From 1c551b1373799643f3e9ba4f696d21b8fc57dafd Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Thu, 16 Mar 2017 20:43:08 +0100
Subject: [PATCH] krb5: return to responder that pkinit is not available
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If pkinit is not available for a user but other authentication methods are SSSD should still fall back to local certificate based authentication if Smartcard credentials are provided.

Resolves https://pagure.io/SSSD/sssd/issue/3343

Reviewed-by: Jakub Hrozek
Reviewed-by: Lukáš Slebodník
---
 src/providers/krb5/krb5_child.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 777a25f2a0ea434dde12d2396f6a35c2a1b86cd0..a4128dda6b0861a95dba223047d66c4158b1afb6 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -42,6 +42,10 @@
 
 #define SSSD_KRB5_CHANGEPW_PRINCIPAL "kadmin/changepw"
 
+#define IS_SC_AUTHTOK(tok) ( \
+    sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_PIN \
+    || sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_KEYPAD)
+
 enum k5c_fast_opt {
     K5C_FAST_NEVER,
     K5C_FAST_TRY,
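Review bot: IS_SC_AUTHTOK in the first hunk expands `sss_authtok_get_type((tok))` twice and accepts any expression as `tok` with no type checking, which is a style point rather than a bug since the getter has no side effects. A `static inline` helper that reads the token type once is the more idiomatic C form, keeps the two SSS_AUTHTOK_TYPE_SC_* comparisons together, and lets the compiler check the argument against the pointer type sss_authtok_get_type already declares. The caller in the second hunk would then read `is_sc_authtok(kr->pd->authtok)` instead of the macro.

```c
static inline bool is_sc_authtok(struct sss_auth_token *tok)
{
    enum sss_authtok_type type = sss_authtok_get_type(tok);

    return type == SSS_AUTHTOK_TYPE_SC_PIN
               || type == SSS_AUTHTOK_TYPE_SC_KEYPAD;
}
```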
@@ -1529,12 +1533,17 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
      * pre-auth module is missing or no Smartcard is inserted and only
      * pkinit is available KRB5_PREAUTH_FAILED is returned.
      * ERR_NO_AUTH_METHOD_AVAILABLE is used to indicate to the
-     * frontend that local authentication might be tried. */
+     * frontend that local authentication might be tried.
+     * Same is true if Smartcard credentials are given but only other
+     * authentication methods are available. */
     if (kr->pd->cmd == SSS_PAM_AUTHENTICATE
             && kerr == KRB5_PREAUTH_FAILED
-            && kr->password_prompting == false
-            && kr->otp == false
-            && kr->pkinit_prompting == false) {
+            && kr->pkinit_prompting == false
+            && (( kr->password_prompting == false
+                  && kr->otp == false)
+                || ((kr->otp == true
+                     || kr->password_prompting == true)
+                    && IS_SC_AUTHTOK(kr->pd->authtok))) ) {
         return ERR_NO_AUTH_METHOD_AVAILABLE;
     }
     return kerr;
-- 
2.12.2
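Review bot: The new guard in the `if` is redundant in a way that hides the rule it enforces: the inner `(kr->otp == true || kr->password_prompting == true)` of the second disjunct is exactly the negation of the first disjunct `(kr->password_prompting == false && kr->otp == false)`, so `A || (!A && B)` is just `A || B` and the lines after `&& kerr == KRB5_PREAUTH_FAILED` can become `&& kr->pkinit_prompting == false` / `&& ((kr->password_prompting == false && kr->otp == false)` / `    || IS_SC_AUTHTOK(kr->pd->authtok))) {`. Written that way the security-relevant behaviour is easy to audit: whenever pkinit was not offered, a Smartcard token turns KRB5_PREAUTH_FAILED into ERR_NO_AUTH_METHOD_AVAILABLE regardless of which other methods the KDC offered, so the frontend's local certificate check is the only gate on that fallback; the comment above the `if` could state this directly, e.g. `/* A Smartcard token without pkinit always defers to the frontend's local certificate check. */`. get_and_save_tgt starts and ends outside this hunk, so whether kr->pd->authtok can be unset at this point is not visible here and should be confirmed against the caller.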