From c14a1642229f20fe8a1ff1da1e33b8ad6a46686d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 24 Mar 2015 15:53:17 +0100
Subject: [PATCH 26/30] krb5: save hash of the first authentication factor to
the cache
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit c5ae04b2da970a3991f21173acae3e892198ce0c)
---
src/providers/krb5/krb5_auth.c | 26 +++++++++++++++++++++++---
1 file changed, 23 insertions(+), 3 deletions(-)
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 6b818440717a9cfaa22a8332fc65440d21d79d00..5a946de4dba5081ed3b082e54af84e73b567a22f 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -321,6 +321,9 @@ static void krb5_auth_store_creds(struct sss_domain_info *domain,
struct pam_data *pd)
{
const char *password = NULL;
+ const char *fa2;
+ size_t password_len;
+ size_t fa2_len = 0;
int ret = EOK;
switch(pd->cmd) {
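Review bot: `password_len` is left uninitialized while the sibling `fa2_len` is zeroed; the later `ret == EOK &&` guard in the next hunk keeps the read safe, but `size_t password_len = 0;` makes the two declarations consistent and avoids maybe-uninitialized warnings. In the visible hunks `fa2` is only an out-parameter of sss_authtok_get_2fa and is never read afterwards, only its length is forwarded, so a comment such as `/* second factor is never cached; only its length is recorded */` would explain why it is requested at all. krb5_auth_store_creds continues past the hunk.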
@@ -332,7 +335,20 @@ static void krb5_auth_store_creds(struct sss_domain_info *domain,
break;
case SSS_PAM_AUTHENTICATE:
case SSS_PAM_CHAUTHTOK_PRELIM:
- ret = sss_authtok_get_password(pd->authtok, &password, NULL);
+ if (sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_2FA) {
+ ret = sss_authtok_get_2fa(pd->authtok, &password, &password_len,
+ &fa2, &fa2_len);
+ if (ret == EOK && password_len <
+ domain->cache_credentials_min_ff_length) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "First factor is too short to be cache, "
+ "minimum length is [%u].\n",
+ domain->cache_credentials_min_ff_length);
+ ret = EINVAL;
+ }
+ } else {
+ ret = sss_authtok_get_password(pd->authtok, &password, NULL);
+ }
break;
case SSS_PAM_CHAUTHTOK:
ret = sss_authtok_get_password(pd->newauthtok, &password, NULL);
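Review bot: The `if (ret == EOK && password_len < domain->cache_credentials_min_ff_length)` check is the only control on a security-relevant downgrade: once the first factor of a 2FA token is hashed into the cache, offline authentication for that user can presumably be satisfied by the first factor alone, without the OTP, and nothing in the hunk says so; a comment at the top of the 2FA branch such as `/* Only the first factor is cached, so offline auth for 2FA users becomes single-factor; enforce the configured minimum length before accepting it. */` would make the trade-off explicit. The rejection is logged at SSSDBG_FATAL_FAILURE even though it only skips caching (the post-switch handling of ret is outside the hunk), which seems too loud for a policy decision. The message `"First factor is too short to be cache, "` should read `"First factor is too short to be cached, "`. `%u` assumes cache_credentials_min_ff_length is an unsigned int; if it is declared as size_t elsewhere, `%zu` is needed.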
@@ -358,7 +374,8 @@ static void krb5_auth_store_creds(struct sss_domain_info *domain,
return;
}
- ret = sysdb_cache_password(domain, pd->user, password);
+ ret = sysdb_cache_password_ex(domain, pd->user, password,
+ sss_authtok_get_type(pd->authtok), fa2_len);
if (ret) {
DEBUG(SSSDBG_OP_FAILURE,
"Failed to cache password, offline auth may not work."
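Review bot: `sss_authtok_get_type(pd->authtok)` is passed for every command, but in the SSS_PAM_CHAUTHTOK case (previous hunk) the password being cached was taken from `pd->newauthtok`, so a 2FA-typed old token would label a plain new password as 2FA with fa2_len 0. Derive the type from the token the password actually came from, e.g. `sss_authtok_get_type(pd->cmd == SSS_PAM_CHAUTHTOK ? pd->newauthtok : pd->authtok), fa2_len);`, or record the chosen token in the switch alongside password. Whether sysdb_cache_password_ex treats a 2FA type with fa2_len 0 differently from a plain password entry is not visible here, so the mismatch may be harmless today but is fragile. krb5_auth_store_creds starts and ends outside this hunk.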
@@ -1074,7 +1091,10 @@ static void krb5_auth_done(struct tevent_req *subreq)
goto done;
}
- if (state->be_ctx->domain->cache_credentials == TRUE && !res->otp) {
+ if (state->be_ctx->domain->cache_credentials == TRUE
+ && (!res->otp
+ || (res->otp && sss_authtok_get_type(pd->authtok) ==
+ SSS_AUTHTOK_TYPE_2FA))) {
krb5_auth_store_creds(state->domain, pd);
}
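Review bot: `(!res->otp || (res->otp && ...))` carries a redundant `res->otp &&`, since the right-hand operand of `||` is only evaluated when res->otp is already true; the condition can be written as `&& (!res->otp || sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_2FA)) {`. This line is also where the policy of caching credentials from an OTP-backed login is decided, and it deserves a comment such as `/* OTP logins are cached only for 2FA tokens, and then only the first factor (see krb5_auth_store_creds) */` so the weaker offline assurance is visible to the next reader. krb5_auth_done starts outside the hunk.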
--
2.4.3