authorSumit Bose <sbose@redhat.com>2017-03-16 20:43:08 +0100
committerJakub Hrozek <jhrozek@redhat.com>2017-03-29 15:05:02 +0200
commit1c551b1373799643f3e9ba4f696d21b8fc57dafd (patch)
treeb56619c1e1a313a17c984a704d03b56c9aa58b98
parent1b5d6b1afc9c3dc696b7b45f2d73b2634f42800a (diff)
krb5: return to responder that pkinit is not available
If pkinit is not available for a user but other authentication methods are, SSSD should still fall back to local certificate-based authentication if Smartcard credentials are provided. Resolves https://pagure.io/SSSD/sssd/issue/3343 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-rw-r--r--src/providers/krb5/krb5_child.c17
1 files changed, 13 insertions, 4 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 777a25f2a..a4128dda6 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -42,6 +42,10 @@
#define SSSD_KRB5_CHANGEPW_PRINCIPAL "kadmin/changepw"
+#define IS_SC_AUTHTOK(tok) ( \
+ sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_PIN \
+ || sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_KEYPAD)
+
enum k5c_fast_opt {
K5C_FAST_NEVER,
K5C_FAST_TRY,
@@ -1529,12 +1533,17 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
* pre-auth module is missing or no Smartcard is inserted and only
* pkinit is available KRB5_PREAUTH_FAILED is returned.
* ERR_NO_AUTH_METHOD_AVAILABLE is used to indicate to the
- * frontend that local authentication might be tried. */
+ * frontend that local authentication might be tried.
+ * Same is true if Smartcard credentials are given but only other
+ * authentication methods are available. */
if (kr->pd->cmd == SSS_PAM_AUTHENTICATE
&& kerr == KRB5_PREAUTH_FAILED
- && kr->password_prompting == false
- && kr->otp == false
- && kr->pkinit_prompting == false) {
+ && kr->pkinit_prompting == false
+ && (( kr->password_prompting == false
+ && kr->otp == false)
+ || ((kr->otp == true
+ || kr->password_prompting == true)
+ && IS_SC_AUTHTOK(kr->pd->authtok))) ) {
return ERR_NO_AUTH_METHOD_AVAILABLE;
}
return kerr;
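Review bot: The new condition in get_and_save_tgt can be simplified without changing its truth table, because the inner guard `(kr->otp == true || kr->password_prompting == true)` is exactly the negation of the first disjunct `(kr->password_prompting == false && kr->otp == false)`, so `(A && B) || (!(A && B) && C)` reduces to `(A && B) || C`; the three lines after `kr->pkinit_prompting == false` become `&& ((kr->password_prompting == false && kr->otp == false)` / `    || IS_SC_AUTHTOK(kr->pd->authtok))) {`, which also reads as the two cases the updated comment describes. The IS_SC_AUTHTOK macro added in the first hunk calls sss_authtok_get_type() twice on the same token; a `static inline bool` helper taking the token pointer would evaluate it once and type-check the argument, which matters more now that this decides whether the responder is told to fall back to local certificate authentication. If kr->pd->authtok can be NULL on this path, sss_authtok_get_type() must tolerate that before the macro is reached — I cannot tell from the hunk, so please confirm. get_and_save_tgt's body begins above this hunk.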