From 6ced3a031b2c8d59fbd1572e3c8b068f24a6dae5 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Thu, 26 May 2016 13:20:59 +0200 Subject: WIP auth ind prompting --- src/providers/krb5/krb5_child.c | 58 ++++++++++++++++++++++++++++++++++++++--- 1 file changed, 55 insertions(+), 3 deletions(-) (limited to 'src/providers/krb5/krb5_child.c') diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index fff6a0a0c..123907237 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -54,6 +54,7 @@ struct krb5_req { char* name; krb5_creds *creds; bool otp; + bool password_prompting; char *otp_vendor; char *otp_token_id; char *otp_challenge; @@ -586,11 +587,49 @@ static krb5_error_code sss_krb5_responder(krb5_context ctx, krb5_responder_context rctx) { struct krb5_req *kr = talloc_get_type(data, struct krb5_req); + const char * const *question_list; + size_t c; + const char *pwd; + int ret; + krb5_error_code kerr; if (kr == NULL) { return EINVAL; } + question_list = krb5_responder_list_questions(ctx, rctx); + + if (question_list != NULL) { + for (c = 0; question_list[c] != NULL; c++) { + DEBUG(SSSDBG_TRACE_ALL, "Got question [%s].\n", question_list[c]); + + if (strcmp(question_list[c], + KRB5_RESPONDER_QUESTION_PASSWORD) == 0) { + kr->password_prompting = true; + } + + if (kr->pd->cmd == SSS_PAM_AUTHENTICATE + && sss_authtok_get_type(kr->pd->authtok) + == SSS_AUTHTOK_TYPE_PASSWORD) { + ret = sss_authtok_get_password(kr->pd->authtok, &pwd, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sss_authtok_get_password failed.\n"); + return ret; + } + + kerr = krb5_responder_set_answer(ctx, rctx, + KRB5_RESPONDER_QUESTION_PASSWORD, + pwd); + if (kerr != 0) { + DEBUG(SSSDBG_OP_FAILURE, "krb5_responder_set_answer failed.\n"); + } + + return kerr; + } + } + } + return answer_otp(ctx, kr, rctx); } #endif @@ -602,6 +641,11 @@ static krb5_error_code sss_krb5_prompter(krb5_context context, void *data, int ret; struct krb5_req *kr = talloc_get_type(data, struct krb5_req); + DEBUG(SSSDBG_TRACE_ALL, + "sss_krb5_prompter name [%s] banner [%s] num_prompts [%d] EINVAL.\n", + name, banner, num_prompts); + return EINVAL; + if (num_prompts != 0) { DEBUG(SSSDBG_CRIT_FAILURE, "Cannot handle password prompts.\n"); return KRB5_LIBOS_CANTREADPWD; @@ -1217,7 +1261,7 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr, DEBUG(SSSDBG_TRACE_FUNC, "Attempting kinit for realm [%s]\n",realm_name); kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ, - discard_const(password), + NULL, sss_krb5_prompter, kr, 0, NULL, kr->options); if (kr->pd->cmd == SSS_PAM_PREAUTH) { @@ -1396,7 +1440,7 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim) DEBUG(SSSDBG_TRACE_FUNC, "Attempting kinit for realm [%s]\n",realm_name); kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ, - discard_const(password), + NULL, prompter, kr, 0, SSSD_KRB5_CHANGEPW_PRINCIPAL, kr->options); @@ -1564,6 +1608,14 @@ static errno_t tgt_req_child(struct krb5_req *kr) if (kr->otp) { kerr = k5c_attach_otp_info_msg(kr); } + + if (kr->password_prompting) { + ret = pam_add_response(kr->pd, SSS_PASSWORD_PROMPTING, 0, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n"); + goto done; + } + } } else { if (kerr == 0) { kerr = k5c_attach_ccname_msg(kr); @@ -1589,7 +1641,7 @@ static errno_t tgt_req_child(struct krb5_req *kr) set_changepw_options(kr->options); kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ, - discard_const(password), + NULL, sss_krb5_prompter, kr, 0, SSSD_KRB5_CHANGEPW_PRINCIPAL, kr->options); -- cgit