110 lines
3.5 KiB
Diff
110 lines
3.5 KiB
Diff
From 540f0f9e2b35315703b56989d398c11da49992e2 Mon Sep 17 00:00:00 2001
|
|
From: Sumit Bose <sbose@redhat.com>
|
|
Date: Fri, 16 Sep 2016 11:48:18 +0200
|
|
Subject: [PATCH 63/79] pam_sss: check PKCS11_LOGIN_TOKEN_NAME
|
|
|
|
Check if PKCS11_LOGIN_TOKEN_NAME is set and prompt the user if the
|
|
matching Smartcard is not inserted.
|
|
|
|
Related to https://fedorahosted.org/sssd/ticket/3165
|
|
|
|
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
(cherry picked from commit 35ba922bc51416f02877b53a6f25c04104ae5f03)
|
|
---
|
|
src/sss_client/pam_sss.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++++
|
|
1 file changed, 65 insertions(+)
|
|
|
|
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
|
|
index fdb9c907644f1317b6f8e58619f01ad2753deafc..2049d5fb0c6092aaaa914385c79d02d8f44b447e 100644
|
|
--- a/src/sss_client/pam_sss.c
|
|
+++ b/src/sss_client/pam_sss.c
|
|
@@ -1410,6 +1410,7 @@ done:
|
|
}
|
|
|
|
#define SC_PROMPT_FMT "PIN for %s for user %s"
|
|
+
|
|
static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
|
|
{
|
|
int ret;
|
|
@@ -1691,6 +1692,62 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
|
|
return PAM_SUCCESS;
|
|
}
|
|
|
|
+#define SC_ENTER_FMT "Please enter smart card labeled\n %s\nand press enter"
|
|
+
|
|
+static int check_login_token_name(pam_handle_t *pamh, struct pam_items *pi,
|
|
+ bool quiet_mode)
|
|
+{
|
|
+ int ret;
|
|
+ int pam_status;
|
|
+ char *login_token_name;
|
|
+ char *prompt = NULL;
|
|
+ size_t size;
|
|
+ char *answer = NULL;
|
|
+
|
|
+ login_token_name = getenv("PKCS11_LOGIN_TOKEN_NAME");
|
|
+ if (login_token_name == NULL) {
|
|
+ return PAM_SUCCESS;
|
|
+ }
|
|
+
|
|
+ while (pi->token_name == NULL
|
|
+ || strcmp(login_token_name, pi->token_name) != 0) {
|
|
+ size = sizeof(SC_ENTER_FMT) + strlen(login_token_name);
|
|
+ prompt = malloc(size);
|
|
+ if (prompt == NULL) {
|
|
+ D(("malloc failed."));
|
|
+ return ENOMEM;
|
|
+ }
|
|
+
|
|
+ ret = snprintf(prompt, size, SC_ENTER_FMT,
|
|
+ login_token_name);
|
|
+ if (ret < 0 || ret >= size) {
|
|
+ D(("snprintf failed."));
|
|
+ free(prompt);
|
|
+ return EFAULT;
|
|
+ }
|
|
+
|
|
+ ret = do_pam_conversation(pamh, PAM_PROMPT_ECHO_OFF, prompt,
|
|
+ NULL, &answer);
|
|
+ free(prompt);
|
|
+ free(answer);
|
|
+ if (ret != PAM_SUCCESS) {
|
|
+ D(("do_pam_conversation failed."));
|
|
+ return ret;
|
|
+ }
|
|
+
|
|
+ pam_status = send_and_receive(pamh, pi, SSS_PAM_PREAUTH, quiet_mode);
|
|
+ if (pam_status != PAM_SUCCESS) {
|
|
+ D(("send_and_receive returned [%d] during pre-auth", pam_status));
|
|
+ /*
|
|
+ * Since we are waiting for the right Smartcard to be inserted errors
|
|
+ * can be ignored here.
|
|
+ */
|
|
+ }
|
|
+ }
|
|
+
|
|
+ return PAM_SUCCESS;
|
|
+}
|
|
+
|
|
static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
|
int pam_flags, int argc, const char **argv)
|
|
{
|
|
@@ -1758,6 +1815,14 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
|
}
|
|
}
|
|
|
|
+ if (strcmp(pi.pam_service, "gdm-smartcard") == 0) {
|
|
+ ret = check_login_token_name(pamh, &pi, quiet_mode);
|
|
+ if (ret != PAM_SUCCESS) {
|
|
+ D(("check_login_token_name failed.\n"));
|
|
+ return ret;
|
|
+ }
|
|
+ }
|
|
+
|
|
ret = get_authtok_for_authentication(pamh, &pi, flags);
|
|
if (ret != PAM_SUCCESS) {
|
|
D(("failed to get authentication token: %s",
|
|
--
|
|
2.9.3
|
|
|