From b698a04b37ad33e3de5bee82edc6e0e7b5ba2cfe Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Thu, 23 Jul 2015 15:56:44 +0200
Subject: krb5: do not send SSS_OTP if two factors were used

Resolves https://fedorahosted.org/sssd/ticket/2729

Reviewed-by: Jakub Hrozek
---
 src/providers/krb5/krb5_auth.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index c94f2b26f..1c55ec3fc 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -1091,7 +1091,12 @@ static void krb5_auth_done(struct tevent_req *subreq)
         krb5_auth_store_creds(state->domain, pd);
     }
 
-    if (res->otp == true && pd->cmd == SSS_PAM_AUTHENTICATE) {
+    /* The SSS_OTP message will prevent pam_sss from putting the entered
+     * password on the PAM stack for other modules to use. This is not needed
+     * when both factors were entered separately because here the first factor
+     * (long term password) can be passed to the other modules. */
+    if (res->otp == true && pd->cmd == SSS_PAM_AUTHENTICATE
+        && sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_2FA) {
         uint32_t otp_flag = 1;
         ret = pam_add_response(pd, SSS_OTP, sizeof(uint32_t),
                                (const uint8_t *) &otp_flag);
-- 
cgit
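Review bot: The new condition decides whether to suppress the SSS_OTP response by reading `sss_authtok_get_type(pd->authtok)` at this point in krb5_auth_done, so it is only correct if nothing earlier in the handler has already replaced `pd->authtok` with a single-factor token; that invariant is not visible in the hunk and is worth stating in the added comment, e.g. `/* Relies on pd->authtok still carrying SSS_AUTHTOK_TYPE_2FA at this point. */`. The comment explains what pam_sss stops doing but not the deliberate trade-off: for 2FA the long-term password is intentionally left available to later PAM modules, and if pam_sss only ever forwards the first factor of a 2FA token, one sentence saying so (`Only the first factor is forwarded; the OTP itself is not placed on the stack.`) would make clear this is by design rather than an omission. Minor style: `res->otp == true` can simply be `res->otp`, the usual way to test a bool. krb5_auth_done begins and ends outside this hunk.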