author | Jakub Hrozek <jhrozek@redhat.com> | 2014-03-18 16:48:11 +0100 |
committer | Sumit Bose <sbose@redhat.com> | 2014-03-26 11:24:03 +0100 |
commit | 1c1693ee1a74f27caaef416d9dce5c14b0ad53f9 (patch) | |
tree | 257a924f87f5c3694348bbd4544ea6a7f2afa5f7 /src/sss_client | |
parent | cf13b90a3976158fca70523815ad934f177d424b (diff) | |
KRB5: Do not attempt to get a TGT after a password change using OTP
https://fedorahosted.org/sssd/ticket/2271
The current krb5_child code attempts to get a TGT for the convenience of
the user using the new password after a password change operation.
However, an OTP should never be used twice, which means we can't perform
the kinit operation after chpass is finished. Instead, we only print a
PAM informational message instructing the user to log out and back in manually.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
Diffstat (limited to 'src/sss_client')
-rw-r--r-- | src/sss_client/pam_sss.c | 19 | ||||
-rw-r--r-- | src/sss_client/sss_cli.h | 3 |
2 files changed, 22 insertions, 0 deletions
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 4ff38f299..e629fc19b 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -771,6 +771,22 @@ static int user_info_offline_chpass(pam_handle_t *pamh)
 return PAM_SUCCESS;
 }
+static int user_info_otp_chpass(pam_handle_t *pamh)
+{
+ int ret;
+
+ ret = do_pam_conversation(pamh, PAM_TEXT_INFO,
+ _("After changing the OTP password, you need to "
+ "log out and back in order to acquire a ticket"),
+ NULL, NULL);
+ if (ret != PAM_SUCCESS) {
+ D(("do_pam_conversation failed."));
+ return PAM_SYSTEM_ERR;
+ }
+
+ return PAM_SUCCESS;
+}
+
 static int user_info_chpass_error(pam_handle_t *pamh, size_t buflen,
 uint8_t *buf)
 {
@@ -856,6 +872,9 @@ static int eval_user_info_response(pam_handle_t *pamh, size_t buflen,
 case SSS_PAM_USER_INFO_OFFLINE_CHPASS:
 ret = user_info_offline_chpass(pamh);
 break;
+ case SSS_PAM_USER_INFO_OTP_CHPASS:
+ ret = user_info_otp_chpass(pamh);
+ break;
 case SSS_PAM_USER_INFO_CHPASS_ERROR:
 ret = user_info_chpass_error(pamh, buflen, buf);
 break;
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index 285a2979a..16a08e186 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -451,6 +451,9 @@ enum user_info_type {
 * possible to change the password while
 * the system is offline. This message
 * is generated by the PAM responder. */
+ SSS_PAM_USER_INFO_OTP_CHPASS, /**< Tell the user that he needs to kinit
+ * or login and logout to get a TGT after
+ * an OTP password change */
 SSS_PAM_USER_INFO_CHPASS_ERROR, /**< Tell the user that a password change
 * failed and optionally give a reason.
 * @param Size of the message as unsigned |
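Review bot: The user-facing string in user_info_otp_chpass drops a word: `"log out and back in order to acquire a ticket"` reads as "back in order", and should be `"log out and back in, in order to acquire a ticket"` or simply `"log out and back in to acquire a ticket"`. Because the text is wrapped in `_()` it will be extracted for translation, so correcting it before it lands in the catalogs avoids a later string change that invalidates existing translations. The Doxygen comment added for the matching enum value in sss_cli.h also offers kinit as an alternative, so if that is intended the message could read `"log out and back in, or run kinit, to acquire a ticket"` so the two agree.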
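Review bot: SSS_PAM_USER_INFO_OTP_CHPASS is inserted before SSS_PAM_USER_INFO_CHPASS_ERROR rather than appended, which renumbers every enum value that follows it; user_info_type appears to be the code the PAM responder writes into its response and that pam_sss.c's eval_user_info_response switches on, so if that integer crosses the socket unchanged, a pam_sss.so already loaded into a long-lived process (sshd, a display manager) would decode a freshly upgraded responder's messages with the old numbering and misreport the message type. If the protocol does carry the raw value, appending the new constant at the end of the enum sidesteps that. Separately, the new comment says `kinit or login and logout` while the client message it describes says log out and back in; suggest `/**< Tell the user that they need to log out and back in (or run kinit) to get a TGT after an OTP password change */`. The enum's opening and closing lines are outside the hunk.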