summaryrefslogtreecommitdiffstats
path: root/src/sss_client/pam_sss.c
diff options
context:
space:
mode:
authorSumit Bose <sbose@redhat.com>2010-02-22 09:10:32 +0100
committerStephen Gallagher <sgallagh@redhat.com>2010-02-23 16:16:24 -0500
commit7343ee3d775303845e2528c676c59ef3582d6b27 (patch)
tree430a3aff0b029462db53a40272811b3733bbe7b7 /src/sss_client/pam_sss.c
parent94cafd6f5b63aac3ad084d14fa3be24213374021 (diff)
downloadsssd-7343ee3d775303845e2528c676c59ef3582d6b27.tar.gz
sssd-7343ee3d775303845e2528c676c59ef3582d6b27.tar.xz
sssd-7343ee3d775303845e2528c676c59ef3582d6b27.zip
Handle expired passwords like other PAM modules
So far we handled expired password during authentication. Other PAM modules typically detect expired password during account management and return PAM_NEW_AUTHTOK_REQD if the password is expired and should be changed. The PAM library then calls the change password routines. To meet these standards pam_sss is change accordingly. As a result it is now possible to update an expired password via ssh if sssd is running with PasswordAuthentication=yes. One drawback due to limitations of PAM is that the user now has to type his current password again before setting a new one.
Diffstat (limited to 'src/sss_client/pam_sss.c')
-rw-r--r--src/sss_client/pam_sss.c49
1 files changed, 31 insertions, 18 deletions
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index a13563d36..010ca4ef6 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -46,6 +46,8 @@
#define FLAGS_FORWARD_PASS (1 << 1)
#define FLAGS_USE_AUTHTOK (1 << 2)
+#define PWEXP_FLAG "pam_sss:password_expired_flag"
+
struct pam_items {
const char* pam_service;
const char* pam_user;
@@ -101,6 +103,11 @@ static void logger(pam_handle_t *pamh, int level, const char *fmt, ...) {
va_end(ap);
}
+static void free_exp_data(pam_handle_t *pamh, void *ptr, int err)
+{
+ free(ptr);
+ ptr = NULL;
+}
static size_t add_authtok_item(enum pam_item_type type,
enum sss_authtok_type authtok_type,
@@ -847,13 +854,13 @@ done:
return pam_status;
}
-static int prompt_password(pam_handle_t *pamh, struct pam_items *pi)
+static int prompt_password(pam_handle_t *pamh, struct pam_items *pi,
+ const char *prompt)
{
int ret;
char *answer = NULL;
- ret = do_pam_conversation(pamh, PAM_PROMPT_ECHO_OFF, _("Password: "),
- NULL, &answer);
+ ret = do_pam_conversation(pamh, PAM_PROMPT_ECHO_OFF, prompt, NULL, &answer);
if (ret != PAM_SUCCESS) {
D(("do_pam_conversation failed."));
return ret;
@@ -943,7 +950,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
}
pi->pam_authtok_size = strlen(pi->pam_authtok);
} else {
- ret = prompt_password(pamh, pi);
+ ret = prompt_password(pamh, pi, _("Password: "));
if (ret != PAM_SUCCESS) {
D(("failed to get password from user"));
return ret;
@@ -973,7 +980,7 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
* pam_sss work e.g. with pam_cracklib */
if (pam_flags & PAM_PRELIM_CHECK) {
if (getuid() != 0 && !(flags & FLAGS_USE_FIRST_PASS)) {
- ret = prompt_password(pamh, pi);
+ ret = prompt_password(pamh, pi, _("Current Password: "));
if (ret != PAM_SUCCESS) {
D(("failed to get password from user"));
return ret;
@@ -1040,6 +1047,7 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
int ret;
struct pam_items pi;
uint32_t flags = 0;
+ int *exp_data;
bindtextdomain(PACKAGE, LOCALEDIR);
@@ -1053,7 +1061,6 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
return ret;
}
-
switch(task) {
case SSS_PAM_AUTHENTICATE:
ret = get_authtok_for_authentication(pamh, &pi, flags);
@@ -1086,24 +1093,30 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
ret = send_and_receive(pamh, &pi, task);
- if (ret == PAM_AUTHTOK_EXPIRED && task == SSS_PAM_AUTHENTICATE) {
+/* We allow sssd to send the return code PAM_NEW_AUTHTOK_REQD during
+ * authentication, see sss_cli.h for details */
+ if (ret == PAM_NEW_AUTHTOK_REQD && task == SSS_PAM_AUTHENTICATE) {
D(("Authtoken expired, trying to change it"));
- ret = do_pam_conversation(pamh, PAM_ERROR_MSG,
- _("Password has expired."), NULL, NULL);
- if (ret != PAM_SUCCESS) {
- D(("do_pam_conversation failed."));
- return PAM_SYSTEM_ERR;
- }
- pi.pamstack_oldauthtok = pi.pam_authtok;
- ret = get_authtok_for_password_change(pamh, &pi, flags, pam_flags);
+ exp_data = malloc(sizeof(int));
+ if (exp_data == NULL) {
+ D(("malloc failed."));
+ return PAM_BUF_ERR;
+ }
+ *exp_data = 1;
+ ret = pam_set_data(pamh, PWEXP_FLAG, exp_data, free_exp_data);
if (ret != PAM_SUCCESS) {
- D(("failed to get tokens for password change: %s",
- pam_strerror(pamh, ret)));
+ D(("pam_set_data failed."));
return ret;
}
- ret = send_and_receive(pamh, &pi, SSS_PAM_CHAUTHTOK);
+ return PAM_SUCCESS;
+ }
+
+ if (ret == PAM_SUCCESS && task == SSS_PAM_ACCT_MGMT &&
+ pam_get_data(pamh, PWEXP_FLAG, (const void **) &exp_data) ==
+ PAM_SUCCESS) {
+ return PAM_NEW_AUTHTOK_REQD;
}
overwrite_and_free_authtoks(&pi);