summaryrefslogtreecommitdiffstats
path: root/src/responder
diff options
context:
space:
mode:
authorSumit Bose <sbose@redhat.com>2015-03-27 15:20:13 +0100
committerSumit Bose <sbose@redhat.com>2015-05-08 09:14:26 +0200
commit219f5b698fa72c0d5a8da2b0dd99daec3f924c94 (patch)
tree1e7067b31d41138f8bf9c908549d7944e8da0927 /src/responder
parent2d0e7658198d1aa6e3926bf967ff683660249114 (diff)
downloadsssd-219f5b698fa72c0d5a8da2b0dd99daec3f924c94.tar.gz
sssd-219f5b698fa72c0d5a8da2b0dd99daec3f924c94.tar.xz
sssd-219f5b698fa72c0d5a8da2b0dd99daec3f924c94.zip
2FA offline auth
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Diffstat (limited to 'src/responder')
-rw-r--r--src/responder/pam/pamsrv_cmd.c35
1 files changed, 32 insertions, 3 deletions
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index eeaa42ce7..1ca87a651 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -528,6 +528,34 @@ static void pam_reply_delay(struct tevent_context *ev, struct tevent_timer *te,
pam_reply(preq);
}
+static errno_t get_password_for_cache_auth(struct sss_auth_token *authtok,
+ const char **password)
+{
+ int ret;
+ size_t pw_len;
+ const char *fa2;
+ size_t fa2_len;
+
+ switch (sss_authtok_get_type(authtok)) {
+ case SSS_AUTHTOK_TYPE_PASSWORD:
+ ret = sss_authtok_get_password(authtok, password, NULL);
+ break;
+ case SSS_AUTHTOK_TYPE_2FA:
+ ret = sss_authtok_get_2fa(authtok, password, &pw_len, &fa2, &fa2_len);
+ break;
+ default:
+ DEBUG(SSSDBG_FATAL_FAILURE, "Unsupported auth token type [%d].\n",
+ sss_authtok_get_type(authtok));
+ ret = EINVAL;
+ }
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to get password.\n");
+ return ret;
+ }
+
+ return EOK;
+}
+
static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd);
static void pam_handle_cached_login(struct pam_auth_req *preq, int ret,
time_t expire_date, time_t delayed_until);
@@ -587,9 +615,10 @@ static void pam_reply(struct pam_auth_req *preq)
goto done;
}
- ret = sss_authtok_get_password(pd->authtok, &password, NULL);
- if (ret) {
- DEBUG(SSSDBG_FATAL_FAILURE, "Failed to get password.\n");
+ ret = get_password_for_cache_auth(pd->authtok, &password);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "get_password_and_type_for_cache_auth failed.\n");
goto done;
}