summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Makefile.am1
-rw-r--r--src/confdb/confdb.h1
-rw-r--r--src/config/SSSDConfig/__init__.py.in1
-rw-r--r--src/config/etc/sssd.api.conf1
-rw-r--r--src/man/sssd.conf.5.xml12
-rw-r--r--src/responder/pam/pamsrv_cmd.c63
6 files changed, 53 insertions, 26 deletions
diff --git a/Makefile.am b/Makefile.am
index 2d704fd39..0c2e60e4f 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1898,7 +1898,6 @@ pam_srv_tests_SOURCES = \
pam_srv_tests_CFLAGS = \
-U SSSD_LIBEXEC_PATH -DSSSD_LIBEXEC_PATH=\"$(abs_builddir)\" \
$(AM_CFLAGS) \
- -DSSS_P11_CHILD_TIMEOUT=30 \
$(NULL)
pam_srv_tests_LDFLAGS = \
-Wl,-wrap,sss_packet_get_body \
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index eca3d4475..37b5fd7c7 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -118,6 +118,7 @@
#define CONFDB_PAM_ACCOUNT_EXPIRED_MESSAGE "pam_account_expired_message"
#define CONFDB_PAM_CERT_AUTH "pam_cert_auth"
#define CONFDB_PAM_CERT_DB_PATH "pam_cert_db_path"
+#define CONFDB_PAM_P11_CHILD_TIMEOUT "p11_child_timeout"
/* SUDO */
#define CONFDB_SUDO_CONF_ENTRY "config/sudo"
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index cb9c368b9..038de16d5 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -89,6 +89,7 @@ option_strings = {
'pam_trusted_users' : _('List of trusted uids or user\'s name'),
'pam_public_domains' : _('List of domains accessible even for untrusted users.'),
'pam_account_expired_message' : _('Message printed when user account is expired.'),
+ 'p11_child_timeout' : _('How many seconds will pam_sss wait for p11_child to finish'),
# [sudo]
'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index f28054860..72abb8b3f 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -59,6 +59,7 @@ get_domains_timeout = int, None, false
pam_trusted_users = str, None, false
pam_public_domains = str, None, false
pam_account_expired_message = str, None, false
+p11_child_timeout = int, None, false
[sudo]
# sudo service
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index b858347f8..9701f2a15 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -988,6 +988,18 @@ pam_account_expired_message = Account expired, please call help desk.
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>p11_child_timeout (integer)</term>
+ <listitem>
+ <para>
+ How many seconds will pam_sss wait for
+ p11_child to finish.
+ </para>
+ <para>
+ Default: 10
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect2>
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index aa5c20906..27dddcf43 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -43,11 +43,6 @@ enum pam_verbosity {
#define DEFAULT_PAM_VERBOSITY PAM_VERBOSITY_IMPORTANT
-/* TODO: Should we make this configurable? */
-#ifndef SSS_P11_CHILD_TIMEOUT
-#define SSS_P11_CHILD_TIMEOUT 10
-#endif
-
static errno_t
pam_null_last_online_auth_with_curr_token(struct sss_domain_info *domain,
const char *username);
@@ -1027,6 +1022,39 @@ static bool is_domain_public(char *name,
return false;
}
+static errno_t check_cert(TALLOC_CTX *mctx,
+ struct tevent_context *ev,
+ struct pam_ctx *pctx,
+ struct pam_auth_req *preq,
+ struct pam_data *pd)
+{
+ int p11_child_timeout;
+ const int P11_CHILD_TIMEOUT_DEFAULT = 10;
+ errno_t ret;
+ struct tevent_req *req;
+
+ ret = confdb_get_int(pctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_P11_CHILD_TIMEOUT,
+ P11_CHILD_TIMEOUT_DEFAULT,
+ &p11_child_timeout);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to read p11_child_timeout from confdb: [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
+ req = pam_check_cert_send(mctx, ev, pctx->p11_child_debug_fd,
+ pctx->nss_db, p11_child_timeout, pd);
+ if (req == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "pam_check_cert_send failed.\n");
+ return ENOMEM;
+ }
+
+ tevent_req_set_callback(req, pam_forwarder_cert_cb, preq);
+ return EAGAIN;
+}
+
static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
{
struct sss_domain_info *dom;
@@ -1125,17 +1153,10 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
}
}
- if (may_do_cert_auth(pctx, pd)) {
- req = pam_check_cert_send(cctx, cctx->ev, pctx->p11_child_debug_fd,
- pctx->nss_db, SSS_P11_CHILD_TIMEOUT, pd);
- if (req == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "pam_check_cert_send failed.\n");
- ret = ENOMEM;
- } else {
- tevent_req_set_callback(req, pam_forwarder_cert_cb, preq);
- ret = EAGAIN;
- }
+ if (may_do_cert_auth(pctx, pd)) {
+ ret = check_cert(cctx, cctx->ev, pctx, preq, pd);
+ /* Finish here */
goto done;
}
@@ -1342,16 +1363,8 @@ static void pam_forwarder_cb(struct tevent_req *req)
}
if (may_do_cert_auth(pctx, pd)) {
- req = pam_check_cert_send(cctx, cctx->ev, pctx->p11_child_debug_fd,
- pctx->nss_db, SSS_P11_CHILD_TIMEOUT, pd);
- if (req == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "pam_check_cert_send failed.\n");
- ret = ENOMEM;
- } else {
- tevent_req_set_callback(req, pam_forwarder_cert_cb, preq);
- ret = EAGAIN;
- }
-
+ ret = check_cert(cctx, cctx->ev, pctx, preq, pd);
+ /* Finish here */
goto done;
}