author | Sumit Bose <sbose@redhat.com> | 2017-02-21 14:41:37 +0100 |
---|---|---|
committer | Lukas Slebodnik <lslebodn@redhat.com> | 2017-03-02 12:07:48 +0100 |
commit | 6dd271fdcf6ceb0afd77e703c98897672da3671a (patch) | |
tree | 762051e5e5274dd43ca68cba4a45161576e05268 /src/sss_client | |
parent | bd5e09bad2b0ac8a7ca78f45d90c8ebb903efaa3 (diff) | |
pam: use authtok from PAM stack if available
With this patch the behavior of pam_sss is slightly changed to be more
similar to the behavior of other PAM modules. Currently pam_sss expects
that there is an authtok (password) on the PAM stack if the
'use_first_pass' option was used. Without the option pam_sss
unconditionally prompts for credentials.
With this patch pam_sss will use an authtok from the PAM stack even if
'use_first_pass' is not set, but it will assume that it is a password. To
return to the previous behavior the new 'prompt_always' option can be used.
Resolves:
https://pagure.io/SSSD/sssd/issue/2984
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Diffstat (limited to 'src/sss_client')
-rw-r--r-- | src/sss_client/pam_sss.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index a3d7a8a23..db0dcb9de 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -54,6 +54,7 @@
 #define FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4)
 #define FLAGS_USE_2FA (1 << 5)
 #define FLAGS_ALLOW_MISSING_NAME (1 << 6)
+#define FLAGS_PROMPT_ALWAYS (1 << 7)
 #define PWEXP_FLAG "pam_sss:password_expired_flag"
 #define FD_DESTRUCTOR "pam_sss:fd_destructor"
@@ -1641,6 +1642,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
         *flags |= FLAGS_USE_2FA;
     } else if (strcmp(*argv, "allow_missing_name") == 0) {
         *flags |= FLAGS_ALLOW_MISSING_NAME;
+    } else if (strcmp(*argv, "prompt_always") == 0) {
+        *flags |= FLAGS_PROMPT_ALWAYS;
     } else {
         logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
     }
@@ -1655,7 +1658,10 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
 {
     int ret;
-    if (flags & FLAGS_USE_FIRST_PASS) {
+    if ((flags & FLAGS_USE_FIRST_PASS)
+        || ( pi->pamstack_authtok != NULL
+            && *(pi->pamstack_authtok) != '\0'
+            && !(flags & FLAGS_PROMPT_ALWAYS))) {
         pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
         pi->pam_authtok = strdup(pi->pamstack_authtok);
         if (pi->pam_authtok == NULL) {
@@ -1888,10 +1894,12 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
     /*
      * Only do preauth if
      * - FLAGS_USE_FIRST_PASS is not set
-     * - no password is on the stack
+     * - no password is on the stack or FLAGS_PROMPT_ALWAYS is set
      * - preauth indicator file exists.
      */
-    if ( !(flags & FLAGS_USE_FIRST_PASS) && pi.pam_authtok == NULL
+    if ( !(flags & FLAGS_USE_FIRST_PASS)
+        && (pi.pam_authtok == NULL
+            || (flags & FLAGS_PROMPT_ALWAYS))
         && access(PAM_PREAUTH_INDICATOR, F_OK) == 0) {
         pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH, quiet_mode);
|
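Review bot: In the get_authtok_for_authentication hunk the new second arm checks `pi->pamstack_authtok` for NULL and for an empty string, but the `FLAGS_USE_FIRST_PASS` arm still falls straight through to `strdup(pi->pamstack_authtok)` on the following context line with no such check; whether a NULL item can reach that call under use_first_pass depends on how pamstack_authtok is filled outside this hunk (the function begins before it), but the asymmetry is cheap to close by testing NULL/empty once in front of both arms and failing early when use_first_pass finds nothing on the stack. The condition also changes the default trust boundary: any non-empty PAM_AUTHTOK left by an earlier module is now consumed without a prompt and forced to `SSS_AUTHTOK_TYPE_PASSWORD`, so a stack that relies on pam_sss prompting for a second factor must now pass `prompt_always`; a comment such as `/* A non-empty authtok already on the stack is taken as a password unless prompt_always is set; 2FA stacks need prompt_always to get the prompt. */` above the `if` would record that for the next reader. The preauth condition in the later pam_sss() hunk keys on `pi.pam_authtok` rather than `pamstack_authtok`, so an empty-string stack item is treated as "nothing on the stack" here but it is not obvious from the hunk that the same holds there; worth confirming the two tests agree. Minor style: `( pi->pamstack_authtok` has a stray space after the parenthesis that the rest of the condition does not use.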