sssd/0052-PAM-add-p11_uri-option.patch
Michal Židek c0971b7e39 Backport a bunch of upstream fixes
- Resolves: upstream#3821 - crash related to sbus_router_destructor()
- Resolves: upstream#3810 - sbus2: fix memory leak in sbus_message_bound_ref
- Resolves: upstream#3819 - sssd only sets the SELinux login context if it
                            differs from the default
- Resolves: upstream#3807 - The sbus codegen script relies on "python" which
                            might not be available on all distributions
- Resolves: upstream#3820 - sudo: search with lower cased name for case
                            insensitive domains
- Resolves: upstream#3701 - [RFE] Allow changing default behavior of SSSD from
                            an allow-any default to a deny-any default when it
                            can't find any GPOs to apply to a user login.
- Resolves: upstream#3828 - Invalid domain provider causes SSSD to abort
                            startup
- Resolves: upstream#3500 - Make sure sssd is a replacement for pam_pkcs11
                            also for local account authentication
- Resolves: upstream#3812 - sssd 2.0.0 segfaults on startup
- Resolves: upstream#3826 - Remove references of sss_user/group/add/del
                            commands in man pages since local provider is
                            deprecated
- Resolves: upstream#3827 - SSSD should log to syslog if a domain is not
                            started due to a misconfiguration
- Resolves: upstream#3830 - Printing incorrect information about domain with
                            sssctl utility
- Resolves: upstream#3489 - p11_child should work wit openssl1.0+
- Resolves: upstream#3750 - [RFE] man 5 sssd-files should mention necessary
                            changes in nsswitch.conf
- Resovles: upstream#3650 - RFE: Require smartcard authentication
- Resolves: upstream#3334 - sssctl config-check does not check any special
                            characters in domain name of domain section
- Resolves: upstream#3849 - Files: The files provider always enumerates
                            which causes duplicate when running getent passwd
- Related: upstream#3855 - session not recording for local user when groups
                           defined
- Resolves: upstream#3802 - Reuse sysdb_error_to_errno() outside sysdb
- Related: upstream#3493 - Remove the pysss.local interface
2018-10-24 14:40:58 +02:00

194 lines
8.1 KiB
Diff

From 725b65081d19da658b16338686c53dcf16d49de0 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 9 Oct 2018 10:47:04 +0200
Subject: [PATCH 67/83] PAM: add p11_uri option
Related to https://pagure.io/SSSD/sssd/issue/3814
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/confdb/confdb.h | 1 +
src/config/SSSDConfig/__init__.py.in | 1 +
src/config/cfg_rules.ini | 1 +
src/config/etc/sssd.api.conf | 1 +
src/man/sssd.conf.5.xml | 33 +++++++++++++++++++++++++++++++++
src/responder/pam/pamsrv.h | 1 +
src/responder/pam/pamsrv_cmd.c | 12 +++++++++++-
src/responder/pam/pamsrv_p11.c | 9 ++++++++-
8 files changed, 57 insertions(+), 2 deletions(-)
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 87904c2..741d4bc 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -133,6 +133,7 @@
#define CONFDB_PAM_WAIT_FOR_CARD_TIMEOUT "p11_wait_for_card_timeout"
#define CONFDB_PAM_APP_SERVICES "pam_app_services"
#define CONFDB_PAM_P11_ALLOWED_SERVICES "pam_p11_allowed_services"
+#define CONFDB_PAM_P11_URI "p11_uri"
/* SUDO */
#define CONFDB_SUDO_CONF_ENTRY "config/sudo"
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 4d1dba2..a20157c 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -105,6 +105,7 @@ option_strings = {
'pam_app_services' : _('Which PAM services are permitted to contact application domains'),
'pam_p11_allowed_services' : _('Allowed services for using smartcards'),
'p11_wait_for_card_timeout' : _('Additional timeout to wait for a card if requested'),
+ 'p11_uri' : _('PKCS#11 URI to restrict the selection of devices for Smartcard authentication'),
# [sudo]
'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 50a8f1d..09a52df 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -128,6 +128,7 @@ option = p11_child_timeout
option = pam_app_services
option = pam_p11_allowed_services
option = p11_wait_for_card_timeout
+option = p11_uri
[rule/allowed_sudo_options]
validator = ini_allowed_options
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index bb686c3..c6d6690 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -77,6 +77,7 @@ p11_child_timeout = int, None, false
pam_app_services = str, None, false
pam_p11_allowed_services = str, None, false
p11_wait_for_card_timeout = int, None, false
+p11_uri = str, None, false
[sudo]
# sudo service
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 4df0163..c8d53f0 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1478,6 +1478,39 @@ pam_p11_allowed_services = +my_pam_service, -login
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>p11_uri (string)</term>
+ <listitem>
+ <para>
+ PKCS#11 URI (see RFC-7512 for details) which can be
+ used to restrict the selection of devices used for
+ Smartcard authentication. By default SSSD's
+ p11_child will search for a PKCS#11 slot (reader)
+ where the 'removable' flags is set and read the
+ certificates from the inserted token from the first
+ slot found. If multiple readers are connected
+ p11_uri can be use to tell p11_child to use a
+ specific reader.
+ </para>
+ <para>
+ Example:
+ <programlisting>
+p11_uri = slot-description=My%20Smartcar%20Reader
+ </programlisting>
+ or
+ <programlisting>
+p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2
+ </programlisting>
+ To find suitable URI please check the debug output
+ of p11_child. As an alternative the GnuTLS utility
+ 'p11tool' with e.g. the '--list-all' will show
+ PKCS#11 URIs as well.
+ </para>
+ <para>
+ Default: none
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect2>
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 5d87756..60aa979 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -103,6 +103,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
time_t timeout,
const char *verify_opts,
struct sss_certmap_ctx *sss_certmap_ctx,
+ const char *uri,
struct pam_data *pd);
errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
struct cert_auth_info **cert_list);
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 6e37f83..a22afd2 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1306,6 +1306,7 @@ static errno_t check_cert(TALLOC_CTX *mctx,
char *cert_verification_opts;
errno_t ret;
struct tevent_req *req;
+ char *uri = NULL;
ret = confdb_get_int(pctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY,
CONFDB_PAM_P11_CHILD_TIMEOUT,
@@ -1342,10 +1343,19 @@ static errno_t check_cert(TALLOC_CTX *mctx,
return ret;
}
+ ret = confdb_get_string(pctx->rctx->cdb, mctx, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_P11_URI, NULL, &uri);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to read certificate_verification from confdb: [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
req = pam_check_cert_send(mctx, ev, pctx->p11_child_debug_fd,
pctx->nss_db, p11_child_timeout,
cert_verification_opts, pctx->sss_certmap_ctx,
- pd);
+ uri, pd);
if (req == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "pam_check_cert_send failed.\n");
return ENOMEM;
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index 8b8859d..491bd2b 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -711,6 +711,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
time_t timeout,
const char *verify_opts,
struct sss_certmap_ctx *sss_certmap_ctx,
+ const char *uri,
struct pam_data *pd)
{
errno_t ret;
@@ -721,7 +722,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
struct timeval tv;
int pipefd_to_child[2] = PIPE_INIT;
int pipefd_from_child[2] = PIPE_INIT;
- const char *extra_args[14] = { NULL };
+ const char *extra_args[16] = { NULL };
uint8_t *write_buf = NULL;
size_t write_buf_len = 0;
size_t arg_c;
@@ -748,6 +749,12 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
/* extra_args are added in revers order */
arg_c = 0;
+ if (uri != NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "Adding PKCS#11 URI [%s].\n", uri);
+ extra_args[arg_c++] = uri;
+ extra_args[arg_c++] = "--uri";
+ }
+
if ((pd->cli_flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) && pd->priv == 1) {
extra_args[arg_c++] = "--wait_for_card";
}
--
2.9.5