diff --git a/0001-reuse-authtok-which-is-already-in-the-pam-stack.patch b/0001-reuse-authtok-which-is-already-in-the-pam-stack.patch
new file mode 100644
index 0000000..d0f4569
--- /dev/null
+++ b/0001-reuse-authtok-which-is-already-in-the-pam-stack.patch
@@ -0,0 +1,70 @@
+>From 98bb277b9271e5e9175180685d647909b89c06aa Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Wed, 29 Apr 2009 21:11:05 +0200
+Subject: [PATCH] reuse authtok which is already in the pam stack
+
+---
+ sss_client/pam_sss.c | 20 ++++++++++++++++++--
+ 1 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/sss_client/pam_sss.c b/sss_client/pam_sss.c
+index d03407c..f2fdefe 100644
+--- a/sss_client/pam_sss.c
++++ b/sss_client/pam_sss.c
+@@ -149,8 +149,10 @@ static void print_pam_items(struct pam_items pi)
+ D(("Tty: %s", *pi.pam_tty!='\0' ? pi.pam_tty : "(not available)"));
+ D(("Ruser: %s", *pi.pam_ruser!='\0' ? pi.pam_ruser : "(not available)"));
+ D(("Rhost: %s", *pi.pam_rhost!='\0' ? pi.pam_rhost : "(not available)"));
+- D(("Authtok: %s", *pi.pamstack_authtok!='\0' ? pi.pamstack_authtok : "(not available)"));
+- D(("Oldauthtok: %s", *pi.pamstack_oldauthtok!='\0' ? pi.pamstack_oldauthtok : "(not available)"));
++ D(("Pamstack_Authtok: %s", *pi.pamstack_authtok!='\0' ? pi.pamstack_authtok : "(not available)"));
++ D(("Pamstack_Oldauthtok: %s", *pi.pamstack_oldauthtok!='\0' ? pi.pamstack_oldauthtok : "(not available)"));
++ D(("Authtok: %s", *pi.pam_authtok!='\0' ? pi.pam_authtok : "(not available)"));
++ D(("Newauthtok: %s", *pi.pam_newauthtok!='\0' ? pi.pam_newauthtok : "(not available)"));
+ }
+
+ static int pam_sss(int task, pam_handle_t *pamh, int flags, int argc,
+@@ -171,12 +173,15 @@ static int pam_sss(int task, pam_handle_t *pamh, int flags, int argc,
+ int pam_status;
+ char *newpwd[2];
+ int forward_pass = 0;
++ int use_first_pass = 0;
+
+ D(("Hello pam_sssd: %d", task));
+
+ for (; argc-- > 0; ++argv) {
+ if (strcmp(*argv, "forward_pass") == 0) {
+ forward_pass = 1;
++ } else if (strcmp(*argv, "use_first_pass") == 0) {
++ use_first_pass = 1;
+ } else {
+ D(("unknown option: %s", *argv));
+ }
+@@ -194,6 +199,16 @@ static int pam_sss(int task, pam_handle_t *pamh, int flags, int argc,
+ return ret;
+ }
+
++ if (use_first_pass != 0 &&
++ (*pi.pamstack_authtok != '\0' || *pi.pamstack_oldauthtok != '\0') &&
++ (task == SSS_PAM_AUTHENTICATE || task == SSS_PAM_CHAUTHTOK)) {
++ pi.pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
++ pi.pam_authtok = strdup(pi.pamstack_authtok);
++ pi.pam_authtok_size = strlen(pi.pamstack_authtok);
++ pi.pam_newauthtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
++ pi.pam_newauthtok = strdup(pi.pamstack_oldauthtok);
++ pi.pam_newauthtok_size = strlen(pi.pamstack_oldauthtok);
++ } else {
+ pi.pam_authtok_type = SSS_AUTHTOK_TYPE_EMPTY;
+ pi.pam_authtok = NULL;
+ pi.pam_authtok_size = 0;
+@@ -297,6 +312,7 @@ static int pam_sss(int task, pam_handle_t *pamh, int flags, int argc,
+ _pam_overwrite((void *)newpwd[1]);
+ free(newpwd[1]);
+ }
++ }
+
+ print_pam_items(pi);
+
+--
+1.6.0.6
+
diff --git a/sssd.spec b/sssd.spec
index 2a6e975..4813aac 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -1,6 +1,6 @@ Name: sssd Version: 0.3.3 -Release: 1%{?dist} +Release: 2%{?dist} Group: Applications/System Summary: System Security Services Daemon
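Review bot: In the pam_sss.c hunk at `@@ -194,6 +199,16 @@`, the new use_first_pass branch stores the results of both `strdup()` calls without checking them, so an allocation failure leaves `pi.pam_authtok` or `pi.pam_newauthtok` NULL while its `_type` is already `SSS_AUTHTOK_TYPE_PASSWORD`; check both results and fail the call (for example with `PAM_BUF_ERR`) before continuing. The branch is entered when either stack token is non-empty, yet both are then typed as passwords, so an empty token is recorded as a zero-length password; it would be safer to set each type from its own string. The assignment `pi.pam_newauthtok = strdup(pi.pamstack_oldauthtok);` also looks reversed for SSS_PAM_CHAUTHTOK if pamstack_oldauthtok holds the old password, which only the lines outside the hunk can confirm. In the print_pam_items hunk, the added `D(("Authtok: %s", ...))` and `D(("Newauthtok: %s", ...))` lines write the cleartext tokens to debug output and dereference `pi.pam_authtok`, which the else branch initialises to NULL and which may still be NULL at that point; print only whether a token is present, e.g. `D(("Authtok: %s", pi.pam_authtok != NULL ? "(set)" : "(not available)"));`. The body of pam_sss continues outside these hunks, so whether the duplicated tokens are later wiped with `_pam_overwrite()` and freed is not visible here.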
@@ -17,6 +17,7 @@ Patch1: 0001-Use-different-attribute-for-cached-passwords.patch Patch2: 0001-Use-different-attribute-for-cached-passwords-change.patch Patch3: 0001-enable-offline-handling-for-native-LDAP-backend.patch Patch4: 0001-handle-other-pam-calls-when-offline.patch +Patch5: 0001-reuse-authtok-which-is-already-in-the-pam-stack.patch ### Dependencies ### @@ -59,6 +60,7 @@ services for projects like FreeIPA. %patch2 -p 1 -b .pwd-cache-attr %patch3 -p 1 -b .ldap-offline %patch4 -p 1 -b .pam-offline +%patch5 -p 1 -b .use_first_pass %build @@ -147,6 +149,9 @@ if [ $1 -ge 1 ] ; then fi %changelog +* Tue Apr 29 2009 Simo Sorce - 0.3.3-2 +- Add use_first_pass option to fix pam stack problems + * Tue Apr 28 2009 Simo Sorce - 0.3.3-1 - Add patches to fix password caches when offline