diff options
author | Jakub Hrozek <jhrozek@redhat.com> | 2014-03-18 16:48:11 +0100 |
---|---|---|
committer | Sumit Bose <sbose@redhat.com> | 2014-03-26 09:56:23 +0100 |
commit | 3983d81f461a4f17736a516eb595f54df4bf4336 (patch) | |
tree | dda3d53fe7d5826878e3e07246cea191c4fa0a8d /src/sss_client/pam_sss.c | |
parent | 6bbff437dcea7e56d71cf119d1391be7264dfaf0 (diff) | |
download | sssd-3983d81f461a4f17736a516eb595f54df4bf4336.tar.gz sssd-3983d81f461a4f17736a516eb595f54df4bf4336.tar.xz sssd-3983d81f461a4f17736a516eb595f54df4bf4336.zip |
KRB5: Do not attempt to get a TGT after a password change using OTP
https://fedorahosted.org/sssd/ticket/2271
The current krb5_child code attempts to get a TGT for the convenience of
the user using the new password after a password change operation.
However, an OTP should never be used twice, which means we can't perform
the kinit operation after chpass is finished. Instead, we only print a
PAM information instructing the user to log out and back in manually.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
Diffstat (limited to 'src/sss_client/pam_sss.c')
-rw-r--r-- | src/sss_client/pam_sss.c | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index 32558fac9..ddf4ded7c 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -763,6 +763,22 @@ static int user_info_offline_chpass(pam_handle_t *pamh) return PAM_SUCCESS; } +static int user_info_otp_chpass(pam_handle_t *pamh) +{ + int ret; + + ret = do_pam_conversation(pamh, PAM_TEXT_INFO, + _("After changing the OTP password, you need to " + "log out and back in order to acquire a ticket"), + NULL, NULL); + if (ret != PAM_SUCCESS) { + D(("do_pam_conversation failed.")); + return PAM_SYSTEM_ERR; + } + + return PAM_SUCCESS; +} + static int user_info_chpass_error(pam_handle_t *pamh, size_t buflen, uint8_t *buf) { @@ -848,6 +864,9 @@ static int eval_user_info_response(pam_handle_t *pamh, size_t buflen, case SSS_PAM_USER_INFO_OFFLINE_CHPASS: ret = user_info_offline_chpass(pamh); break; + case SSS_PAM_USER_INFO_OTP_CHPASS: + ret = user_info_otp_chpass(pamh); + break; case SSS_PAM_USER_INFO_CHPASS_ERROR: ret = user_info_chpass_error(pamh, buflen, buf); break; |