diff options
| author | Jakub Hrozek <jhrozek@redhat.com> | 2014-03-18 16:48:11 +0100 |
|---|---|---|
| committer | Sumit Bose <sbose@redhat.com> | 2014-03-26 09:56:23 +0100 |
| commit | 3983d81f461a4f17736a516eb595f54df4bf4336 (patch) | |
| tree | dda3d53fe7d5826878e3e07246cea191c4fa0a8d /src/sss_client | |
| parent | 6bbff437dcea7e56d71cf119d1391be7264dfaf0 (diff) | |
| download | sssd-3983d81f461a4f17736a516eb595f54df4bf4336.tar.gz sssd-3983d81f461a4f17736a516eb595f54df4bf4336.tar.xz sssd-3983d81f461a4f17736a516eb595f54df4bf4336.zip | |
KRB5: Do not attempt to get a TGT after a password change using OTP
https://fedorahosted.org/sssd/ticket/2271
The current krb5_child code attempts to get a TGT for the convenience of
the user using the new password after a password change operation.
However, an OTP should never be used twice, which means we can't perform
the kinit operation after chpass is finished. Instead, we only print a
PAM information instructing the user to log out and back in manually.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
Diffstat (limited to 'src/sss_client')
| -rw-r--r-- | src/sss_client/pam_sss.c | 19 | ||||
| -rw-r--r-- | src/sss_client/sss_cli.h | 3 |
2 files changed, 22 insertions, 0 deletions
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index 32558fac9..ddf4ded7c 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -763,6 +763,22 @@ static int user_info_offline_chpass(pam_handle_t *pamh) return PAM_SUCCESS; } +static int user_info_otp_chpass(pam_handle_t *pamh) +{ + int ret; + + ret = do_pam_conversation(pamh, PAM_TEXT_INFO, + _("After changing the OTP password, you need to " + "log out and back in order to acquire a ticket"), + NULL, NULL); + if (ret != PAM_SUCCESS) { + D(("do_pam_conversation failed.")); + return PAM_SYSTEM_ERR; + } + + return PAM_SUCCESS; +} + static int user_info_chpass_error(pam_handle_t *pamh, size_t buflen, uint8_t *buf) { @@ -848,6 +864,9 @@ static int eval_user_info_response(pam_handle_t *pamh, size_t buflen, case SSS_PAM_USER_INFO_OFFLINE_CHPASS: ret = user_info_offline_chpass(pamh); break; + case SSS_PAM_USER_INFO_OTP_CHPASS: + ret = user_info_otp_chpass(pamh); + break; case SSS_PAM_USER_INFO_CHPASS_ERROR: ret = user_info_chpass_error(pamh, buflen, buf); break; diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h index 285a2979a..16a08e186 100644 --- a/src/sss_client/sss_cli.h +++ b/src/sss_client/sss_cli.h @@ -451,6 +451,9 @@ enum user_info_type { * possible to change the password while * the system is offline. This message * is generated by the PAM responder. */ + SSS_PAM_USER_INFO_OTP_CHPASS, /**< Tell the user that he needs to kinit + * or login and logout to get a TGT after + * an OTP password change */ SSS_PAM_USER_INFO_CHPASS_ERROR, /**< Tell the user that a password change * failed and optionally give a reason. * @param Size of the message as unsigned |