authorSumit Bose <sbose@redhat.com>2017-02-21 14:41:37 +0100
committerLukas Slebodnik <lslebodn@redhat.com>2017-03-02 12:07:48 +0100
commit6dd271fdcf6ceb0afd77e703c98897672da3671a (patch)
tree762051e5e5274dd43ca68cba4a45161576e05268
parentbd5e09bad2b0ac8a7ca78f45d90c8ebb903efaa3 (diff)
pam: use authtok from PAM stack if available
With this patch the behavior of pam_sss is slightly changed to be more similar to the behavior of other PAM modules. Currently pam_sss expects that there is an authtok (password) on the PAM stack if the 'use_first_pass' option was used. Without the option pam_sss unconditionally prompts for credentials. With this patch pam_sss will use an authtok from the PAM stack even if 'use_first_pass' is not set, but it will assume that it is a password. To return to the previous behavior the new 'prompt_always' option can be used. Resolves: https://pagure.io/SSSD/sssd/issue/2984 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-rw-r--r--src/man/pam_sss.8.xml18
-rw-r--r--src/sss_client/pam_sss.c14
2 files changed, 29 insertions, 3 deletions
diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml
index 3158dfb24..d8e6a2041 100644
--- a/src/man/pam_sss.8.xml
+++ b/src/man/pam_sss.8.xml
@@ -47,6 +47,9 @@
<arg choice='opt'>
<replaceable>allow_missing_name</replaceable>
</arg>
+ <arg choice='opt'>
+ <replaceable>prompt_always</replaceable>
+ </arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -182,6 +185,21 @@ auth sufficient pam_sss.so allow_missing_name
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>prompt_always</option>
+ </term>
+ <listitem>
+ <para>
+ Always prompt the user for credentials. With this
+ option credentials requested by other PAM modules,
+ typically a password, will be ignored and pam_sss will
+ prompt for credentials again. Based on the pre-auth
+ reply by SSSD pam_sss might prompt for a password, a
+ Smartcard PIN or other credentials.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index a3d7a8a23..db0dcb9de 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -54,6 +54,7 @@
#define FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4)
#define FLAGS_USE_2FA (1 << 5)
#define FLAGS_ALLOW_MISSING_NAME (1 << 6)
+#define FLAGS_PROMPT_ALWAYS (1 << 7)
#define PWEXP_FLAG "pam_sss:password_expired_flag"
#define FD_DESTRUCTOR "pam_sss:fd_destructor"
@@ -1641,6 +1642,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
*flags |= FLAGS_USE_2FA;
} else if (strcmp(*argv, "allow_missing_name") == 0) {
*flags |= FLAGS_ALLOW_MISSING_NAME;
+ } else if (strcmp(*argv, "prompt_always") == 0) {
+ *flags |= FLAGS_PROMPT_ALWAYS;
} else {
logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
}
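Review bot: Nothing here diagnoses the combination of `use_first_pass` with the new `prompt_always`, although in get_authtok_for_authentication the `||` makes FLAGS_USE_FIRST_PASS win and `prompt_always` is then silently ignored. An administrator who sets both will believe they are forcing a prompt while the stack password is still consumed. Since the flags are only available once the loop has finished, a one-line warning after it would do: `if ((*flags & FLAGS_USE_FIRST_PASS) && (*flags & FLAGS_PROMPT_ALWAYS)) logger(pamh, LOG_WARNING, "prompt_always is ignored when use_first_pass is set");`. The body of eval_argv continues outside the hunk, so the exact placement of that check is not visible here.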
@@ -1655,7 +1658,10 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
{
int ret;
- if (flags & FLAGS_USE_FIRST_PASS) {
+ if ((flags & FLAGS_USE_FIRST_PASS)
+ || ( pi->pamstack_authtok != NULL
+ && *(pi->pamstack_authtok) != '\0'
+ && !(flags & FLAGS_PROMPT_ALWAYS))) {
pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
pi->pam_authtok = strdup(pi->pamstack_authtok);
if (pi->pam_authtok == NULL) {
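Review bot: The new condition has three interacting inputs (use_first_pass, a non-empty stack authtok, prompt_always) and a hard-coded SSS_AUTHTOK_TYPE_PASSWORD, but neither the code nor the man-page text added in this commit states the precedence: `use_first_pass` overrides `prompt_always`, and a token taken implicitly from the stack is always typed as a password even when a pre-auth reply would have asked for a PIN or a 2FA token. I would put a comment above the `if`, e.g. `/* use_first_pass always takes the stack authtok; otherwise a non-empty stack authtok is taken as a plain password unless prompt_always is set */`, and add a sentence to the prompt_always man-page entry saying it has no effect together with use_first_pass. Note also that only the new branch guards against a NULL or empty `pi->pamstack_authtok`; if use_first_pass is set and the stack is empty the `strdup()` below runs on a possibly NULL pointer, unless a check exists earlier in the call chain that this hunk does not show. get_authtok_for_authentication continues past the end of the hunk.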
@@ -1888,10 +1894,12 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
/*
* Only do preauth if
* - FLAGS_USE_FIRST_PASS is not set
- * - no password is on the stack
+ * - no password is on the stack or FLAGS_PROMPT_ALWAYS is set
* - preauth indicator file exists.
*/
- if ( !(flags & FLAGS_USE_FIRST_PASS) && pi.pam_authtok == NULL
+ if ( !(flags & FLAGS_USE_FIRST_PASS)
+ && (pi.pam_authtok == NULL
+ || (flags & FLAGS_PROMPT_ALWAYS))
&& access(PAM_PREAUTH_INDICATOR, F_OK) == 0) {
pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH,
quiet_mode);
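Review bot: The pre-auth round trip still depends on `access(PAM_PREAUTH_INDICATOR, F_OK) == 0`, so with `prompt_always` set but the indicator file absent no pre-auth is sent and pam_sss cannot learn whether a password, a Smartcard PIN or other credentials should be requested; the new man-page text ("Based on the pre-auth reply by SSSD pam_sss might prompt for ...") reads as if prompt_always alone made that happen. The updated comment could say so explicitly, e.g. `* - no password is on the stack or FLAGS_PROMPT_ALWAYS is set (without pre-auth, prompt_always falls back to a plain password prompt)`, assuming that is indeed the fallback, which is decided outside this hunk. The comment also says "on the stack" while the condition tests `pi.pam_authtok` rather than `pi.pamstack_authtok`; if the two fields are not equivalent at this point the comment should name the one actually checked. pam_sss's body extends beyond the hunk on both sides.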