From 3983d81f461a4f17736a516eb595f54df4bf4336 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Tue, 18 Mar 2014 16:48:11 +0100
Subject: KRB5: Do not attempt to get a TGT after a password change using OTP

https://fedorahosted.org/sssd/ticket/2271 The current krb5_child code attempts to get a TGT for the convenience of the user using the new password after a password change operation. However, an OTP should never be used twice, which means we can't perform the kinit operation after chpass is finished. Instead, we only print a PAM information instructing the user to log out and back in manually.

Reviewed-by: Alexander Bokovoy
---
 src/sss_client/pam_sss.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
(limited to 'src/sss_client/pam_sss.c')
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 32558fac9..ddf4ded7c 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -763,6 +763,22 @@ static int user_info_offline_chpass(pam_handle_t *pamh)
 return PAM_SUCCESS;
 }
 
+static int user_info_otp_chpass(pam_handle_t *pamh)
+{
+ int ret;
+
+ ret = do_pam_conversation(pamh, PAM_TEXT_INFO,
+ _("After changing the OTP password, you need to "
+ "log out and back in order to acquire a ticket"),
+ NULL, NULL);
+ if (ret != PAM_SUCCESS) {
+ D(("do_pam_conversation failed."));
+ return PAM_SYSTEM_ERR;
+ }
+
+ return PAM_SUCCESS;
+}
+
 static int user_info_chpass_error(pam_handle_t *pamh, size_t buflen,
 uint8_t *buf)
 {
@@ -848,6 +864,9 @@ static int eval_user_info_response(pam_handle_t *pamh, size_t buflen,
 case SSS_PAM_USER_INFO_OFFLINE_CHPASS:
 ret = user_info_offline_chpass(pamh);
 break;
+ case SSS_PAM_USER_INFO_OTP_CHPASS:
+ ret = user_info_otp_chpass(pamh);
+ break;
 case SSS_PAM_USER_INFO_CHPASS_ERROR:
 ret = user_info_chpass_error(pamh, buflen, buf);
 break;
-- 
cgit
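Review bot: The new user_info_otp_chpass only prints the advisory; nothing in this patch (the diffstat shows pam_sss.c alone) stops krb5_child from attempting the post-chpass kinit with the already-consumed OTP, nor makes the responder emit SSS_PAM_USER_INFO_OTP_CHPASS, so the suppression the subject line describes presumably lands in a separate backend commit and this client change should not ship ahead of it, or users will read "log out and back in" while the reuse the message is meant to avoid still happens. SSS_PAM_USER_INFO_OTP_CHPASS is also not defined in this patch; unless it is already in sss_cli.h, the new case in the second hunk (eval_user_info_response, whose switch continues outside the hunk) will not compile. Minor wording in the new gettext string: `"log out and back in order to acquire a ticket"` drops a word; `"log out and log back in to acquire a ticket"` reads cleanly, and since the string is new and translatable, changing it now avoids churn in the .po files later.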