88 lines
3.2 KiB
Diff
88 lines
3.2 KiB
Diff
From 0c58361481982fd356e2282c2640ee55bdf60abb Mon Sep 17 00:00:00 2001
|
|
From: Lukas Slebodnik <lslebodn@redhat.com>
|
|
Date: Mon, 20 Oct 2014 22:21:25 +0200
|
|
Subject: [PATCH 09/26] PAM: Remove authtok from PAM stack with OTP
|
|
|
|
We remove the password from the PAM stack when OTP is used to make sure
|
|
that other pam modules (pam-gnome-keyring, pam_mount) cannot use it anymore
|
|
and have to request a password on their own.
|
|
|
|
Resolves:
|
|
https://fedorahosted.org/sssd/ticket/2287
|
|
|
|
Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com>
|
|
---
|
|
src/providers/krb5/krb5_auth.c | 14 ++++++++++++++
|
|
src/sss_client/pam_sss.c | 16 +++++++++++++++-
|
|
2 files changed, 29 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
|
|
index f539d5068ec29f7b06f734a3417864b43122b1b7..c96b7aee99da8c3d43a67a04bb1f67ee048d4705 100644
|
|
--- a/src/providers/krb5/krb5_auth.c
|
|
+++ b/src/providers/krb5/krb5_auth.c
|
|
@@ -1161,6 +1161,20 @@ static void krb5_auth_done(struct tevent_req *subreq)
|
|
krb5_auth_store_creds(state->domain, pd);
|
|
}
|
|
|
|
+ if (res->otp == true && pd->cmd == SSS_PAM_AUTHENTICATE) {
|
|
+ uint32_t otp_flag = 1;
|
|
+ ret = pam_add_response(pd, SSS_OTP, sizeof(uint32_t),
|
|
+ (const uint8_t *) &otp_flag);
|
|
+ if (ret != EOK) {
|
|
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
+ "pam_add_response failed: %d (%s).\n",
|
|
+ ret, sss_strerror(ret));
|
|
+ state->pam_status = PAM_SYSTEM_ERR;
|
|
+ state->dp_err = DP_ERR_OK;
|
|
+ goto done;
|
|
+ }
|
|
+ }
|
|
+
|
|
state->pam_status = PAM_SUCCESS;
|
|
state->dp_err = DP_ERR_OK;
|
|
ret = EOK;
|
|
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
|
|
index abe9b05478cbf480b3430dccd1951e9bfb0e29c1..d64e826daeb80be8998ef3b410047e3a44051b07 100644
|
|
--- a/src/sss_client/pam_sss.c
|
|
+++ b/src/sss_client/pam_sss.c
|
|
@@ -206,7 +206,7 @@ static size_t add_string_item(enum pam_item_type type, const char *str,
|
|
return rp;
|
|
}
|
|
|
|
-static void overwrite_and_free_pam_items(struct pam_items *pi)
|
|
+static void overwrite_and_free_authtoks(struct pam_items *pi)
|
|
{
|
|
if (pi->pam_authtok != NULL) {
|
|
_pam_overwrite_n((void *)pi->pam_authtok, pi->pam_authtok_size);
|
|
@@ -222,6 +222,11 @@ static void overwrite_and_free_pam_items(struct pam_items *pi)
|
|
|
|
pi->pamstack_authtok = NULL;
|
|
pi->pamstack_oldauthtok = NULL;
|
|
+}
|
|
+
|
|
+static void overwrite_and_free_pam_items(struct pam_items *pi)
|
|
+{
|
|
+ overwrite_and_free_authtoks(pi);
|
|
|
|
free(pi->domain_name);
|
|
pi->domain_name = NULL;
|
|
@@ -998,6 +1003,15 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
|
|
D(("do_pam_conversation failed."));
|
|
}
|
|
break;
|
|
+ case SSS_OTP:
|
|
+ D(("OTP was used, removing authtokens."));
|
|
+ overwrite_and_free_authtoks(pi);
|
|
+ ret = pam_set_item(pamh, PAM_AUTHTOK, NULL);
|
|
+ if (ret != PAM_SUCCESS) {
|
|
+ D(("Failed to remove PAM_AUTHTOK after using otp [%s]",
|
|
+ pam_strerror(pamh,ret)));
|
|
+ }
|
|
+ break;
|
|
default:
|
|
D(("Unknown response type [%d]", type));
|
|
}
|
|
--
|
|
2.1.0
|
|
|