authorLukas Slebodnik <lslebodn@redhat.com>2014-10-20 22:21:25 +0200
committerJakub Hrozek <jhrozek@redhat.com>2014-11-07 15:12:52 +0100
commit2368a0fc19bcd56581eccd8397289e4513a383a5 (patch)
tree91eb45d18a803017e0caad7c07a0069615bd0cf3 /src/sss_client/pam_sss.c
parent4c713fb79bfdef602021be890ee687fc3743ebb9 (diff)
PAM: Remove authtok from PAM stack with OTP
We remove the password from the PAM stack when OTP is used to make sure that other pam modules (pam-gnome-keyring, pam_mount) cannot use it anymore and have to request a password on their own. Resolves: https://fedorahosted.org/sssd/ticket/2287 Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com>
Diffstat (limited to 'src/sss_client/pam_sss.c')
-rw-r--r--src/sss_client/pam_sss.c16
1 files changed, 15 insertions, 1 deletions
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index abe9b0547..d64e826da 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -206,7 +206,7 @@ static size_t add_string_item(enum pam_item_type type, const char *str,
return rp;
}
-static void overwrite_and_free_pam_items(struct pam_items *pi)
+static void overwrite_and_free_authtoks(struct pam_items *pi)
{
if (pi->pam_authtok != NULL) {
_pam_overwrite_n((void *)pi->pam_authtok, pi->pam_authtok_size);
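Review bot: The renamed overwrite_and_free_authtoks() gains a second, security-relevant caller in this commit (the SSS_OTP case) but carries no comment stating what it clears and what it leaves alone. From the visible lines it zeroes and frees the token copies held in `pi` and nulls the `pamstack_*` pointers, and no pam_set_item() call appears here, so the items on the PAM stack itself look untouched; a header such as `/* Zero and free the authtok copies held in pi and reset its pamstack_* pointers; the PAM stack items themselves are not modified here. */` would make it explicit that the new caller must remove PAM_AUTHTOK separately. The function's body continues outside the hunk, so the wording should be checked against the rest of it.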
@@ -222,6 +222,11 @@ static void overwrite_and_free_pam_items(struct pam_items *pi)
pi->pamstack_authtok = NULL;
pi->pamstack_oldauthtok = NULL;
+}
+
+static void overwrite_and_free_pam_items(struct pam_items *pi)
+{
+ overwrite_and_free_authtoks(pi);
free(pi->domain_name);
pi->domain_name = NULL;
@@ -998,6 +1003,15 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
D(("do_pam_conversation failed."));
}
break;
+ case SSS_OTP:
+ D(("OTP was used, removing authtokens."));
+ overwrite_and_free_authtoks(pi);
+ ret = pam_set_item(pamh, PAM_AUTHTOK, NULL);
+ if (ret != PAM_SUCCESS) {
+ D(("Failed to remove PAM_AUTHTOK after using otp [%s]",
+ pam_strerror(pamh,ret)));
+ }
+ break;
default:
D(("Unknown response type [%d]", type));
}
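Review bot: When the added `ret = pam_set_item(pamh, PAM_AUTHTOK, NULL);` fails, the OTP remains on the PAM stack for the modules that run afterwards, which is exactly the situation the commit sets out to prevent, yet the failure is only recorded with D() and `ret` is left holding the error into the `break`. Whether that non-success value is consumed after the switch cannot be seen here, since eval_response continues outside the hunk; if it is simply dropped, consider propagating it or at least documenting the decision above the D() call with `/* non-fatal: the token stays on the stack for later modules */`. The local copies are cleared first via overwrite_and_free_authtoks(), which per the earlier hunk also nulls `pi->pamstack_oldauthtok`, while only PAM_AUTHTOK is removed from the stack itself; if PAM_OLDAUTHTOK can be populated on this path, it presumably needs the same treatment. Minor style point: `pam_strerror(pamh,ret)` is missing the space after the comma.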