From d85be8ad409c9efa9cf9e9ab6f9c2d911b01e5c1 Mon Sep 17 00:00:00 2001
From: Michal Židek
Date: Mon, 7 Sep 2015 15:19:53 +0200
Subject: PAM: Make p11_child timeout configurable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Ticket: https://fedorahosted.org/sssd/ticket/2773

Reviewed-by: Lukáš Slebodník
Reviewed-by: Pavel Reichl
---
 Makefile.am | 1 -
 src/confdb/confdb.h | 1 +
 src/config/SSSDConfig/__init__.py.in | 1 +
 src/config/etc/sssd.api.conf | 1 +
 src/man/sssd.conf.5.xml | 12 +++++++
 src/responder/pam/pamsrv_cmd.c | 63 ++++++++++++++++++++++++++++++++++++++-----------
 6 files changed, 53 insertions(+), 26 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 2d704fd39..0c2e60e4f 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1898,7 +1898,6 @@ pam_srv_tests_SOURCES = \
pam_srv_tests_CFLAGS = \
-U SSSD_LIBEXEC_PATH -DSSSD_LIBEXEC_PATH=\"$(abs_builddir)\" \
$(AM_CFLAGS) \
- -DSSS_P11_CHILD_TIMEOUT=30 \
$(NULL)
pam_srv_tests_LDFLAGS = \
-Wl,-wrap,sss_packet_get_body \
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index eca3d4475..37b5fd7c7 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -118,6 +118,7 @@
#define CONFDB_PAM_ACCOUNT_EXPIRED_MESSAGE "pam_account_expired_message"
#define CONFDB_PAM_CERT_AUTH "pam_cert_auth"
#define CONFDB_PAM_CERT_DB_PATH "pam_cert_db_path"
+#define CONFDB_PAM_P11_CHILD_TIMEOUT "p11_child_timeout"

/* SUDO */
#define CONFDB_SUDO_CONF_ENTRY "config/sudo"
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index cb9c368b9..038de16d5 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
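Review bot: Removing `-DSSS_P11_CHILD_TIMEOUT=30` from pam_srv_tests_CFLAGS silently changes the timeout the PAM responder tests run with: the macro no longer exists, and the value now comes from confdb with a default of 10 seconds (per the sssd.conf(5) hunk). The diffstat touches no test source, so unless the test fixture already writes `p11_child_timeout` into its confdb, the tests now give p11_child a third of the previous budget; if 30 s was chosen for slow CI runs (valgrind, loaded builders) the certificate tests may become flaky. Suggest adding `p11_child_timeout = 30` to the test's confdb setup, presumably where the `[pam]` section is populated, or confirming the tests never reach a real p11_child.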
@@ -89,6 +89,7 @@ option_strings = {
'pam_trusted_users' : _('List of trusted uids or user\'s name'),
'pam_public_domains' : _('List of domains accessible even for untrusted users.'),
'pam_account_expired_message' : _('Message printed when user account is expired.'),
+ 'p11_child_timeout' : _('How many seconds will pam_sss wait for p11_child to finish'),

# [sudo]
'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index f28054860..72abb8b3f 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -59,6 +59,7 @@ get_domains_timeout = int, None, false
pam_trusted_users = str, None, false
pam_public_domains = str, None, false
pam_account_expired_message = str, None, false
+p11_child_timeout = int, None, false

[sudo]
# sudo service
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index b858347f8..9701f2a15 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -988,6 +988,18 @@ pam_account_expired_message = Account expired, please call help desk. + + p11_child_timeout (integer) + + + How many seconds will pam_sss wait for + p11_child to finish. + + + Default: 10 + + +
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index aa5c20906..27dddcf43 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -43,11 +43,6 @@ enum pam_verbosity {
#define DEFAULT_PAM_VERBOSITY PAM_VERBOSITY_IMPORTANT

-/* TODO: Should we make this configurable? */
-#ifndef SSS_P11_CHILD_TIMEOUT
-#define SSS_P11_CHILD_TIMEOUT 10
-#endif
-
static errno_t pam_null_last_online_auth_with_curr_token(struct sss_domain_info *domain,
const char *username);
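Review bot: The new help string `'How many seconds will pam_sss wait for p11_child to finish'` names the wrong component: p11_child is started and waited on by the PAM responder (the `pam_check_cert_send` call in the pamsrv_cmd.c hunks), not by the pam_sss module, which has its own client-side timeout that this option does not change. Proposed text: `_('How many seconds will the PAM responder wait for p11_child to finish')`. The same sentence appears in the sssd.conf(5) hunk and should be changed together with it; neither text says what 0 or a negative value means, which is worth stating once check_cert defines it.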
@@ -1027,6 +1022,39 @@ static bool is_domain_public(char *name,
return false;
}

+static errno_t check_cert(TALLOC_CTX *mctx,
+ struct tevent_context *ev,
+ struct pam_ctx *pctx,
+ struct pam_auth_req *preq,
+ struct pam_data *pd)
+{
+ int p11_child_timeout;
+ const int P11_CHILD_TIMEOUT_DEFAULT = 10;
+ errno_t ret;
+ struct tevent_req *req;
+
+ ret = confdb_get_int(pctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_P11_CHILD_TIMEOUT,
+ P11_CHILD_TIMEOUT_DEFAULT,
+ &p11_child_timeout);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to read p11_child_timeout from confdb: [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
+ req = pam_check_cert_send(mctx, ev, pctx->p11_child_debug_fd,
+ pctx->nss_db, p11_child_timeout, pd);
+ if (req == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "pam_check_cert_send failed.\n");
+ return ENOMEM;
+ }
+
+ tevent_req_set_callback(req, pam_forwarder_cert_cb, preq);
+ return EAGAIN;
+}
+
static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
{
struct sss_domain_info *dom;
@@ -1125,17 +1153,10 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
}
}

- if (may_do_cert_auth(pctx, pd)) {
- req = pam_check_cert_send(cctx, cctx->ev, pctx->p11_child_debug_fd,
- pctx->nss_db, SSS_P11_CHILD_TIMEOUT, pd);
- if (req == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "pam_check_cert_send failed.\n");
- ret = ENOMEM;
- } else {
- tevent_req_set_callback(req, pam_forwarder_cert_cb, preq);
- ret = EAGAIN;
- }
+ if (may_do_cert_auth(pctx, pd)) {
+ ret = check_cert(cctx, cctx->ev, pctx, preq, pd);
+ /* Finish here */
goto done;
}
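Review bot: In check_cert the value read by `confdb_get_int` is handed to `pam_check_cert_send` with no range check, so `p11_child_timeout = 0` or a negative number in sssd.conf reaches the child-timeout logic unchanged; what that logic does with it is outside this diff (presumably a tevent timer of that many seconds, in which case 0 would kill p11_child almost immediately and every smartcard authentication would fail). Because the option is re-read on every request that may do certificate auth, a bad value is not caught at responder start either. Suggest rejecting non-positive values right after the read, `if (p11_child_timeout <= 0) { DEBUG(SSSDBG_CRIT_FAILURE, "Invalid p11_child_timeout [%d], must be positive.\n", p11_child_timeout); return EINVAL; }` (or falling back to `P11_CHILD_TIMEOUT_DEFAULT` with a warning), and consider reading the value once into `struct pam_ctx` next to `p11_child_debug_fd` instead of per request. Failing the request when the confdb read itself fails, rather than silently using the default, is the right choice on an authentication path and should stay.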
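Review bot: The comment `/* Finish here */` above `goto done` tells the reader nothing the three new lines do not already show; it should say why the request is done: `/* check_cert() either queued pam_forwarder_cert_cb (EAGAIN) or failed; nothing more to do for this request here */`. With the `pam_check_cert_send` call moved into check_cert, the `struct tevent_req *req` local of pam_forwarder, declared outside the hunk, appears to have no remaining use in this function; if that is the case it should be dropped to avoid an unused-variable warning. The rest of pam_forwarder, including the `done:` label that consumes `ret`, is outside the hunk.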
@@ -1342,16 +1363,8 @@ static void pam_forwarder_cb(struct tevent_req *req)
}

if (may_do_cert_auth(pctx, pd)) {
- req = pam_check_cert_send(cctx, cctx->ev, pctx->p11_child_debug_fd,
- pctx->nss_db, SSS_P11_CHILD_TIMEOUT, pd);
- if (req == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "pam_check_cert_send failed.\n");
- ret = ENOMEM;
- } else {
- tevent_req_set_callback(req, pam_forwarder_cert_cb, preq);
- ret = EAGAIN;
- }
-
+ ret = check_cert(cctx, cctx->ev, pctx, preq, pd);
+ /* Finish here */
goto done;
}
--
cgit
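Review bot: On this path `ret` can now carry an arbitrary errno from the confdb read inside check_cert, where the removed code could only produce ENOMEM or EAGAIN; the `done:` handling of pam_forwarder_cb, which is outside the hunk, must turn such a value into a PAM error reply rather than treating anything that is not ENOMEM as success, which cannot be confirmed from here. Reusing the `req` parameter of pam_forwarder_cb as the holder for the new request is gone with this change, which is an improvement worth keeping. The comment `/* Finish here */` should explain the reason as in pam_forwarder, e.g. `/* check_cert() queued the callback or failed; the request ends here */`.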