KRB5: Do not attempt to get a TGT after a password change using OTP

https://fedorahosted.org/sssd/ticket/2271

The current krb5_child code attempts to get a TGT for the convenience of
the user using the new password after a password change operation.
However, an OTP should never be used twice, which means we can't perform
the kinit operation after chpass is finished. Instead, we only print a
PAM information instructing the user to log out and back in manually.

Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>

1 files changed, 19 insertions, 0 deletions

diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 4ff38f299..e629fc19b 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -771,6 +771,22 @@ static int user_info_offline_chpass(pam_handle_t *pamh)
     return PAM_SUCCESS;
 }
 
+static int user_info_otp_chpass(pam_handle_t *pamh)
+{
+    int ret;
+
+    ret = do_pam_conversation(pamh, PAM_TEXT_INFO,
+                              _("After changing the OTP password, you need to "
+                                "log out and back in order to acquire a ticket"),
+                              NULL, NULL);
+    if (ret != PAM_SUCCESS) {
+        D(("do_pam_conversation failed."));
+        return PAM_SYSTEM_ERR;
+    }
+
+    return PAM_SUCCESS;
+}
+
 static int user_info_chpass_error(pam_handle_t *pamh, size_t buflen,
                                   uint8_t *buf)
 {
@@ -856,6 +872,9 @@ static int eval_user_info_response(pam_handle_t *pamh, size_t buflen,
         case SSS_PAM_USER_INFO_OFFLINE_CHPASS:
             ret = user_info_offline_chpass(pamh);
             break;
+        case SSS_PAM_USER_INFO_OTP_CHPASS:
+            ret = user_info_otp_chpass(pamh);
+            break;
         case SSS_PAM_USER_INFO_CHPASS_ERROR:
             ret = user_info_chpass_error(pamh, buflen, buf);
             break;