From 973bebfc2cb7e77b4fb3687da5c832516543b479 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 16 Dec 2009 12:53:55 +0100
Subject: Handle chauthtok with PAM_PRELIM_CHECK separately

If pam_sm_chauthtok is called with the flag PAM_PRELIM_CHECK set we
generate a separate call to the sssd to validate the old password before
asking for a new password and sending the change password request.
---
 server/providers/krb5/krb5_auth.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

(limited to 'server/providers/krb5/krb5_auth.c')

diff --git a/server/providers/krb5/krb5_auth.c b/server/providers/krb5/krb5_auth.c
index 4581278de..73018413c 100644
--- a/server/providers/krb5/krb5_auth.c
+++ b/server/providers/krb5/krb5_auth.c
@@ -398,6 +398,7 @@ static struct krb5_ctx *get_krb5_ctx(struct be_req *be_req)
                                        struct krb5_ctx);
             break;
         case SSS_PAM_CHAUTHTOK:
+        case SSS_PAM_CHAUTHTOK_PRELIM:
             return talloc_get_type(be_req->be_ctx->bet_info[BET_CHPASS].pvt_bet_data,
                                        struct krb5_ctx);
             break;
@@ -685,14 +686,16 @@ void krb5_pam_handler(struct be_req *be_req)
 
     pd = talloc_get_type(be_req->req_data, struct pam_data);
 
-    if (pd->cmd != SSS_PAM_AUTHENTICATE && pd->cmd != SSS_PAM_CHAUTHTOK) {
+    if (pd->cmd != SSS_PAM_AUTHENTICATE && pd->cmd != SSS_PAM_CHAUTHTOK &&
+        pd->cmd != SSS_PAM_CHAUTHTOK_PRELIM) {
         DEBUG(4, ("krb5 does not handles pam task %d.\n", pd->cmd));
         pam_status = PAM_SUCCESS;
         dp_err = DP_ERR_OK;
         goto done;
     }
 
-    if (be_is_offline(be_req->be_ctx) && pd->cmd == SSS_PAM_CHAUTHTOK) {
+    if (be_is_offline(be_req->be_ctx) &&
+        (pd->cmd == SSS_PAM_CHAUTHTOK || pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM)) {
         DEBUG(9, ("Password changes are not possible while offline.\n"));
         pam_status = PAM_AUTHINFO_UNAVAIL;
         dp_err = DP_ERR_OFFLINE;
@@ -958,6 +961,12 @@ static void krb5_child_done(struct tevent_req *req)
         pd->pam_status = *msg_status;
     }
 
+    if (*msg_status == PAM_SUCCESS && pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) {
+        pam_status = PAM_SUCCESS;
+        dp_err = DP_ERR_OK;
+        goto done;
+    }
+
     pref_len = strlen(CCACHE_ENV_NAME)+1;
     if (*msg_len > pref_len &&
         strncmp((const char *) &buf[p], CCACHE_ENV_NAME"=", pref_len) == 0) {
@@ -1047,6 +1056,7 @@ static void krb5_save_ccname_done(struct tevent_req *req)
 
         switch(pd->cmd) {
             case SSS_PAM_AUTHENTICATE:
+            case SSS_PAM_CHAUTHTOK_PRELIM:
                 password = talloc_size(be_req, pd->authtok_size + 1);
                 if (password != NULL) {
                     memcpy(password, pd->authtok, pd->authtok_size);
-- 
cgit