From 2e76b32e74abedb23665808bacc73cafd1097c37 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Thu, 1 Oct 2015 10:10:22 +0200
Subject: PAM: only allow missing user name for certificate authentication
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves: https://fedorahosted.org/sssd/ticket/2811
Reviewed-by: Lukáš Slebodník
---
 src/responder/pam/pamsrv_cmd.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
(limited to 'src/responder/pam')
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 27dddcf43..2823f8133 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -957,11 +957,13 @@ static errno_t pam_forwarder_parse_data(struct cli_ctx *cctx, struct pam_data *p
 } else {
 /* Only SSS_PAM_PREAUTH request may have a missing name, e.g. if the
 * name is determined with the help of a certificate */
- if (pd->cmd == SSS_PAM_PREAUTH) {
+ if (pd->cmd == SSS_PAM_PREAUTH
+ && may_do_cert_auth(talloc_get_type(cctx->rctx->pvt_ctx,
+ struct pam_ctx), pd)) {
 ret = EOK;
 } else {
 DEBUG(SSSDBG_CRIT_FAILURE, "Missing logon name in PAM request.\n");
- ret = EINVAL;
+ ret = ERR_NO_CREDS;
 goto done;
 }
 }
@@ -1104,7 +1106,6 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
 }
 goto done;
 } else if (ret != EOK) {
- ret = EINVAL;
 goto done;
 }
@@ -1610,6 +1611,11 @@ static int pam_check_user_done(struct pam_auth_req *preq, int ret)
 pam_reply(preq);
 break;
+ case ERR_NO_CREDS:
+ preq->pd->pam_status = PAM_CRED_INSUFFICIENT;
+ pam_reply(preq);
+ break;
+
 default:
 preq->pd->pam_status = PAM_SYSTEM_ERR;
 pam_reply(preq);
-- 
cgit
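Review bot: The pointer produced by talloc_get_type() in the new condition of pam_forwarder_parse_data is passed straight to may_do_cert_auth() without a NULL check; talloc_get_type() yields NULL when the type name does not match, so if may_do_cert_auth() dereferences its first argument, a mis-typed pvt_ctx would crash the responder on a request that carries no user name, i.e. one that arrives before any authentication has happened. Fetching the context into a local first and treating NULL as "certificate authentication not possible" keeps that failure on the existing ERR_NO_CREDS path: `struct pam_ctx *pctx = talloc_get_type(cctx->rctx->pvt_ctx, struct pam_ctx);` followed by `if (pd->cmd == SSS_PAM_PREAUTH && pctx != NULL && may_do_cert_auth(pctx, pd)) {`. The comment above the condition still says only that a PREAUTH request may lack a name; extend it to `/* Only SSS_PAM_PREAUTH requests may have a missing name, and only when certificate authentication is possible, because then the name is determined from the certificate */`. Whether may_do_cert_auth() already tolerates NULL is not visible here, and the body of pam_forwarder_parse_data continues outside the hunk.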
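Review bot: The new ERR_NO_CREDS case in pam_check_user_done maps a missing logon name to PAM_CRED_INSUFFICIENT without saying why, while the matching condition in pam_forwarder_parse_data is logged at SSSDBG_CRIT_FAILURE; a one-line comment would tie the two together for the next reader: `/* No logon name and certificate authentication not possible: ask the client for credentials instead of reporting a system error */`. Since this switch serves every caller of pam_check_user_done, it is worth confirming that any other path that can deliver ERR_NO_CREDS here also wants PAM_CRED_INSUFFICIENT rather than the previous default of PAM_SYSTEM_ERR. pam_check_user_done starts before the hunk.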