Resolves: rhbz#1445680 - Properly fall back to local Smartcard authentication

Resolves: rhbz#1437199 - sssd-nfs-idmap-1.15.2-1.fc25.x86_64 conflicts with file from package sssd-common-1.15.1-1.fc25.x86_64 Resolves: rhbz#1063278 - sss_ssh_knownhostsproxy doesn't fall back to ipv4 (cherry picked from commit 9c949c17eb)
2017-04-29 23:56:40 +02:00 · 2017-04-29 23:56:40 +02:00 · 206ba71f3b
commit 206ba71f3b
parent 5421a7ac42
5 changed files with 272 additions and 3 deletions
--- a/0003-krb5-return-to-responder-that-pkinit-is-not-availabl.patch
+++ b/0003-krb5-return-to-responder-that-pkinit-is-not-availabl.patch
@ -0,0 +1,60 @@
+From 1c551b1373799643f3e9ba4f696d21b8fc57dafd Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 16 Mar 2017 20:43:08 +0100
+Subject: [PATCH] krb5: return to responder that pkinit is not available
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If pkinit is not available for a user but other authentication methods
+are SSSD should still fall back to local certificate based
+authentication if Smartcard credentials are provided.
+
+Resolves https://pagure.io/SSSD/sssd/issue/3343
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
+---
+ src/providers/krb5/krb5_child.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
+index 777a25f2a0ea434dde12d2396f6a35c2a1b86cd0..a4128dda6b0861a95dba223047d66c4158b1afb6 100644
+--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
+@@ -42,6 +42,10 @@
+ 
+ #define SSSD_KRB5_CHANGEPW_PRINCIPAL "kadmin/changepw"
+ 
+#define IS_SC_AUTHTOK(tok) ( \
+    sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_PIN \
+        || sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_KEYPAD)
+
+ enum k5c_fast_opt {
+     K5C_FAST_NEVER,
+     K5C_FAST_TRY,
+@@ -1529,12 +1533,17 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
+              * pre-auth module is missing or no Smartcard is inserted and only
+              * pkinit is available KRB5_PREAUTH_FAILED is returned.
+              * ERR_NO_AUTH_METHOD_AVAILABLE is used to indicate to the
+-             * frontend that local authentication might be tried. */
+             * frontend that local authentication might be tried.
+             * Same is true if Smartcard credentials are given but only other
+             * authentication methods are available. */
+             if (kr->pd->cmd == SSS_PAM_AUTHENTICATE
+                     && kerr == KRB5_PREAUTH_FAILED
+-                    && kr->password_prompting == false
+-                    && kr->otp == false
+-                    && kr->pkinit_prompting == false) {
+                    && kr->pkinit_prompting == false
+                    && (( kr->password_prompting == false
+                              && kr->otp == false)
+                            || ((kr->otp == true
+                                    || kr->password_prompting == true)
+                              && IS_SC_AUTHTOK(kr->pd->authtok))) ) {
+                 return ERR_NO_AUTH_METHOD_AVAILABLE;
+             }
+             return kerr;
+-- 
+2.12.2
+
--- a/0004-ssh-tools-The-ai-structure-is-not-an-array.patch
+++ b/0004-ssh-tools-The-ai-structure-is-not-an-array.patch
@ -0,0 +1,51 @@
+From 08084b1179bb9fc38bc22b464b3d44907107bfd3 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Tue, 25 Apr 2017 12:39:32 +0000
+Subject: [PATCH 4/6] ssh tools: The ai structure is not an array,
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This structure is actually a linked list, so do not mislead readers by
+treating it as an array.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/1498
+
+Merges: https://pagure.io/SSSD/sssd/pull-request/3383
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
+---
+ src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+index adb82288d435cefccf7e23e6ed2b2c551798a7f8..310243c2fc8091f711559d4afb412e619af687ad 100644
+--- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+@@ -268,10 +268,10 @@ int main(int argc, const char **argv)
+             DEBUG(SSSDBG_OP_FAILURE,
+                   "getaddrinfo() failed (%d): %s\n", ret, gai_strerror(ret));
+         } else {
+-            host = ai[0].ai_canonname;
+            host = ai->ai_canonname;
+         }
+     } else {
+-        ret = getnameinfo(ai[0].ai_addr, ai[0].ai_addrlen,
+        ret = getnameinfo(ai->ai_addr, ai->ai_addrlen,
+                           canonhost, NI_MAXHOST, NULL, 0, NI_NAMEREQD);
+         if (ret) {
+             DEBUG(SSSDBG_OP_FAILURE,
+@@ -295,7 +295,7 @@ int main(int argc, const char **argv)
+     if (pc_args) {
+         ret = connect_proxy_command(discard_const(pc_args));
+     } else if (ai) {
+-        ret = connect_socket(ai[0].ai_family, ai[0].ai_addr, ai[0].ai_addrlen);
+        ret = connect_socket(ai->ai_family, ai->ai_addr, ai->ai_addrlen);
+     } else {
+         ret = EFAULT;
+     }
+-- 
+2.12.2
+
--- a/0005-ssh-tools-Fix-issues-with-multiple-IP-addresses.patch
+++ b/0005-ssh-tools-Fix-issues-with-multiple-IP-addresses.patch
@ -0,0 +1,46 @@
+From 5f6232c7e6d9635c1d6b6b09f799309b6094b143 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Tue, 25 Apr 2017 14:00:15 +0000
+Subject: [PATCH 5/6] ssh tools: Fix issues with multiple IP addresses
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Cycle through all resolved address until one succeed or all fail.
+This is needed for dual stack systems where either IPv4 or IPv6 are
+improperly configured or selectively filtered at some point along the
+route.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/1498
+
+Merges: https://pagure.io/SSSD/sssd/pull-request/3383
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
+---
+ src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+index 310243c2fc8091f711559d4afb412e619af687ad..b7b0c3bb66226be1c6453332a0b3af9fdf4e5a29 100644
+--- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+@@ -295,7 +295,13 @@ int main(int argc, const char **argv)
+     if (pc_args) {
+         ret = connect_proxy_command(discard_const(pc_args));
+     } else if (ai) {
+-        ret = connect_socket(ai->ai_family, ai->ai_addr, ai->ai_addrlen);
+        /* Try all IP addresses before giving up */
+        for (struct addrinfo *ti = ai; ti != NULL; ti = ti->ai_next) {
+            ret = connect_socket(ti->ai_family, ti->ai_addr, ti->ai_addrlen);
+            if (ret == 0) {
+                break;
+            }
+        }
+     } else {
+         ret = EFAULT;
+     }
+-- 
+2.12.2
+
--- a/0006-ssh-tools-Split-connect-and-communication-phases.patch
+++ b/0006-ssh-tools-Split-connect-and-communication-phases.patch
@ -0,0 +1,95 @@
+From 244adc327f7e29ba2c7ef60bc9f732d8fe3e68c9 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Tue, 25 Apr 2017 19:19:13 +0000
+Subject: [PATCH 6/6] ssh tools: Split connect and communication phases
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We can fallback after a connect error, but we cannot easily fall back
+once we start sending data as we may have consumed part of the buffer so
+reconnecting and sending what's left would not make sense.
+
+Therefore we now fallback on connect errors, but we issue a hard fail if
+error happens after communication has been established.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/1498
+
+Merges: https://pagure.io/SSSD/sssd/pull-request/3383
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
+---
+ src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 30 ++++++++++++++++++++--------
+ 1 file changed, 22 insertions(+), 8 deletions(-)
+
+diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+index b7b0c3bb66226be1c6453332a0b3af9fdf4e5a29..976ba86b321923cecad0703214e22b0a773ef585 100644
+--- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+@@ -40,14 +40,10 @@
+ 
+ /* connect to server using socket */
+ static int
+-connect_socket(int family, struct sockaddr *addr, size_t addr_len)
+connect_socket(int family, struct sockaddr *addr, size_t addr_len, int *sd)
+ {
+     int flags;
+     int sock = -1;
+-    struct pollfd fds[2];
+-    char buffer[BUFFER_SIZE];
+-    int i;
+-    ssize_t res;
+     int ret;
+ 
+     /* set O_NONBLOCK on standard input */
+@@ -85,6 +81,22 @@ connect_socket(int family, struct sockaddr *addr, size_t addr_len)
+         goto done;
+     }
+ 
+    *sd = sock;
+
+done:
+    if (ret != 0 && sock >= 0) close(sock);
+    return ret;
+}
+
+static int proxy_data(int sock)
+{
+    int flags;
+    struct pollfd fds[2];
+    char buffer[BUFFER_SIZE];
+    int i;
+    ssize_t res;
+    int ret;
+
+     /* set O_NONBLOCK on the socket */
+     flags = fcntl(sock, F_GETFL);
+     if (flags == -1) {
+@@ -158,8 +170,7 @@ connect_socket(int family, struct sockaddr *addr, size_t addr_len)
+     }
+ 
+ done:
+-    if (sock >= 0) close(sock);
+-
+    close(sock);
+     return ret;
+ }
+ 
+@@ -297,8 +308,11 @@ int main(int argc, const char **argv)
+     } else if (ai) {
+         /* Try all IP addresses before giving up */
+         for (struct addrinfo *ti = ai; ti != NULL; ti = ti->ai_next) {
+-            ret = connect_socket(ti->ai_family, ti->ai_addr, ti->ai_addrlen);
+            int socket_descriptor = -1;
+            ret = connect_socket(ti->ai_family, ti->ai_addr, ti->ai_addrlen,
+                                 &socket_descriptor);
+             if (ret == 0) {
+                ret = proxy_data(socket_descriptor);
+                 break;
+             }
+         }
+-- 
+2.12.2
+
--- a/sssd.spec
+++ b/sssd.spec
@ -30,7 +30,7 @@

 Name: sssd
 Version: 1.15.2
-Release: 2%{?dist}
+Release: 3%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@ -40,7 +40,11 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)

 ### Patches ###
 Patch0001: 0001-responders-do-not-leak-selinux-context-on-clients-de.patch
-patch0002: 0002-selinux-Do-not-fail-if-SELinux-is-not-managed.patch
+Patch0002: 0002-selinux-Do-not-fail-if-SELinux-is-not-managed.patch
+Patch0003: 0003-krb5-return-to-responder-that-pkinit-is-not-availabl.patch
+Patch0004: 0004-ssh-tools-The-ai-structure-is-not-an-array.patch
+Patch0005: 0005-ssh-tools-Fix-issues-with-multiple-IP-addresses.patch
+Patch0006: 0006-ssh-tools-Split-connect-and-communication-phases.patch

 Patch0502:  0502-SYSTEMD-Use-capabilities.patch

@ -176,6 +180,7 @@ Group: Development/Libraries
 License: LGPLv3+
 Requires(post): /sbin/ldconfig
 Requires(postun): /sbin/ldconfig
+Conflicts: sssd-common < %{version}-%{release}

 %description -n libsss_sudo
 A utility library to allow communication between SUDO and SSSD
@ -184,6 +189,7 @@ A utility library to allow communication between SUDO and SSSD
 Summary: A library to allow communication between Autofs and SSSD
 Group: Development/Libraries
 License: LGPLv3+
+Conflicts: sssd-common < %{version}-%{release}

 %description -n libsss_autofs
 A utility library to allow communication between Autofs and SSSD
@ -505,6 +511,7 @@ Summary: The SSSD libwbclient implementation
 Group: Applications/System
 License: GPLv3+ and LGPLv3+
 Conflicts: libwbclient < 4.2.0-0.2.rc2
+Conflicts: sssd-common < %{version}-%{release}

 %description libwbclient
 The SSSD libwbclient implementation.
@ -523,6 +530,7 @@ Development libraries for the SSSD libwbclient implementation.
 Summary: SSSD's idmap_sss Backend for Winbind
 Group:  Applications/System
 License: GPLv3+ and LGPLv3+
+Conflicts: sssd-common < %{version}-%{release}

 %description winbind-idmap
 The idmap_sss module provides a way for Winbind to call SSSD to map UIDs/GIDs
@ -532,6 +540,7 @@ and SIDs.
 Summary: SSSD plug-in for NFSv4 rpc.idmapd
 Group:  Applications/System
 License: GPLv3+
+Conflicts: sssd-common < %{version}-%{release}

 %description nfs-idmap
 The libnfsidmap sssd module provides a way for rpc.idmapd to call SSSD to map
@ -1072,7 +1081,6 @@ done
 %systemd_preun sssd-sudo.socket

 %postun common
-%systemd_postun_with_restart sssd.service
 %systemd_postun_with_restart sssd-autofs.socket
 %systemd_postun_with_restart sssd-autofs.service
 %systemd_postun_with_restart sssd-nss.socket
@ -1133,6 +1141,9 @@ fi

 %postun -n libsss_simpleifp -p /sbin/ldconfig

+%posttrans common
+%systemd_postun_with_restart sssd.service
+
 %posttrans libwbclient
 %{_sbindir}/update-alternatives \
    --install %{_libdir}/libwbclient.so.%{libwbc_alternatives_version} \
@ -1157,6 +1168,12 @@ fi
                                %{_libdir}/%{name}/modules/libwbclient.so

 %changelog
+* Sat Apr 29 2017 Lukas Slebodnik <lslebodn@redhat.com> - 1.15.2-3
+- Resolves: rhbz#1445680 - Properly fall back to local Smartcard authentication
+- Resolves: rhbz#1437199 - sssd-nfs-idmap-1.15.2-1.fc25.x86_64 conflicts with
+                           file from package sssd-common-1.15.1-1.fc25.x86_64
+- Resolves: rhbz#1063278 - sss_ssh_knownhostsproxy doesn't fall back to ipv4
+
 * Thu Apr 06 2017 Lukas Slebodnik <lslebodn@redhat.com> - 1.15.2-2
 - Backport few upstrem fixes from master
 - Resolves: upstream#3297 Fix issue with IPA + SELinux in containers