From 2368a0fc19bcd56581eccd8397289e4513a383a5 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Mon, 20 Oct 2014 22:21:25 +0200
Subject: PAM: Remove authtok from PAM stack with OTP

We remove the password from the PAM stack when OTP is used to make sure that other pam modules (pam-gnome-keyring, pam_mount) cannot use it anymore and have to request a password on their own.

Resolves: https://fedorahosted.org/sssd/ticket/2287

Reviewed-by: Nathaniel McCallum
---
 src/providers/krb5/krb5_auth.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
(limited to 'src/providers')

diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index f539d5068..c96b7aee9 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -1161,6 +1161,20 @@ static void krb5_auth_done(struct tevent_req *subreq)
 krb5_auth_store_creds(state->domain, pd);
 }
 
+ if (res->otp == true && pd->cmd == SSS_PAM_AUTHENTICATE) {
+ uint32_t otp_flag = 1;
+ ret = pam_add_response(pd, SSS_OTP, sizeof(uint32_t),
+ (const uint8_t *) &otp_flag);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "pam_add_response failed: %d (%s).\n",
+ ret, sss_strerror(ret));
+ state->pam_status = PAM_SYSTEM_ERR;
+ state->dp_err = DP_ERR_OK;
+ goto done;
+ }
+ }
+
 state->pam_status = PAM_SUCCESS;
 state->dp_err = DP_ERR_OK;
 ret = EOK;
-- 
cgit
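Review bot: The new SSS_OTP block carries no comment saying why the response is sent, so the security intent stated in the commit message (the authtok is a one-time code and must be dropped before later PAM modules can reuse it) lives only in history; the block should open with `/* Tell the responder the authtok was a one-time code so it is removed from the PAM stack and later modules (e.g. pam_mount) must prompt themselves. */`. Note that the hunk itself only signals this to the responder; the actual removal is presumably done on the responder side, which is outside this hunk, so the comment should say so rather than claim the removal happens here. As a point of style, `sizeof(uint32_t)` should be `sizeof(otp_flag)` so the length stays tied to the object being sent, and `res->otp == true` should be written as `res->otp` if the field is a bool (if it is an integer flag that can hold other non-zero values the explicit comparison would silently miss them). krb5_auth_done starts and ends outside the hunk, so the error path's `goto done` could not be checked here.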