diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/external/krb5.m4 | 1 | ||||
-rw-r--r-- | src/providers/krb5/krb5_auth.c | 2 | ||||
-rw-r--r-- | src/providers/krb5/krb5_auth.h | 1 | ||||
-rw-r--r-- | src/providers/krb5/krb5_child.c | 223 | ||||
-rw-r--r-- | src/providers/krb5/krb5_child_handler.c | 7 | ||||
-rw-r--r-- | src/sss_client/sss_cli.h | 3 |
6 files changed, 236 insertions, 1 deletions
diff --git a/src/external/krb5.m4 b/src/external/krb5.m4 index f1679a151..56c64842f 100644 --- a/src/external/krb5.m4 +++ b/src/external/krb5.m4 @@ -50,6 +50,7 @@ AC_CHECK_FUNCS([krb5_get_init_creds_opt_alloc krb5_get_error_message \ krb5_get_init_creds_opt_set_fast_ccache_name \ krb5_get_init_creds_opt_set_fast_flags \ krb5_get_init_creds_opt_set_canonicalize \ + krb5_get_init_creds_opt_set_responder \ krb5_unparse_name_flags \ krb5_get_init_creds_opt_set_change_password_prompt \ krb5_free_keytab_entry_contents \ diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c index e41e1a1e8..d3e11a2db 100644 --- a/src/providers/krb5/krb5_auth.c +++ b/src/providers/krb5/krb5_auth.c @@ -1107,7 +1107,7 @@ static void krb5_auth_done(struct tevent_req *subreq) goto done; } - if (state->be_ctx->domain->cache_credentials == TRUE) { + if (state->be_ctx->domain->cache_credentials == TRUE && !res->otp) { krb5_auth_store_creds(state->sysdb, state->domain, pd); } diff --git a/src/providers/krb5/krb5_auth.h b/src/providers/krb5/krb5_auth.h index 078a31d8e..cf290ca05 100644 --- a/src/providers/krb5/krb5_auth.h +++ b/src/providers/krb5/krb5_auth.h @@ -81,6 +81,7 @@ struct krb5_child_response { struct tgt_times tgtt; char *ccname; char *correct_upn; + bool otp; }; errno_t diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index 9cc0f5548..656853335 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -146,6 +146,220 @@ static void sss_krb5_expire_callback_func(krb5_context context, void *data, return; } +#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_RESPONDER +/* + * TODO: These features generally would requires a significant refactoring + * of SSSD and MIT krb5 doesn't support them anyway. They are listed here + * simply as a reminder of things that might become future feature potential. + * + * 1. tokeninfo selection + * 2. challenge + * 3. discreet token/pin prompting + * 4. interactive otp format correction + * 5. nextOTP + * + */ +typedef int (*checker)(int c); + +static inline checker pick_checker(int format) +{ + switch (format) { + case KRB5_RESPONDER_OTP_FORMAT_DECIMAL: + return isdigit; + case KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL: + return isxdigit; + case KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC: + return isalnum; + } + + return NULL; +} + +static int token_pin_destructor(char *mem) +{ + safezero(mem, strlen(mem)); + return 0; +} + +static krb5_error_code tokeninfo_matches(TALLOC_CTX *mem_ctx, + const krb5_responder_otp_tokeninfo *ti, + const char *pwd, size_t len, + char **out_token, char **out_pin) +{ + char *token = NULL, *pin = NULL; + checker check = NULL; + int i; + + + if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_NEXTOTP) { + return ENOTSUP; + } + + if (ti->challenge != NULL) { + return ENOTSUP; + } + + /* This is a non-sensical value. */ + if (ti->length == 0) { + return EPROTO; + } + + if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN) { + /* ASSUMPTION: authtok has one of the following formats: + * 1. TokenValue + * 2. PIN+TokenValue + */ + token = talloc_strndup(mem_ctx, pwd, len); + if (token == NULL) { + return ENOMEM; + } + talloc_set_destructor(token, token_pin_destructor); + + if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN) { + /* If the server desires a separate pin, we will split it. + * ASSUMPTION: Format of authtok is PIN+TokenValue. */ + if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN) { + if (ti->length < 1) { + talloc_free(token); + return ENOTSUP; + } + + if (ti->length >= len) { + talloc_free(token); + return EMSGSIZE; + } + + /* Copy the PIN from the front of the value. */ + pin = talloc_strndup(NULL, pwd, len - ti->length); + if (pin == NULL) { + talloc_free(token); + return ENOMEM; + } + talloc_set_destructor(pin, token_pin_destructor); + + /* Remove the PIN from the front of the token value. */ + memmove(token, token + len - ti->length, ti->length + 1); + + check = pick_checker(ti->format); + } else { + if (ti->length > 0 && ti->length > len) { + talloc_free(token); + return EMSGSIZE; + } + } + } else { + if (ti->length > 0 && ti->length != len) { + talloc_free(token); + return EMSGSIZE; + } + + check = pick_checker(ti->format); + } + } else { + pin = talloc_strndup(mem_ctx, pwd, len); + if (pin == NULL) { + return ENOMEM; + } + talloc_set_destructor(pin, token_pin_destructor); + } + + /* If check is set, we need to verify the contents of the token. */ + for (i = 0; check != NULL && token[i] != '\0'; i++) { + if (!check(token[i])) { + talloc_free(token); + talloc_free(pin); + return EBADMSG; + } + } + + *out_token = token; + *out_pin = pin; + return 0; +} + +static krb5_error_code answer_otp(krb5_context ctx, + struct krb5_req *kr, + krb5_responder_context rctx) +{ + krb5_responder_otp_challenge *chl; + char *token = NULL, *pin = NULL; + const char *pwd = NULL; + krb5_error_code ret; + size_t i, len; + + ret = krb5_responder_otp_get_challenge(ctx, rctx, &chl); + if (ret != EOK || chl == NULL) { + /* Either an error, or nothing to do. */ + return ret; + } + + if (chl->tokeninfo == NULL || chl->tokeninfo[0] == NULL) { + /* No tokeninfos? Absurd! */ + ret = EINVAL; + goto done; + } + + /* Validate our assumptions about the contents of authtok. */ + ret = sss_authtok_get_password(&kr->pd->authtok, &pwd, &len); + if (ret != EOK) + goto done; + + /* Find the first supported tokeninfo which matches our authtoken. */ + for (i = 0; chl->tokeninfo[i] != NULL; i++) { + ret = tokeninfo_matches(kr, chl->tokeninfo[i], pwd, len, &token, &pin); + if (ret == EOK) { + break; + } + + switch (ret) { + case EBADMSG: + case EMSGSIZE: + case ENOTSUP: + case EPROTO: + break; + default: + goto done; + } + } + if (chl->tokeninfo[i] == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + ("No tokeninfos found which match our credentials.\n")); + ret = EOK; + goto done; + } + + if (chl->tokeninfo[i]->flags & KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN) { + /* Don't let SSSD cache the OTP authtok since it is single-use. */ + ret = pam_add_response(kr->pd, SSS_OTP, 0, NULL); + if (ret != EOK) { + DEBUG(1, ("pam_add_response failed.\n")); + goto done; + } + } + + /* Respond with the appropriate answer. */ + ret = krb5_responder_otp_set_answer(ctx, rctx, i, token, pin); +done: + talloc_free(token); + talloc_free(pin); + krb5_responder_otp_challenge_free(ctx, rctx, chl); + return ret; +} + +static krb5_error_code sss_krb5_responder(krb5_context ctx, + void *data, + krb5_responder_context rctx) +{ + struct krb5_req *kr = talloc_get_type(data, struct krb5_req); + + if (kr == NULL) { + return EINVAL; + } + + return answer_otp(ctx, kr, rctx); +} +#endif + static krb5_error_code sss_krb5_prompter(krb5_context context, void *data, const char *name, const char *banner, int num_prompts, krb5_prompt prompts[]) @@ -1746,6 +1960,15 @@ static int k5c_setup(struct krb5_req *kr, uint32_t offline) return kerr; } +#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_RESPONDER + kerr = krb5_get_init_creds_opt_set_responder(kr->ctx, kr->options, + sss_krb5_responder, kr); + if (kerr != 0) { + KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr); + return kerr; + } +#endif + #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CHANGE_PASSWORD_PROMPT /* A prompter is used to catch messages about when a password will * expired. The library shall not use the prompter to ask for a new password diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c index 5adbcf700..99922b410 100644 --- a/src/providers/krb5/krb5_child_handler.c +++ b/src/providers/krb5/krb5_child_handler.c @@ -482,6 +482,7 @@ parse_krb5_child_response(TALLOC_CTX *mem_ctx, uint8_t *buf, ssize_t len, struct krb5_child_response *res; const char *upn = NULL; size_t upn_len; + bool otp = false; if ((size_t) len < sizeof(int32_t)) { DEBUG(SSSDBG_CRIT_FAILURE, ("message too short.\n")); @@ -563,6 +564,11 @@ parse_krb5_child_response(TALLOC_CTX *mem_ctx, uint8_t *buf, ssize_t len, } } + if (msg_type == SSS_OTP) { + otp = true; + skip = true; + } + if (!skip) { ret = pam_add_response(pd, msg_type, msg_len, &buf[p]); if (ret != EOK) { @@ -583,6 +589,7 @@ parse_krb5_child_response(TALLOC_CTX *mem_ctx, uint8_t *buf, ssize_t len, res = talloc_zero(mem_ctx, struct krb5_child_response); if (!res) return ENOMEM; + res->otp = otp; res->msg_status = msg_status; memcpy(&res->tgtt, &tgtt, sizeof(tgtt)); diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h index 372bcee59..b0d7b8212 100644 --- a/src/sss_client/sss_cli.h +++ b/src/sss_client/sss_cli.h @@ -368,6 +368,9 @@ enum response_type { * the user.This should only be used in the case where * it is not possile to use SSS_PAM_USER_INFO. * @param A zero terminated string. */ + SSS_OTP, /**< Indicates that the autotok was a OTP, so don't + * cache it. There is no message. + * @param None. */ }; /** |