sssd/0047-pam_sss-add-try_cert_auth-option.patch

From d3a18f06162b9585d2db936472b75fdbff37162d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 17 Sep 2018 17:54:26 +0200
Subject: [PATCH 62/83] pam_sss: add try_cert_auth option

With this new option pam_sss can be configured to only do Smartcard
authentication or return an error if this is not possible.

Related to https://pagure.io/SSSD/sssd/issue/3650

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
 src/man/pam_sss.8.xml    | 23 +++++++++++++++++++++++
 src/sss_client/pam_sss.c |  9 +++++++++
 src/sss_client/sss_cli.h |  1 +
 3 files changed, 33 insertions(+)

diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml
index d8e6a20..ca2e8e2 100644
--- a/src/man/pam_sss.8.xml
+++ b/src/man/pam_sss.8.xml
@@ -50,6 +50,9 @@
             <arg choice='opt'>
                 <replaceable>prompt_always</replaceable>
             </arg>
+            <arg choice='opt'>
+                <replaceable>try_cert_auth</replaceable>
+            </arg>
         </cmdsynopsis>
     </refsynopsisdiv>
 
@@ -200,6 +203,26 @@ auth sufficient pam_sss.so allow_missing_name
                     </para>
                 </listitem>
             </varlistentry>
+            <varlistentry>
+                <term>
+                    <option>try_cert_auth</option>
+                </term>
+                <listitem>
+                    <para>
+                        Try to use certificate based authentication, i.e.
+                        authentication with a Smartcard or similar devices. If a
+                        Smartcard is available and the service is allowed for
+                        Smartcard authentication the use will be prompted for a
+                        PIN and the certificate based authentication will
+                        continue
+                    </para>
+                    <para>
+                        If no Smartcard is available or certificate based
+                        authentication is not allowed for the current service
+                        PAM_AUTHINFO_UNAVAIL is returned.
+                    </para>
+                </listitem>
+            </varlistentry>
         </variablelist>
     </refsect1>
 
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index b336d1f..96ff15a 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1997,6 +1997,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
             *flags |= PAM_CLI_FLAGS_ALLOW_MISSING_NAME;
         } else if (strcmp(*argv, "prompt_always") == 0) {
             *flags |= PAM_CLI_FLAGS_PROMPT_ALWAYS;
+        } else if (strcmp(*argv, "try_cert_auth") == 0) {
+            *flags |= PAM_CLI_FLAGS_TRY_CERT_AUTH;
         } else {
             logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
         }
@@ -2405,6 +2407,13 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
                     }
                 }
 
+                if (flags & PAM_CLI_FLAGS_TRY_CERT_AUTH
+                        && pi.cert_list == NULL) {
+                    D(("No certificates for authentication available."));
+                    overwrite_and_free_pam_items(&pi);
+                    return PAM_AUTHINFO_UNAVAIL;
+                }
+
                 if (strcmp(pi.pam_service, "gdm-smartcard") == 0) {
                     ret = check_login_token_name(pamh, &pi, quiet_mode);
                     if (ret != PAM_SUCCESS) {
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index 3404715..38e3f99 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -373,6 +373,7 @@ enum pam_item_type {
 #define PAM_CLI_FLAGS_USE_2FA (1 << 5)
 #define PAM_CLI_FLAGS_ALLOW_MISSING_NAME (1 << 6)
 #define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7)
+#define PAM_CLI_FLAGS_TRY_CERT_AUTH (1 << 8)
 
 #define SSS_NSS_MAX_ENTRIES 256
 #define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4)
-- 
2.9.5
Backport a bunch of upstream fixes - Resolves: upstream#3821 - crash related to sbus_router_destructor() - Resolves: upstream#3810 - sbus2: fix memory leak in sbus_message_bound_ref - Resolves: upstream#3819 - sssd only sets the SELinux login context if it differs from the default - Resolves: upstream#3807 - The sbus codegen script relies on "python" which might not be available on all distributions - Resolves: upstream#3820 - sudo: search with lower cased name for case insensitive domains - Resolves: upstream#3701 - [RFE] Allow changing default behavior of SSSD from an allow-any default to a deny-any default when it can't find any GPOs to apply to a user login. - Resolves: upstream#3828 - Invalid domain provider causes SSSD to abort startup - Resolves: upstream#3500 - Make sure sssd is a replacement for pam_pkcs11 also for local account authentication - Resolves: upstream#3812 - sssd 2.0.0 segfaults on startup - Resolves: upstream#3826 - Remove references of sss_user/group/add/del commands in man pages since local provider is deprecated - Resolves: upstream#3827 - SSSD should log to syslog if a domain is not started due to a misconfiguration - Resolves: upstream#3830 - Printing incorrect information about domain with sssctl utility - Resolves: upstream#3489 - p11_child should work wit openssl1.0+ - Resolves: upstream#3750 - [RFE] man 5 sssd-files should mention necessary changes in nsswitch.conf - Resovles: upstream#3650 - RFE: Require smartcard authentication - Resolves: upstream#3334 - sssctl config-check does not check any special characters in domain name of domain section - Resolves: upstream#3849 - Files: The files provider always enumerates which causes duplicate when running getent passwd - Related: upstream#3855 - session not recording for local user when groups defined - Resolves: upstream#3802 - Reuse sysdb_error_to_errno() outside sysdb - Related: upstream#3493 - Remove the pysss.local interface 2018-10-24 08:34:15 +00:00			`From d3a18f06162b9585d2db936472b75fdbff37162d Mon Sep 17 00:00:00 2001`
			`From: Sumit Bose <sbose@redhat.com>`
			`Date: Mon, 17 Sep 2018 17:54:26 +0200`
			`Subject: [PATCH 62/83] pam_sss: add try_cert_auth option`

			`With this new option pam_sss can be configured to only do Smartcard`
			`authentication or return an error if this is not possible.`

			`Related to https://pagure.io/SSSD/sssd/issue/3650`

			`Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>`
			`---`
			`src/man/pam_sss.8.xml \| 23 +++++++++++++++++++++++`
			`src/sss_client/pam_sss.c \| 9 +++++++++`
			`src/sss_client/sss_cli.h \| 1 +`
			`3 files changed, 33 insertions(+)`

			`diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml`
			`index d8e6a20..ca2e8e2 100644`
			`--- a/src/man/pam_sss.8.xml`
			`+++ b/src/man/pam_sss.8.xml`
			`@@ -50,6 +50,9 @@`
			`<arg choice='opt'>`
			`<replaceable>prompt_always</replaceable>`
			`</arg>`
			`+ <arg choice='opt'>`
			`+ <replaceable>try_cert_auth</replaceable>`
			`+ </arg>`
			`</cmdsynopsis>`
			`</refsynopsisdiv>`

			`@@ -200,6 +203,26 @@ auth sufficient pam_sss.so allow_missing_name`
			`</para>`
			`</listitem>`
			`</varlistentry>`
			`+ <varlistentry>`
			`+ <term>`
			`+ <option>try_cert_auth</option>`
			`+ </term>`
			`+ <listitem>`
			`+ <para>`
			`+ Try to use certificate based authentication, i.e.`
			`+ authentication with a Smartcard or similar devices. If a`
			`+ Smartcard is available and the service is allowed for`
			`+ Smartcard authentication the use will be prompted for a`
			`+ PIN and the certificate based authentication will`
			`+ continue`
			`+ </para>`
			`+ <para>`
			`+ If no Smartcard is available or certificate based`
			`+ authentication is not allowed for the current service`
			`+ PAM_AUTHINFO_UNAVAIL is returned.`
			`+ </para>`
			`+ </listitem>`
			`+ </varlistentry>`
			`</variablelist>`
			`</refsect1>`

			`diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c`
			`index b336d1f..96ff15a 100644`
			`--- a/src/sss_client/pam_sss.c`
			`+++ b/src/sss_client/pam_sss.c`
			`@@ -1997,6 +1997,8 @@ static void eval_argv(pam_handle_t pamh, int argc, const char *argv,`
			`*flags \|= PAM_CLI_FLAGS_ALLOW_MISSING_NAME;`
			`} else if (strcmp(*argv, "prompt_always") == 0) {`
			`*flags \|= PAM_CLI_FLAGS_PROMPT_ALWAYS;`
			`+ } else if (strcmp(*argv, "try_cert_auth") == 0) {`
			`+ *flags \|= PAM_CLI_FLAGS_TRY_CERT_AUTH;`
			`} else {`
			`logger(pamh, LOG_WARNING, "unknown option: %s", *argv);`
			`}`
			`@@ -2405,6 +2407,13 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,`
			`}`
			`}`

			`+ if (flags & PAM_CLI_FLAGS_TRY_CERT_AUTH`
			`+ && pi.cert_list == NULL) {`
			`+ D(("No certificates for authentication available."));`
			`+ overwrite_and_free_pam_items(&pi);`
			`+ return PAM_AUTHINFO_UNAVAIL;`
			`+ }`
			`+`
			`if (strcmp(pi.pam_service, "gdm-smartcard") == 0) {`
			`ret = check_login_token_name(pamh, &pi, quiet_mode);`
			`if (ret != PAM_SUCCESS) {`
			`diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h`
			`index 3404715..38e3f99 100644`
			`--- a/src/sss_client/sss_cli.h`
			`+++ b/src/sss_client/sss_cli.h`
			`@@ -373,6 +373,7 @@ enum pam_item_type {`
			`#define PAM_CLI_FLAGS_USE_2FA (1 << 5)`
			`#define PAM_CLI_FLAGS_ALLOW_MISSING_NAME (1 << 6)`
			`#define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7)`
			`+#define PAM_CLI_FLAGS_TRY_CERT_AUTH (1 << 8)`

			`#define SSS_NSS_MAX_ENTRIES 256`
			`#define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4)`
			`--`
			`2.9.5`