From 206ba71f3b95745bc39492fdbe99d3b72fb4f150 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Sat, 29 Apr 2017 23:56:40 +0200
Subject: [PATCH] Resolves: rhbz#1445680 - Properly fall back to local Smartcard authentication

Resolves: rhbz#1437199 - sssd-nfs-idmap-1.15.2-1.fc25.x86_64 conflicts with file from package sssd-common-1.15.1-1.fc25.x86_64
Resolves: rhbz#1063278 - sss_ssh_knownhostsproxy doesn't fall back to ipv4
(cherry picked from commit 9c949c17eb6a2e2d0bdae295752d7b397ee987a9)
---
 ...esponder-that-pkinit-is-not-availabl.patch | 60 ++++++++++++
 ...ols-The-ai-structure-is-not-an-array.patch | 51 ++++++++++
 ...ix-issues-with-multiple-IP-addresses.patch | 46 +++++++++
 ...lit-connect-and-communication-phases.patch | 95 +++++++++++++++++++
 sssd.spec | 23 ++++-
 5 files changed, 272 insertions(+), 3 deletions(-)
 create mode 100644 0003-krb5-return-to-responder-that-pkinit-is-not-availabl.patch
 create mode 100644 0004-ssh-tools-The-ai-structure-is-not-an-array.patch
 create mode 100644 0005-ssh-tools-Fix-issues-with-multiple-IP-addresses.patch
 create mode 100644 0006-ssh-tools-Split-connect-and-communication-phases.patch

diff --git a/0003-krb5-return-to-responder-that-pkinit-is-not-availabl.patch b/0003-krb5-return-to-responder-that-pkinit-is-not-availabl.patch
new file mode 100644
index 0000000..f90fa3a
--- /dev/null
+++ b/0003-krb5-return-to-responder-that-pkinit-is-not-availabl.patch
@@ -0,0 +1,60 @@
+From 1c551b1373799643f3e9ba4f696d21b8fc57dafd Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Thu, 16 Mar 2017 20:43:08 +0100
+Subject: [PATCH] krb5: return to responder that pkinit is not available
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If pkinit is not available for a user but other authentication methods
+are SSSD should still fall back to local certificate based
+authentication if Smartcard credentials are provided.
+
+Resolves https://pagure.io/SSSD/sssd/issue/3343
+
+Reviewed-by: Jakub Hrozek
+Reviewed-by: Lukáš Slebodník
+---
+ src/providers/krb5/krb5_child.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
+index 777a25f2a0ea434dde12d2396f6a35c2a1b86cd0..a4128dda6b0861a95dba223047d66c4158b1afb6 100644
+--- a/src/providers/krb5/krb5_child.c
++++ b/src/providers/krb5/krb5_child.c
+@@ -42,6 +42,10 @@
+
+ #define SSSD_KRB5_CHANGEPW_PRINCIPAL "kadmin/changepw"
+
++#define IS_SC_AUTHTOK(tok) ( \
++ sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_PIN \
++ || sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_KEYPAD)
++
+ enum k5c_fast_opt {
+ K5C_FAST_NEVER,
+ K5C_FAST_TRY,
+@@ -1529,12 +1533,17 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
+ * pre-auth module is missing or no Smartcard is inserted and only
+ * pkinit is available KRB5_PREAUTH_FAILED is returned.
+ * ERR_NO_AUTH_METHOD_AVAILABLE is used to indicate to the
+- * frontend that local authentication might be tried. */
++ * frontend that local authentication might be tried.
++ * Same is true if Smartcard credentials are given but only other
++ * authentication methods are available. */
+ if (kr->pd->cmd == SSS_PAM_AUTHENTICATE
+ && kerr == KRB5_PREAUTH_FAILED
+- && kr->password_prompting == false
+- && kr->otp == false
+- && kr->pkinit_prompting == false) {
++ && kr->pkinit_prompting == false
++ && (( kr->password_prompting == false
++ && kr->otp == false)
++ || ((kr->otp == true
++ || kr->password_prompting == true)
++ && IS_SC_AUTHTOK(kr->pd->authtok))) ) {
+ return ERR_NO_AUTH_METHOD_AVAILABLE;
+ }
+ return kerr;
+--
+2.12.2
+
diff --git a/0004-ssh-tools-The-ai-structure-is-not-an-array.patch b/0004-ssh-tools-The-ai-structure-is-not-an-array.patch
new file mode 100644
index 0000000..734f465
--- /dev/null
+++ b/0004-ssh-tools-The-ai-structure-is-not-an-array.patch
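Review bot: The rewritten condition in get_and_save_tgt can be reduced without changing behaviour: the conjunct `(kr->otp == true || kr->password_prompting == true)` is exactly the negation of the first disjunct `(kr->password_prompting == false && kr->otp == false)`, so by the time the second disjunct is evaluated it is already true, and the whole test collapses to `&& ((kr->password_prompting == false && kr->otp == false) || IS_SC_AUTHTOK(kr->pd->authtok))`. That form also states the fallback rule plainly: local Smartcard authentication may be tried either when no other method was offered at all, or when Smartcard credentials were supplied. IS_SC_AUTHTOK calls sss_authtok_get_type() twice on its argument; a `static inline` helper would be type-checked and evaluate the token once, though the macro is harmless as written. get_and_save_tgt starts and ends outside the hunk.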
@@ -0,0 +1,51 @@
+From 08084b1179bb9fc38bc22b464b3d44907107bfd3 Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Tue, 25 Apr 2017 12:39:32 +0000
+Subject: [PATCH 4/6] ssh tools: The ai structure is not an array,
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This structure is actually a linked list, so do not mislead readers by
+treating it as an array.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/1498
+
+Merges: https://pagure.io/SSSD/sssd/pull-request/3383
+
+Signed-off-by: Simo Sorce
+Reviewed-by: Lukáš Slebodník
+---
+ src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+index adb82288d435cefccf7e23e6ed2b2c551798a7f8..310243c2fc8091f711559d4afb412e619af687ad 100644
+--- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
++++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+@@ -268,10 +268,10 @@ int main(int argc, const char **argv)
+ DEBUG(SSSDBG_OP_FAILURE,
+ "getaddrinfo() failed (%d): %s\n", ret, gai_strerror(ret));
+ } else {
+- host = ai[0].ai_canonname;
++ host = ai->ai_canonname;
+ }
+ } else {
+- ret = getnameinfo(ai[0].ai_addr, ai[0].ai_addrlen,
++ ret = getnameinfo(ai->ai_addr, ai->ai_addrlen,
+ canonhost, NI_MAXHOST, NULL, 0, NI_NAMEREQD);
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE,
+@@ -295,7 +295,7 @@ int main(int argc, const char **argv)
+ if (pc_args) {
+ ret = connect_proxy_command(discard_const(pc_args));
+ } else if (ai) {
+- ret = connect_socket(ai[0].ai_family, ai[0].ai_addr, ai[0].ai_addrlen);
++ ret = connect_socket(ai->ai_family, ai->ai_addr, ai->ai_addrlen);
+ } else {
+ ret = EFAULT;
+ }
+--
+2.12.2
+
diff --git a/0005-ssh-tools-Fix-issues-with-multiple-IP-addresses.patch b/0005-ssh-tools-Fix-issues-with-multiple-IP-addresses.patch
new file mode 100644
index 0000000..6ccee63
--- /dev/null
+++ b/0005-ssh-tools-Fix-issues-with-multiple-IP-addresses.patch
@@ -0,0 +1,46 @@
+From 5f6232c7e6d9635c1d6b6b09f799309b6094b143 Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Tue, 25 Apr 2017 14:00:15 +0000
+Subject: [PATCH 5/6] ssh tools: Fix issues with multiple IP addresses
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Cycle through all resolved address until one succeed or all fail.
+This is needed for dual stack systems where either IPv4 or IPv6 are
+improperly configured or selectively filtered at some point along the
+route.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/1498
+
+Merges: https://pagure.io/SSSD/sssd/pull-request/3383
+
+Signed-off-by: Simo Sorce
+Reviewed-by: Lukáš Slebodník
+---
+ src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+index 310243c2fc8091f711559d4afb412e619af687ad..b7b0c3bb66226be1c6453332a0b3af9fdf4e5a29 100644
+--- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
++++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+@@ -295,7 +295,13 @@ int main(int argc, const char **argv)
+ if (pc_args) {
+ ret = connect_proxy_command(discard_const(pc_args));
+ } else if (ai) {
+- ret = connect_socket(ai->ai_family, ai->ai_addr, ai->ai_addrlen);
++ /* Try all IP addresses before giving up */
++ for (struct addrinfo *ti = ai; ti != NULL; ti = ti->ai_next) {
++ ret = connect_socket(ti->ai_family, ti->ai_addr, ti->ai_addrlen);
++ if (ret == 0) {
++ break;
++ }
++ }
+ } else {
+ ret = EFAULT;
+ }
+--
+2.12.2
+
diff --git a/0006-ssh-tools-Split-connect-and-communication-phases.patch b/0006-ssh-tools-Split-connect-and-communication-phases.patch
new file mode 100644
index 0000000..f9ad656
--- /dev/null
+++ b/0006-ssh-tools-Split-connect-and-communication-phases.patch
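Review bot: When every resolved address fails, `ret` after the new loop in main only carries the result of the last attempt, so a dual-stack failure where the first family is unreachable and the second is refused is reported as a plain refusal with no trace of the earlier address. Since the file already logs through DEBUG (the getaddrinfo failure above uses `DEBUG(SSSDBG_OP_FAILURE, ...)`), a per-attempt line such as `DEBUG(SSSDBG_OP_FAILURE, "connect_socket() failed (%d): %s\n", ret, strerror(ret));` before the loop moves on would make the fallback visible to whoever debugs a known-hosts lookup; this assumes connect_socket returns an errno value, which the `ret = EFAULT` branch suggests but the hunk does not show. In this intermediate patch the loop retries the whole session on any non-zero return, which patch 0006 narrows to connect failures, so nothing more is needed here. main continues outside the hunk.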
@@ -0,0 +1,95 @@
+From 244adc327f7e29ba2c7ef60bc9f732d8fe3e68c9 Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Tue, 25 Apr 2017 19:19:13 +0000
+Subject: [PATCH 6/6] ssh tools: Split connect and communication phases
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We can fallback after a connect error, but we cannot easily fall back
+once we start sending data as we may have consumed part of the buffer so
+reconnecting and sending what's left would not make sense.
+
+Therefore we now fallback on connect errors, but we issue a hard fail if
+error happens after communication has been established.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/1498
+
+Merges: https://pagure.io/SSSD/sssd/pull-request/3383
+
+Signed-off-by: Simo Sorce
+Reviewed-by: Lukáš Slebodník
+---
+ src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 30 ++++++++++++++++++++--------
+ 1 file changed, 22 insertions(+), 8 deletions(-)
+
+diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+index b7b0c3bb66226be1c6453332a0b3af9fdf4e5a29..976ba86b321923cecad0703214e22b0a773ef585 100644
+--- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
++++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+@@ -40,14 +40,10 @@
+
+ /* connect to server using socket */
+ static int
+-connect_socket(int family, struct sockaddr *addr, size_t addr_len)
++connect_socket(int family, struct sockaddr *addr, size_t addr_len, int *sd)
+ {
+ int flags;
+ int sock = -1;
+- struct pollfd fds[2];
+- char buffer[BUFFER_SIZE];
+- int i;
+- ssize_t res;
+ int ret;
+
+ /* set O_NONBLOCK on standard input */
+@@ -85,6 +81,22 @@ connect_socket(int family, struct sockaddr *addr, size_t addr_len)
+ goto done;
+ }
+
++ *sd = sock;
++
++done:
++ if (ret != 0 && sock >= 0) close(sock);
++ return ret;
++}
++
++static int proxy_data(int sock)
++{
++ int flags;
++ struct pollfd fds[2];
++ char buffer[BUFFER_SIZE];
++ int i;
++ ssize_t res;
++ int ret;
++
+ /* set O_NONBLOCK on the socket */
+ flags = fcntl(sock, F_GETFL);
+ if (flags == -1) {
+@@ -158,8 +170,7 @@ connect_socket(int family, struct sockaddr *addr, size_t addr_len)
+ }
+
+ done:
+- if (sock >= 0) close(sock);
+-
+ close(sock);
+ return ret;
+ }
+
+@@ -297,8 +308,11 @@ int main(int argc, const char **argv)
+ } else if (ai) {
+ /* Try all IP addresses before giving up */
+ for (struct addrinfo *ti = ai; ti != NULL; ti = ti->ai_next) {
+- ret = connect_socket(ti->ai_family, ti->ai_addr, ti->ai_addrlen);
++ int socket_descriptor = -1;
++ ret = connect_socket(ti->ai_family, ti->ai_addr, ti->ai_addrlen,
++ &socket_descriptor);
+ if (ret == 0) {
++ ret = proxy_data(socket_descriptor);
+ break;
+ }
+ }
+--
+2.12.2
+
diff --git a/sssd.spec b/sssd.spec
index 88e99ac..62d234f 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -30,7 +30,7 @@
 Name: sssd
 Version: 1.15.2
-Release: 2%{?dist}
+Release: 3%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -40,7 +40,11 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 ### Patches ###
 Patch0001: 0001-responders-do-not-leak-selinux-context-on-clients-de.patch
-patch0002: 0002-selinux-Do-not-fail-if-SELinux-is-not-managed.patch
+Patch0002: 0002-selinux-Do-not-fail-if-SELinux-is-not-managed.patch
+Patch0003: 0003-krb5-return-to-responder-that-pkinit-is-not-availabl.patch
+Patch0004: 0004-ssh-tools-The-ai-structure-is-not-an-array.patch
+Patch0005: 0005-ssh-tools-Fix-issues-with-multiple-IP-addresses.patch
+Patch0006: 0006-ssh-tools-Split-connect-and-communication-phases.patch
 Patch0502: 0502-SYSTEMD-Use-capabilities.patch
@@ -176,6 +180,7 @@ Group: Development/Libraries
 License: LGPLv3+
 Requires(post): /sbin/ldconfig
 Requires(postun): /sbin/ldconfig
+Conflicts: sssd-common < %{version}-%{release}
 %description -n libsss_sudo
 A utility library to allow communication between SUDO and SSSD
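Review bot: In the new `done:` epilogue of connect_socket, `if (ret != 0 && sock >= 0) close(sock);` is unbraced while the rest of the hunk braces single statements (`if (ret == 0) { break; }`), so for consistency and to avoid the dangling-statement trap it should read `if (ret != 0 && sock >= 0) { close(sock); }`. The new proxy_data() also has no header comment, unlike connect_socket's `/* connect to server using socket */`; a line such as `/* proxy traffic over the connected socket; closes sock before returning */` would record the ownership hand-off the split creates, since connect_socket now closes sock only on failure and proxy_data closes it unconditionally at its own `done:`. Whether `ret` is already 0 when control falls through to `*sd = sock;` is not visible in the hunk and is worth confirming, because on that path a non-zero ret would close the socket while still handing its number back through `*sd` (main ignores `socket_descriptor` unless ret == 0, so this would be latent rather than exploitable). Both connect_socket and proxy_data extend outside the hunk.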
@@ -184,6 +189,7 @@ A utility library to allow communication between SUDO and SSSD
 Summary: A library to allow communication between Autofs and SSSD
 Group: Development/Libraries
 License: LGPLv3+
+Conflicts: sssd-common < %{version}-%{release}
 %description -n libsss_autofs
 A utility library to allow communication between Autofs and SSSD
@@ -505,6 +511,7 @@ Summary: The SSSD libwbclient implementation
 Group: Applications/System
 License: GPLv3+ and LGPLv3+
 Conflicts: libwbclient < 4.2.0-0.2.rc2
+Conflicts: sssd-common < %{version}-%{release}
 %description libwbclient
 The SSSD libwbclient implementation.
@@ -523,6 +530,7 @@ Development libraries for the SSSD libwbclient implementation.
 Summary: SSSD's idmap_sss Backend for Winbind
 Group: Applications/System
 License: GPLv3+ and LGPLv3+
+Conflicts: sssd-common < %{version}-%{release}
 %description winbind-idmap
 The idmap_sss module provides a way for Winbind to call SSSD to map UIDs/GIDs
@@ -532,6 +540,7 @@ and SIDs.
 Summary: SSSD plug-in for NFSv4 rpc.idmapd
 Group: Applications/System
 License: GPLv3+
+Conflicts: sssd-common < %{version}-%{release}
 %description nfs-idmap
 The libnfsidmap sssd module provides a way for rpc.idmapd to call SSSD to map
@@ -1072,7 +1081,6 @@ done
 %systemd_preun sssd-sudo.socket
 %postun common
-%systemd_postun_with_restart sssd.service
 %systemd_postun_with_restart sssd-autofs.socket
 %systemd_postun_with_restart sssd-autofs.service
 %systemd_postun_with_restart sssd-nss.socket
@@ -1133,6 +1141,9 @@ fi
 %postun -n libsss_simpleifp -p /sbin/ldconfig
+%posttrans common
+%systemd_postun_with_restart sssd.service
+
 %posttrans libwbclient
 %{_sbindir}/update-alternatives \
 --install %{_libdir}/libwbclient.so.%{libwbc_alternatives_version} \
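Review bot: Moving `%systemd_postun_with_restart sssd.service` from `%postun common` (hunk @@ -1072) into a new `%posttrans common` (hunk @@ -1133) may quietly lose the restart on upgrade: as far as I recall, rpm hands `$1 = 0` to `%posttrans` on both install and upgrade, and the systemd macro of that era only runs `try-restart` under `if [ $1 -ge 1 ]`, leaving just the `daemon-reload` part. If the goal is to restart once every subpackage is in place, please confirm the macro's expansion on the targeted rpm/systemd, or restart explicitly with `systemctl try-restart sssd.service >/dev/null 2>&1 || :` in `%posttrans common`. A daemon that keeps running the pre-upgrade binaries until reboot means the fixes this build carries, including the Smartcard fallback in Patch0003, are not in effect, which is worth avoiding for an authentication service.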
@@ -1157,6 +1168,12 @@ fi
 %{_libdir}/%{name}/modules/libwbclient.so
 %changelog
+* Sat Apr 29 2017 Lukas Slebodnik - 1.15.2-3
+- Resolves: rhbz#1445680 - Properly fall back to local Smartcard authentication
+- Resolves: rhbz#1437199 - sssd-nfs-idmap-1.15.2-1.fc25.x86_64 conflicts with
+ file from package sssd-common-1.15.1-1.fc25.x86_64
+- Resolves: rhbz#1063278 - sss_ssh_knownhostsproxy doesn't fall back to ipv4
+
 * Thu Apr 06 2017 Lukas Slebodnik - 1.15.2-2
 - Backport few upstrem fixes from master
 - Resolves: upstream#3297 Fix issue with IPA + SELinux in containers