author | Sumit Bose <sbose@redhat.com> | 2015-03-24 15:53:17 +0100 |
committer | Sumit Bose <sbose@redhat.com> | 2015-05-08 09:14:20 +0200 |
commit | c5ae04b2da970a3991f21173acae3e892198ce0c (patch) | |
tree | 38174ef6e4e32707df08be9daae134aa7293faf8 /src/providers/krb5 | |
parent | 55b7fdd837a780ab0f71cbfaa2403f4626993922 (diff) | |
krb5: save hash of the first authentication factor to the cache
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Diffstat (limited to 'src/providers/krb5')
-rw-r--r-- | src/providers/krb5/krb5_auth.c | 26 |
1 files changed, 23 insertions, 3 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 651a92017..b003a8a00 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -265,6 +265,9 @@ static void krb5_auth_store_creds(struct sss_domain_info *domain,
                                   struct pam_data *pd)
 {
     const char *password = NULL;
+    const char *fa2;
+    size_t password_len;
+    size_t fa2_len = 0;
     int ret = EOK;
 
     switch(pd->cmd) {
@@ -276,7 +279,20 @@ static void krb5_auth_store_creds(struct sss_domain_info *domain,
         break;
     case SSS_PAM_AUTHENTICATE:
     case SSS_PAM_CHAUTHTOK_PRELIM:
-        ret = sss_authtok_get_password(pd->authtok, &password, NULL);
+        if (sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_2FA) {
+            ret = sss_authtok_get_2fa(pd->authtok, &password, &password_len,
+                                      &fa2, &fa2_len);
+            if (ret == EOK && password_len <
+                              domain->cache_credentials_min_ff_length) {
+                DEBUG(SSSDBG_FATAL_FAILURE,
+                      "First factor is too short to be cache, "
+                      "minimum length is [%u].\n",
+                      domain->cache_credentials_min_ff_length);
+                ret = EINVAL;
+            }
+        } else {
+            ret = sss_authtok_get_password(pd->authtok, &password, NULL);
+        }
         break;
     case SSS_PAM_CHAUTHTOK:
         ret = sss_authtok_get_password(pd->newauthtok, &password, NULL);
@@ -302,7 +318,8 @@ static void krb5_auth_store_creds(struct sss_domain_info *domain,
         return;
     }
 
-    ret = sysdb_cache_password(domain, pd->user, password);
+    ret = sysdb_cache_password_ex(domain, pd->user, password,
+                                  sss_authtok_get_type(pd->authtok), fa2_len);
     if (ret) {
         DEBUG(SSSDBG_OP_FAILURE,
               "Failed to cache password, offline auth may not work."
@@ -1018,7 +1035,10 @@ static void krb5_auth_done(struct tevent_req *subreq)
         goto done;
     }
 
-    if (state->be_ctx->domain->cache_credentials == TRUE && !res->otp) {
+    if (state->be_ctx->domain->cache_credentials == TRUE
+        && (!res->otp
+            || (res->otp && sss_authtok_get_type(pd->authtok) ==
+                            SSS_AUTHTOK_TYPE_2FA))) {
         krb5_auth_store_creds(state->domain, pd);
     }
 
|
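Review bot: In the SSS_AUTHTOK_TYPE_2FA branch of the second hunk, the minimum-length rejection is logged at SSSDBG_FATAL_FAILURE with a message that reads as a typo; refusing to cache a too-short first factor is a per-request policy decision that will recur in normal operation whenever the configured minimum is not met, not a daemon-level failure, so a level such as the SSSDBG_OP_FAILURE already used later in this function fits better, and the string should read `"First factor is too short to be cached, "`. The intent is sound — a short first factor would leave an easily brute-forced hash in the cache — so it is worth stating it: `/* Refuse to cache a hash of a first factor shorter than cache_credentials_min_ff_length: a short secret makes the stored hash cheap to brute-force. */`. The `%u` conversion presumes cache_credentials_min_ff_length is an unsigned int; its declaration is not visible here, so please confirm the format matches the field's actual type. krb5_auth_store_creds starts before and continues after this hunk.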
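Review bot: In the third hunk the type handed to sysdb_cache_password_ex is always taken from pd->authtok, yet the SSS_PAM_CHAUTHTOK case of the switch above caches the password obtained from pd->newauthtok; if the old token was a 2FA token, the new plain password would be recorded under the 2FA type with fa2_len left at 0. Whether sysdb_cache_password_ex treats that combination as a plain password is outside the hunk, but recording the type of the token whose secret is actually stored avoids the question, e.g. track the token chosen in the switch in a `struct sss_auth_token *tok` and pass `sss_authtok_get_type(tok)`. A one-line comment would also help here: `/* fa2_len is non-zero only when a 2FA first factor is being cached. */`. The enclosing function continues outside the hunk.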
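Review bot: The new condition in the last hunk repeats the `res->otp` test inside the second disjunct, where it is already implied by `!res->otp` being false, so the expression reduces to `&& (!res->otp || sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_2FA)`. The shorter form makes the policy visible at a glance, and deserves a comment since the behaviour it enables lives in krb5_auth_store_creds: `/* With an OTP, credentials are cached only for a 2FA token, where krb5_auth_store_creds stores the first factor alone; a bare OTP is never cached. */`. The origin of pd in krb5_auth_done is outside the hunk, so it is assumed to be the same pam_data the request was created from.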