From 78027feeb56d6fe216f699be86a4716aaef3f628 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 26 May 2016 13:20:59 +0200
Subject: PAM/KRB5: optional otp and password prompting
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Depending on the available Kerberos pre-authentication methods pam_sss
will prompt the user for a password, 2 authentication factors or both.

Resolves https://fedorahosted.org/sssd/ticket/2988

Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
 src/sss_client/pam_message.h |  2 ++
 src/sss_client/pam_sss.c     | 14 ++++++++++++--
 src/sss_client/sss_cli.h     |  5 +++++
 3 files changed, 19 insertions(+), 2 deletions(-)

(limited to 'src/sss_client')

diff --git a/src/sss_client/pam_message.h b/src/sss_client/pam_message.h
index f0a7a076c..34889e074 100644
--- a/src/sss_client/pam_message.h
+++ b/src/sss_client/pam_message.h
@@ -25,6 +25,7 @@
 
 #include <unistd.h>
 #include <stdint.h>
+#include <stdbool.h>
 
 #include "sss_client/sss_cli.h"
 
@@ -56,6 +57,7 @@ struct pam_items {
     char *otp_token_id;
     char *otp_challenge;
     char *first_factor;
+    bool password_prompting;
 
     char *cert_user;
     char *token_name;
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 1ba02ad0e..fdb9c9076 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1014,6 +1014,10 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
                 D(("cert user: [%s] token name: [%s]", pi->cert_user,
                                                        pi->token_name));
                 break;
+            case SSS_PASSWORD_PROMPTING:
+                D(("Password prompting available."));
+                pi->password_prompting = true;
+                break;
             default:
                 D(("Unknown response type [%d]", type));
         }
@@ -1102,6 +1106,7 @@ static int get_pam_items(pam_handle_t *pamh, uint32_t flags,
     pi->otp_vendor = NULL;
     pi->otp_token_id = NULL;
     pi->otp_challenge = NULL;
+    pi->password_prompting = false;
 
     pi->cert_user = NULL;
     pi->token_name = NULL;
@@ -1571,8 +1576,13 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
         if (flags & FLAGS_USE_2FA
                 || (pi->otp_vendor != NULL && pi->otp_token_id != NULL
                         && pi->otp_challenge != NULL)) {
-            ret = prompt_2fa(pamh, pi, _("First Factor: "),
-                             _("Second Factor: "));
+            if (pi->password_prompting) {
+                ret = prompt_2fa(pamh, pi, _("First Factor: "),
+                                 _("Second Factor (optional): "));
+            } else {
+                ret = prompt_2fa(pamh, pi, _("First Factor: "),
+                                 _("Second Factor: "));
+            }
         } else if (pi->cert_user != NULL) {
             ret = prompt_sc_pin(pamh, pi);
         } else {
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index 17d8e4503..b6610bc6d 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -426,6 +426,11 @@ enum response_type {
     SSS_OTP,             /**< Indicates that the autotok was a OTP, so don't
                           * cache it. There is no message.
                           * @param None. */
+    SSS_PASSWORD_PROMPTING, /**< Indicates that password prompting is possible.
+                             * This might be used together with
+                             * SSS_PAM_OTP_INFO to determine the type of
+                             * prompting. There is no message.
+                             * @param None. */
 };
 
 /**
-- 
cgit