From d3a18f06162b9585d2db936472b75fdbff37162d Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 17 Sep 2018 17:54:26 +0200 Subject: [PATCH 62/83] pam_sss: add try_cert_auth option With this new option pam_sss can be configured to only do Smartcard authentication or return an error if this is not possible. Related to https://pagure.io/SSSD/sssd/issue/3650 Reviewed-by: Jakub Hrozek --- src/man/pam_sss.8.xml | 23 +++++++++++++++++++++++ src/sss_client/pam_sss.c | 9 +++++++++ src/sss_client/sss_cli.h | 1 + 3 files changed, 33 insertions(+) diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml index d8e6a20..ca2e8e2 100644 --- a/src/man/pam_sss.8.xml +++ b/src/man/pam_sss.8.xml @@ -50,6 +50,9 @@ prompt_always + + try_cert_auth + @@ -200,6 +203,26 @@ auth sufficient pam_sss.so allow_missing_name + + + + + + + Try to use certificate based authentication, i.e. + authentication with a Smartcard or similar devices. If a + Smartcard is available and the service is allowed for + Smartcard authentication the use will be prompted for a + PIN and the certificate based authentication will + continue + + + If no Smartcard is available or certificate based + authentication is not allowed for the current service + PAM_AUTHINFO_UNAVAIL is returned. + + + diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index b336d1f..96ff15a 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -1997,6 +1997,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv, *flags |= PAM_CLI_FLAGS_ALLOW_MISSING_NAME; } else if (strcmp(*argv, "prompt_always") == 0) { *flags |= PAM_CLI_FLAGS_PROMPT_ALWAYS; + } else if (strcmp(*argv, "try_cert_auth") == 0) { + *flags |= PAM_CLI_FLAGS_TRY_CERT_AUTH; } else { logger(pamh, LOG_WARNING, "unknown option: %s", *argv); } @@ -2405,6 +2407,13 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, } } + if (flags & PAM_CLI_FLAGS_TRY_CERT_AUTH + && pi.cert_list == NULL) { + D(("No certificates for authentication available.")); + overwrite_and_free_pam_items(&pi); + return PAM_AUTHINFO_UNAVAIL; + } + if (strcmp(pi.pam_service, "gdm-smartcard") == 0) { ret = check_login_token_name(pamh, &pi, quiet_mode); if (ret != PAM_SUCCESS) { diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h index 3404715..38e3f99 100644 --- a/src/sss_client/sss_cli.h +++ b/src/sss_client/sss_cli.h @@ -373,6 +373,7 @@ enum pam_item_type { #define PAM_CLI_FLAGS_USE_2FA (1 << 5) #define PAM_CLI_FLAGS_ALLOW_MISSING_NAME (1 << 6) #define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7) +#define PAM_CLI_FLAGS_TRY_CERT_AUTH (1 << 8) #define SSS_NSS_MAX_ENTRIES 256 #define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4) -- 2.9.5