authorSumit Bose <sbose@redhat.com>2017-01-25 20:29:43 +0100
committerJakub Hrozek <jhrozek@redhat.com>2017-02-23 10:15:01 +0100
commitf70d946f8cde55b6bdc09345e22849842bca4387 (patch)
tree6a513142717d7b2b388e3552bb10d1e92696144f /src/providers
parentd4757440418c7b73bbecec7e40baf6dfe8cc9460 (diff)
LDAP/proxy: tell frontend that Smartcard auth is not supported
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/providers')
-rw-r--r--src/providers/ldap/ldap_auth.c11
-rw-r--r--src/providers/proxy/proxy_auth.c8
2 files changed, 18 insertions, 1 deletions
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index 00d38284e..00ddd889b 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -645,7 +645,13 @@ static struct tevent_req *auth_send(TALLOC_CTX *memctx,
/* The token must be a password token */
if (sss_authtok_get_type(authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
- tevent_req_error(req, ERR_AUTH_FAILED);
+ if (sss_authtok_get_type(authtok) == SSS_AUTHTOK_TYPE_SC_PIN
+ || sss_authtok_get_type(authtok) == SSS_AUTHTOK_TYPE_SC_KEYPAD) {
+ /* Tell frontend that we do not support Smartcard authentication */
+ tevent_req_error(req, ERR_SC_AUTH_NOT_SUPPORTED);
+ } else {
+ tevent_req_error(req, ERR_AUTH_FAILED);
+ }
return tevent_req_post(req, ev);
}
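Review bot: The new check in auth_send calls `sss_authtok_get_type(authtok)` up to three times for one decision, which makes the password / Smartcard / other split harder to read than it needs to be. Reading it once, `enum sss_authtok_type type = sss_authtok_get_type(authtok);`, and branching on `type` keeps the three outcomes side by side. Neither branch logs anything, so a rejected Smartcard token and a genuine failure are only distinguishable by the returned code; a debug message on the `ERR_SC_AUTH_NOT_SUPPORTED` path would help when reading backend logs. The body of auth_send starts and ends outside this hunk.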
@@ -1028,6 +1034,9 @@ static void sdap_pam_auth_handler_done(struct tevent_req *subreq)
state->pd->account_locked = true;
state->pd->pam_status = PAM_PERM_DENIED;
break;
+ case ERR_SC_AUTH_NOT_SUPPORTED:
+ state->pd->pam_status = PAM_BAD_ITEM;
+ break;
default:
state->pd->pam_status = PAM_SYSTEM_ERR;
break;
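Review bot: The new `case ERR_SC_AUTH_NOT_SUPPORTED:` in sdap_pam_auth_handler_done reuses the generic `PAM_BAD_ITEM` status as a signal to the frontend, but nothing at this site says so. A comment such as `/* PAM_BAD_ITEM tells the frontend that this backend cannot handle Smartcard tokens */` would stop a later change from remapping it or returning `PAM_BAD_ITEM` for an unrelated reason. How the frontend reacts is not visible here. If it retries with a password prompt, deployments that require Smartcard login presumably need that requirement enforced on the frontend side, which is worth confirming. The switch begins outside this hunk.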
diff --git a/src/providers/proxy/proxy_auth.c b/src/providers/proxy/proxy_auth.c
index 2b3510c38..e53b38e66 100644
--- a/src/providers/proxy/proxy_auth.c
+++ b/src/providers/proxy/proxy_auth.c
@@ -737,6 +737,14 @@ proxy_pam_handler_send(TALLOC_CTX *mem_ctx,
state->auth_ctx = proxy_auth_ctx;
state->be_ctx = params->be_ctx;
+ /* Tell frontend that we do not support Smartcard authentication */
+ if (sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_SC_PIN
+ || sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_SC_KEYPAD) {
+ pd->pam_status = PAM_BAD_ITEM;
+ goto immediately;
+ }
+
+
switch (pd->cmd) {
case SSS_PAM_AUTHENTICATE:
case SSS_PAM_CHAUTHTOK:
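Review bot: The Smartcard guard in proxy_pam_handler_send sits before `switch (pd->cmd)`, so it short-circuits every PAM command that carries such a token, whereas the LDAP change in this commit applies only inside auth_send. If only authentication is meant to be refused, the check belongs under `case SSS_PAM_AUTHENTICATE:`. If the wider scope is intended, the comment should say so, for example `/* Applies to all PAM commands: the proxy backend cannot use Smartcard tokens */`. The hunk also adds two consecutive blank lines before the switch where one is enough. The `immediately` label and the rest of the switch are outside this hunk.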