sssd/0045-PAM-add-p11_wait_for_card_timeout-option.patch

From 2e4ecf5a866b212bef44e262fd90c67a88dc616a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 18 Sep 2018 18:15:02 +0200
Subject: [PATCH 60/83] PAM: add p11_wait_for_card_timeout option

If the --wait_for_card is used to call p11_child the PAM responder
should be prepared to wait longer until p11_child can return
successfully.

Related to https://pagure.io/SSSD/sssd/issue/3650

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
 src/confdb/confdb.h                  |  1 +
 src/config/SSSDConfig/__init__.py.in |  1 +
 src/config/cfg_rules.ini             |  1 +
 src/config/etc/sssd.api.conf         |  1 +
 src/man/sssd.conf.5.xml              | 14 ++++++++++++++
 src/responder/pam/pamsrv_cmd.c       | 15 +++++++++++++++
 src/util/util.h                      |  1 +
 7 files changed, 34 insertions(+)

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 625d156..87904c2 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -130,6 +130,7 @@
 #define CONFDB_PAM_CERT_AUTH "pam_cert_auth"
 #define CONFDB_PAM_CERT_DB_PATH "pam_cert_db_path"
 #define CONFDB_PAM_P11_CHILD_TIMEOUT "p11_child_timeout"
+#define CONFDB_PAM_WAIT_FOR_CARD_TIMEOUT "p11_wait_for_card_timeout"
 #define CONFDB_PAM_APP_SERVICES "pam_app_services"
 #define CONFDB_PAM_P11_ALLOWED_SERVICES "pam_p11_allowed_services"
 
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 81a03ad..4d1dba2 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -104,6 +104,7 @@ option_strings = {
     'p11_child_timeout' : _('How many seconds will pam_sss wait for p11_child to finish'),
     'pam_app_services' : _('Which PAM services are permitted to contact application domains'),
     'pam_p11_allowed_services' : _('Allowed services for using smartcards'),
+    'p11_wait_for_card_timeout' : _('Additional timeout to wait for a card if requested'),
 
     # [sudo]
     'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 78f215e..50a8f1d 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -127,6 +127,7 @@ option = pam_cert_db_path
 option = p11_child_timeout
 option = pam_app_services
 option = pam_p11_allowed_services
+option = p11_wait_for_card_timeout
 
 [rule/allowed_sudo_options]
 validator = ini_allowed_options
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 52494c0..bb686c3 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -76,6 +76,7 @@ pam_cert_db_path = str, None, false
 p11_child_timeout = int, None, false
 pam_app_services = str, None, false
 pam_p11_allowed_services = str, None, false
+p11_wait_for_card_timeout = int, None, false
 
 [sudo]
 # sudo service
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index c1e3895..4df0163 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1464,6 +1464,20 @@ pam_p11_allowed_services = +my_pam_service, -login
                         </para>
                     </listitem>
                 </varlistentry>
+                <varlistentry>
+                    <term>p11_wait_for_card_timeout (integer)</term>
+                    <listitem>
+                        <para>
+                            If Smartcard authentication is required how many
+                            extra seconds in addition to p11_child_timeout
+                            should the PAM responder wait until a Smartcard is
+                            inserted.
+                        </para>
+                        <para>
+                            Default: 60
+                        </para>
+                    </listitem>
+                </varlistentry>
             </variablelist>
         </refsect2>
 
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 817f3c5..c8df32d 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1297,6 +1297,7 @@ static errno_t check_cert(TALLOC_CTX *mctx,
                           struct pam_data *pd)
 {
     int p11_child_timeout;
+    int wait_for_card_timeout;
     char *cert_verification_opts;
     errno_t ret;
     struct tevent_req *req;
@@ -1311,6 +1312,20 @@ static errno_t check_cert(TALLOC_CTX *mctx,
               ret, sss_strerror(ret));
         return ret;
     }
+    if ((pd->cli_flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) && pd->priv == 1) {
+        ret = confdb_get_int(pctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY,
+                             CONFDB_PAM_WAIT_FOR_CARD_TIMEOUT,
+                             P11_WAIT_FOR_CARD_TIMEOUT_DEFAULT,
+                             &wait_for_card_timeout);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_CRIT_FAILURE,
+                  "Failed to read wait_for_card_timeout from confdb: [%d]: %s\n",
+                  ret, sss_strerror(ret));
+            return ret;
+        }
+
+        p11_child_timeout += wait_for_card_timeout;
+    }
 
     ret = confdb_get_string(pctx->rctx->cdb, mctx, CONFDB_MONITOR_CONF_ENTRY,
                             CONFDB_MONITOR_CERT_VERIFICATION, NULL,
diff --git a/src/util/util.h b/src/util/util.h
index 59e7a96..e3e9100 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -724,6 +724,7 @@ errno_t create_preauth_indicator(void);
 #define P11_CHILD_LOG_FILE "p11_child"
 #define P11_CHILD_PATH SSSD_LIBEXEC_PATH"/p11_child"
 #define P11_CHILD_TIMEOUT_DEFAULT 10
+#define P11_WAIT_FOR_CARD_TIMEOUT_DEFAULT 60
 #endif  /* SSSD_LIBEXEC_PATH */
 
 #endif /* __SSSD_UTIL_H__ */
-- 
2.9.5
Backport a bunch of upstream fixes - Resolves: upstream#3821 - crash related to sbus_router_destructor() - Resolves: upstream#3810 - sbus2: fix memory leak in sbus_message_bound_ref - Resolves: upstream#3819 - sssd only sets the SELinux login context if it differs from the default - Resolves: upstream#3807 - The sbus codegen script relies on "python" which might not be available on all distributions - Resolves: upstream#3820 - sudo: search with lower cased name for case insensitive domains - Resolves: upstream#3701 - [RFE] Allow changing default behavior of SSSD from an allow-any default to a deny-any default when it can't find any GPOs to apply to a user login. - Resolves: upstream#3828 - Invalid domain provider causes SSSD to abort startup - Resolves: upstream#3500 - Make sure sssd is a replacement for pam_pkcs11 also for local account authentication - Resolves: upstream#3812 - sssd 2.0.0 segfaults on startup - Resolves: upstream#3826 - Remove references of sss_user/group/add/del commands in man pages since local provider is deprecated - Resolves: upstream#3827 - SSSD should log to syslog if a domain is not started due to a misconfiguration - Resolves: upstream#3830 - Printing incorrect information about domain with sssctl utility - Resolves: upstream#3489 - p11_child should work wit openssl1.0+ - Resolves: upstream#3750 - [RFE] man 5 sssd-files should mention necessary changes in nsswitch.conf - Resovles: upstream#3650 - RFE: Require smartcard authentication - Resolves: upstream#3334 - sssctl config-check does not check any special characters in domain name of domain section - Resolves: upstream#3849 - Files: The files provider always enumerates which causes duplicate when running getent passwd - Related: upstream#3855 - session not recording for local user when groups defined - Resolves: upstream#3802 - Reuse sysdb_error_to_errno() outside sysdb - Related: upstream#3493 - Remove the pysss.local interface 2018-10-24 08:34:15 +00:00			`From 2e4ecf5a866b212bef44e262fd90c67a88dc616a Mon Sep 17 00:00:00 2001`
			`From: Sumit Bose <sbose@redhat.com>`
			`Date: Tue, 18 Sep 2018 18:15:02 +0200`
			`Subject: [PATCH 60/83] PAM: add p11_wait_for_card_timeout option`

			`If the --wait_for_card is used to call p11_child the PAM responder`
			`should be prepared to wait longer until p11_child can return`
			`successfully.`

			`Related to https://pagure.io/SSSD/sssd/issue/3650`

			`Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>`
			`---`
			`src/confdb/confdb.h \| 1 +`
			`src/config/SSSDConfig/__init__.py.in \| 1 +`
			`src/config/cfg_rules.ini \| 1 +`
			`src/config/etc/sssd.api.conf \| 1 +`
			`src/man/sssd.conf.5.xml \| 14 ++++++++++++++`
			`src/responder/pam/pamsrv_cmd.c \| 15 +++++++++++++++`
			`src/util/util.h \| 1 +`
			`7 files changed, 34 insertions(+)`

			`diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h`
			`index 625d156..87904c2 100644`
			`--- a/src/confdb/confdb.h`
			`+++ b/src/confdb/confdb.h`
			`@@ -130,6 +130,7 @@`
			`#define CONFDB_PAM_CERT_AUTH "pam_cert_auth"`
			`#define CONFDB_PAM_CERT_DB_PATH "pam_cert_db_path"`
			`#define CONFDB_PAM_P11_CHILD_TIMEOUT "p11_child_timeout"`
			`+#define CONFDB_PAM_WAIT_FOR_CARD_TIMEOUT "p11_wait_for_card_timeout"`
			`#define CONFDB_PAM_APP_SERVICES "pam_app_services"`
			`#define CONFDB_PAM_P11_ALLOWED_SERVICES "pam_p11_allowed_services"`

			`diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in`
			`index 81a03ad..4d1dba2 100644`
			`--- a/src/config/SSSDConfig/__init__.py.in`
			`+++ b/src/config/SSSDConfig/__init__.py.in`
			`@@ -104,6 +104,7 @@ option_strings = {`
			`'p11_child_timeout' : _('How many seconds will pam_sss wait for p11_child to finish'),`
			`'pam_app_services' : _('Which PAM services are permitted to contact application domains'),`
			`'pam_p11_allowed_services' : _('Allowed services for using smartcards'),`
			`+ 'p11_wait_for_card_timeout' : _('Additional timeout to wait for a card if requested'),`

			`# [sudo]`
			`'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),`
			`diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini`
			`index 78f215e..50a8f1d 100644`
			`--- a/src/config/cfg_rules.ini`
			`+++ b/src/config/cfg_rules.ini`
			`@@ -127,6 +127,7 @@ option = pam_cert_db_path`
			`option = p11_child_timeout`
			`option = pam_app_services`
			`option = pam_p11_allowed_services`
			`+option = p11_wait_for_card_timeout`

			`[rule/allowed_sudo_options]`
			`validator = ini_allowed_options`
			`diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf`
			`index 52494c0..bb686c3 100644`
			`--- a/src/config/etc/sssd.api.conf`
			`+++ b/src/config/etc/sssd.api.conf`
			`@@ -76,6 +76,7 @@ pam_cert_db_path = str, None, false`
			`p11_child_timeout = int, None, false`
			`pam_app_services = str, None, false`
			`pam_p11_allowed_services = str, None, false`
			`+p11_wait_for_card_timeout = int, None, false`

			`[sudo]`
			`# sudo service`
			`diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml`
			`index c1e3895..4df0163 100644`
			`--- a/src/man/sssd.conf.5.xml`
			`+++ b/src/man/sssd.conf.5.xml`
			`@@ -1464,6 +1464,20 @@ pam_p11_allowed_services = +my_pam_service, -login`
			`</para>`
			`</listitem>`
			`</varlistentry>`
			`+ <varlistentry>`
			`+ <term>p11_wait_for_card_timeout (integer)</term>`
			`+ <listitem>`
			`+ <para>`
			`+ If Smartcard authentication is required how many`
			`+ extra seconds in addition to p11_child_timeout`
			`+ should the PAM responder wait until a Smartcard is`
			`+ inserted.`
			`+ </para>`
			`+ <para>`
			`+ Default: 60`
			`+ </para>`
			`+ </listitem>`
			`+ </varlistentry>`
			`</variablelist>`
			`</refsect2>`

			`diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c`
			`index 817f3c5..c8df32d 100644`
			`--- a/src/responder/pam/pamsrv_cmd.c`
			`+++ b/src/responder/pam/pamsrv_cmd.c`
			`@@ -1297,6 +1297,7 @@ static errno_t check_cert(TALLOC_CTX *mctx,`
			`struct pam_data *pd)`
			`{`
			`int p11_child_timeout;`
			`+ int wait_for_card_timeout;`
			`char *cert_verification_opts;`
			`errno_t ret;`
			`struct tevent_req *req;`
			`@@ -1311,6 +1312,20 @@ static errno_t check_cert(TALLOC_CTX *mctx,`
			`ret, sss_strerror(ret));`
			`return ret;`
			`}`
			`+ if ((pd->cli_flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) && pd->priv == 1) {`
			`+ ret = confdb_get_int(pctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY,`
			`+ CONFDB_PAM_WAIT_FOR_CARD_TIMEOUT,`
			`+ P11_WAIT_FOR_CARD_TIMEOUT_DEFAULT,`
			`+ &wait_for_card_timeout);`
			`+ if (ret != EOK) {`
			`+ DEBUG(SSSDBG_CRIT_FAILURE,`
			`+ "Failed to read wait_for_card_timeout from confdb: [%d]: %s\n",`
			`+ ret, sss_strerror(ret));`
			`+ return ret;`
			`+ }`
			`+`
			`+ p11_child_timeout += wait_for_card_timeout;`
			`+ }`

			`ret = confdb_get_string(pctx->rctx->cdb, mctx, CONFDB_MONITOR_CONF_ENTRY,`
			`CONFDB_MONITOR_CERT_VERIFICATION, NULL,`
			`diff --git a/src/util/util.h b/src/util/util.h`
			`index 59e7a96..e3e9100 100644`
			`--- a/src/util/util.h`
			`+++ b/src/util/util.h`
			`@@ -724,6 +724,7 @@ errno_t create_preauth_indicator(void);`
			`#define P11_CHILD_LOG_FILE "p11_child"`
			`#define P11_CHILD_PATH SSSD_LIBEXEC_PATH"/p11_child"`
			`#define P11_CHILD_TIMEOUT_DEFAULT 10`
			`+#define P11_WAIT_FOR_CARD_TIMEOUT_DEFAULT 60`
			`#endif /* SSSD_LIBEXEC_PATH */`

			`#endif /* __SSSD_UTIL_H__ */`
			`--`
			`2.9.5`