authorSumit Bose <sbose@redhat.com>2015-10-01 10:10:22 +0200
committerLukas Slebodnik <lslebodn@redhat.com>2015-10-02 12:09:55 +0200
commit2e76b32e74abedb23665808bacc73cafd1097c37 (patch)
treedba257dcd90885bb393c6f34cadc61197f0c0f9d /src/responder/pam
parente51143e3e67c70b86dd9a67cb7e802dd96f989e1 (diff)
PAM: only allow missing user name for certificate authentication
Resolves: https://fedorahosted.org/sssd/ticket/2811 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Diffstat (limited to 'src/responder/pam')
-rw-r--r--src/responder/pam/pamsrv_cmd.c12
1 files changed, 9 insertions, 3 deletions
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 27dddcf43..2823f8133 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -957,11 +957,13 @@ static errno_t pam_forwarder_parse_data(struct cli_ctx *cctx, struct pam_data *p
} else {
/* Only SSS_PAM_PREAUTH request may have a missing name, e.g. if the
* name is determined with the help of a certificate */
- if (pd->cmd == SSS_PAM_PREAUTH) {
+ if (pd->cmd == SSS_PAM_PREAUTH
+ && may_do_cert_auth(talloc_get_type(cctx->rctx->pvt_ctx,
+ struct pam_ctx), pd)) {
ret = EOK;
} else {
DEBUG(SSSDBG_CRIT_FAILURE, "Missing logon name in PAM request.\n");
- ret = EINVAL;
+ ret = ERR_NO_CREDS;
goto done;
}
}
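Review bot: The comment above the new condition is now stale: it still says any SSS_PAM_PREAUTH request may omit the name, but the code only accepts that when `may_do_cert_auth()` also agrees, so a reader of the comment would reintroduce the original bug. I would reword it to `/* A missing name is tolerated only for SSS_PAM_PREAUTH, and only when certificate authentication is possible for this request, because the name may then be derived from the certificate. */`. Separately, the result of `talloc_get_type(cctx->rctx->pvt_ctx, struct pam_ctx)` is passed straight through; `talloc_get_type` yields NULL on a type-name mismatch, so unless `may_do_cert_auth()` (defined outside this hunk) checks its first argument, a wrong `pvt_ctx` would dereference NULL here rather than fail cleanly. Given that a nameless PREAUTH without certificate support is now reported to the client as PAM_CRED_INSUFFICIENT instead of a system error, logging it at SSSDBG_CRIT_FAILURE also looks louder than the condition warrants; SSSDBG_OP_FAILURE or lower seems more appropriate. pam_forwarder_parse_data starts before and continues after this hunk.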
@@ -1104,7 +1106,6 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
}
goto done;
} else if (ret != EOK) {
- ret = EINVAL;
goto done;
}
@@ -1610,6 +1611,11 @@ static int pam_check_user_done(struct pam_auth_req *preq, int ret)
pam_reply(preq);
break;
+ case ERR_NO_CREDS:
+ preq->pd->pam_status = PAM_CRED_INSUFFICIENT;
+ pam_reply(preq);
+ break;
+
default:
preq->pd->pam_status = PAM_SYSTEM_ERR;
pam_reply(preq);