author | Sumit Bose <sbose@redhat.com> | 2015-10-01 10:10:22 +0200 |
committer | Lukas Slebodnik <lslebodn@redhat.com> | 2015-10-02 12:09:55 +0200 |
commit | 2e76b32e74abedb23665808bacc73cafd1097c37 (patch) | |
tree | dba257dcd90885bb393c6f34cadc61197f0c0f9d /src/responder/pam | |
parent | e51143e3e67c70b86dd9a67cb7e802dd96f989e1 (diff) | |
PAM: only allow missing user name for certificate authentication
Resolves:
https://fedorahosted.org/sssd/ticket/2811
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Diffstat (limited to 'src/responder/pam')
-rw-r--r-- | src/responder/pam/pamsrv_cmd.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 27dddcf43..2823f8133 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -957,11 +957,13 @@ static errno_t pam_forwarder_parse_data(struct cli_ctx *cctx, struct pam_data *p
     } else {
         /* Only SSS_PAM_PREAUTH request may have a missing name, e.g. if the
          * name is determined with the help of a certificate */
-        if (pd->cmd == SSS_PAM_PREAUTH) {
+        if (pd->cmd == SSS_PAM_PREAUTH
+            && may_do_cert_auth(talloc_get_type(cctx->rctx->pvt_ctx,
+                                                struct pam_ctx), pd)) {
             ret = EOK;
         } else {
             DEBUG(SSSDBG_CRIT_FAILURE, "Missing logon name in PAM request.\n");
-            ret = EINVAL;
+            ret = ERR_NO_CREDS;
             goto done;
         }
     }
@@ -1104,7 +1106,6 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
         }
         goto done;
     } else if (ret != EOK) {
-        ret = EINVAL;
         goto done;
     }
 
@@ -1610,6 +1611,11 @@ static int pam_check_user_done(struct pam_auth_req *preq, int ret)
         pam_reply(preq);
         break;
 
+    case ERR_NO_CREDS:
+        preq->pd->pam_status = PAM_CRED_INSUFFICIENT;
+        pam_reply(preq);
+        break;
+
     default:
         preq->pd->pam_status = PAM_SYSTEM_ERR;
         pam_reply(preq);
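Review bot: The new condition in pam_forwarder_parse_data feeds the result of `talloc_get_type(cctx->rctx->pvt_ctx, struct pam_ctx)` directly into may_do_cert_auth(), and talloc_get_type() yields NULL when the stored type name does not match, so may_do_cert_auth() must tolerate a NULL context or the name-less preauth path becomes a NULL dereference; its body is not in this hunk, so that needs confirming. Making the check explicit reads as `struct pam_ctx *pctx = talloc_get_type(cctx->rctx->pvt_ctx, struct pam_ctx);` followed by `if (pd->cmd == SSS_PAM_PREAUTH && pctx != NULL && may_do_cert_auth(pctx, pd)) {`. The second hunk also drops the `ret = EINVAL;` normalisation in pam_forwarder, so every other error code returned by pam_forwarder_parse_data now reaches the `done:` label unchanged; the code after that label is outside this view, so it is worth verifying that those codes still end up as a generic PAM error rather than as the client-visible PAM_CRED_INSUFFICIENT introduced in the third hunk. The enclosing functions of all three hunks start and end outside the hunks.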