by: Sumit Bose <sbose@redhat.com>
Diffstat (limited to 'src/responder/pam/pamsrv_cmd.c')
| -rw-r--r-- | src/responder/pam/pamsrv_cmd.c | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c index 90cdbec51..c874cae61 100644 --- a/src/responder/pam/pamsrv_cmd.c +++ b/src/responder/pam/pamsrv_cmd.c @@ -44,6 +44,54 @@ enum pam_verbosity { static void pam_reply(struct pam_auth_req *preq); +static errno_t pack_user_info_account_expired(TALLOC_CTX *mem_ctx, + const char *user_error_message, + size_t *resp_len, + uint8_t **_resp) +{ + uint32_t resp_type = SSS_PAM_USER_INFO_ACCOUNT_EXPIRED; + size_t err_len; + uint8_t *resp; + size_t p; + + err_len = strlen(user_error_message); + *resp_len = 2 * sizeof(uint32_t) + err_len; + resp = talloc_size(mem_ctx, *resp_len); + if (resp == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n"); + return ENOMEM; + } + + p = 0; + SAFEALIGN_SET_UINT32(&resp[p], resp_type, &p); + SAFEALIGN_SET_UINT32(&resp[p], err_len, &p); + safealign_memcpy(&resp[p], user_error_message, err_len, &p); + if (p != *resp_len) { + DEBUG(SSSDBG_FATAL_FAILURE, "Size mismatch\n"); + } + + *_resp = resp; + return EOK; +} + +static void inform_account_expired(struct pam_data* pd) +{ + size_t msg_len; + uint8_t *msg; + errno_t ret; + + ret = pack_user_info_account_expired(pd, "", &msg_len, &msg); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "pack_user_info_account_expired failed.\n"); + } else { + ret = pam_add_response(pd, SSS_PAM_USER_INFO, msg_len, msg); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n"); + } + } +} + static bool is_domain_requested(struct pam_data *pd, const char *domain_name) { int i; @@ -609,6 +657,11 @@ static void pam_reply(struct pam_auth_req *preq) goto done; } + if (pd->pam_status == PAM_ACCT_EXPIRED && pd->service != NULL && + strcasecmp(pd->service, "sshd") == 0) { + inform_account_expired(pd); + } + ret = filter_responses(pctx->rctx->cdb, pd->resp_list); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "filter_responses failed, not fatal.\n"); |