c0971b7e39
- Resolves: upstream#3821 - crash related to sbus_router_destructor() - Resolves: upstream#3810 - sbus2: fix memory leak in sbus_message_bound_ref - Resolves: upstream#3819 - sssd only sets the SELinux login context if it differs from the default - Resolves: upstream#3807 - The sbus codegen script relies on "python" which might not be available on all distributions - Resolves: upstream#3820 - sudo: search with lower cased name for case insensitive domains - Resolves: upstream#3701 - [RFE] Allow changing default behavior of SSSD from an allow-any default to a deny-any default when it can't find any GPOs to apply to a user login. - Resolves: upstream#3828 - Invalid domain provider causes SSSD to abort startup - Resolves: upstream#3500 - Make sure sssd is a replacement for pam_pkcs11 also for local account authentication - Resolves: upstream#3812 - sssd 2.0.0 segfaults on startup - Resolves: upstream#3826 - Remove references of sss_user/group/add/del commands in man pages since local provider is deprecated - Resolves: upstream#3827 - SSSD should log to syslog if a domain is not started due to a misconfiguration - Resolves: upstream#3830 - Printing incorrect information about domain with sssctl utility - Resolves: upstream#3489 - p11_child should work wit openssl1.0+ - Resolves: upstream#3750 - [RFE] man 5 sssd-files should mention necessary changes in nsswitch.conf - Resovles: upstream#3650 - RFE: Require smartcard authentication - Resolves: upstream#3334 - sssctl config-check does not check any special characters in domain name of domain section - Resolves: upstream#3849 - Files: The files provider always enumerates which causes duplicate when running getent passwd - Related: upstream#3855 - session not recording for local user when groups defined - Resolves: upstream#3802 - Reuse sysdb_error_to_errno() outside sysdb - Related: upstream#3493 - Remove the pysss.local interface
371 lines
14 KiB
Diff
371 lines
14 KiB
Diff
From 49be8974b490c368d349752f3196af0c9ed28dd5 Mon Sep 17 00:00:00 2001
|
|
From: Sumit Bose <sbose@redhat.com>
|
|
Date: Tue, 18 Sep 2018 09:53:37 +0200
|
|
Subject: [PATCH 63/83] pam_sss: add option require_cert_auth
|
|
|
|
With this new option pam_sss will wait until a Smartcard is available
|
|
and then try to authenticate with the help of the Smartcard.
|
|
|
|
Related https://pagure.io/SSSD/sssd/issue/3650
|
|
|
|
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
---
|
|
src/man/pam_sss.8.xml | 25 ++++++++++++
|
|
src/responder/pam/pamsrv_cmd.c | 12 ++++++
|
|
src/responder/pam/pamsrv_p11.c | 5 ++-
|
|
src/sss_client/pam_message.c | 4 ++
|
|
src/sss_client/pam_message.h | 1 +
|
|
src/sss_client/pam_sss.c | 90 ++++++++++++++++++++++++++----------------
|
|
src/sss_client/sss_cli.h | 2 +
|
|
src/util/sss_pam_data.c | 1 +
|
|
src/util/sss_pam_data.h | 1 +
|
|
9 files changed, 106 insertions(+), 35 deletions(-)
|
|
|
|
diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml
|
|
index ca2e8e2..9998519 100644
|
|
--- a/src/man/pam_sss.8.xml
|
|
+++ b/src/man/pam_sss.8.xml
|
|
@@ -53,6 +53,9 @@
|
|
<arg choice='opt'>
|
|
<replaceable>try_cert_auth</replaceable>
|
|
</arg>
|
|
+ <arg choice='opt'>
|
|
+ <replaceable>require_cert_auth</replaceable>
|
|
+ </arg>
|
|
</cmdsynopsis>
|
|
</refsynopsisdiv>
|
|
|
|
@@ -223,6 +226,28 @@ auth sufficient pam_sss.so allow_missing_name
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
+ <varlistentry>
|
|
+ <term>
|
|
+ <option>require_cert_auth</option>
|
|
+ </term>
|
|
+ <listitem>
|
|
+ <para>
|
|
+ Do certificate based authentication, i.e.
|
|
+ authentication with a Smartcard or similar devices. If a
|
|
+ Smartcard is not available the user will be prompted to
|
|
+ insert one. SSSD will wait for a Smartcard until the
|
|
+ timeout defined by p11_wait_for_card_timeout passed,
|
|
+ please see
|
|
+ <citerefentry><refentrytitle>sssd.conf</refentrytitle>
|
|
+ <manvolnum>5</manvolnum></citerefentry> for details.
|
|
+ </para>
|
|
+ <para>
|
|
+ If no Smartcard is available after the timeout or
|
|
+ certificate based authentication is not allowed for the
|
|
+ current service PAM_AUTHINFO_UNAVAIL is returned.
|
|
+ </para>
|
|
+ </listitem>
|
|
+ </varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
|
index c8df32d..6e37f83 100644
|
|
--- a/src/responder/pam/pamsrv_cmd.c
|
|
+++ b/src/responder/pam/pamsrv_cmd.c
|
|
@@ -317,6 +317,11 @@ static int pam_parse_in_data_v2(struct pam_data *pd,
|
|
size, body, blen, &c);
|
|
if (ret != EOK) return ret;
|
|
break;
|
|
+ case SSS_PAM_ITEM_FLAGS:
|
|
+ ret = extract_uint32_t(&pd->cli_flags, size,
|
|
+ body, blen, &c);
|
|
+ if (ret != EOK) return ret;
|
|
+ break;
|
|
default:
|
|
DEBUG(SSSDBG_CRIT_FAILURE,
|
|
"Ignoring unknown data type [%d].\n", type);
|
|
@@ -1447,6 +1452,13 @@ static void pam_forwarder_cert_cb(struct tevent_req *req)
|
|
"No certificate found and no logon name given, " \
|
|
"authentication not possible.\n");
|
|
ret = ENOENT;
|
|
+ } else if (pd->cli_flags & PAM_CLI_FLAGS_TRY_CERT_AUTH) {
|
|
+ DEBUG(SSSDBG_TRACE_ALL,
|
|
+ "try_cert_auth flag set but no certificate available, "
|
|
+ "request finished.\n");
|
|
+ preq->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
|
|
+ pam_reply(preq);
|
|
+ return;
|
|
} else {
|
|
if (pd->cmd == SSS_PAM_AUTHENTICATE) {
|
|
DEBUG(SSSDBG_CRIT_FAILURE,
|
|
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
|
|
index ffa6787..8b8859d 100644
|
|
--- a/src/responder/pam/pamsrv_p11.c
|
|
+++ b/src/responder/pam/pamsrv_p11.c
|
|
@@ -721,7 +721,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
|
|
struct timeval tv;
|
|
int pipefd_to_child[2] = PIPE_INIT;
|
|
int pipefd_from_child[2] = PIPE_INIT;
|
|
- const char *extra_args[13] = { NULL };
|
|
+ const char *extra_args[14] = { NULL };
|
|
uint8_t *write_buf = NULL;
|
|
size_t write_buf_len = 0;
|
|
size_t arg_c;
|
|
@@ -748,6 +748,9 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
|
|
|
|
/* extra_args are added in revers order */
|
|
arg_c = 0;
|
|
+ if ((pd->cli_flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) && pd->priv == 1) {
|
|
+ extra_args[arg_c++] = "--wait_for_card";
|
|
+ }
|
|
extra_args[arg_c++] = nss_db;
|
|
extra_args[arg_c++] = "--nssdb";
|
|
if (verify_opts != NULL) {
|
|
diff --git a/src/sss_client/pam_message.c b/src/sss_client/pam_message.c
|
|
index b239f6f..036ae2a 100644
|
|
--- a/src/sss_client/pam_message.c
|
|
+++ b/src/sss_client/pam_message.c
|
|
@@ -126,6 +126,7 @@ int pack_message_v3(struct pam_items *pi, size_t *size, uint8_t **buffer)
|
|
len += 3*sizeof(uint32_t); /* cli_pid */
|
|
len += *pi->requested_domains != '\0' ?
|
|
2*sizeof(uint32_t) + pi->requested_domains_size : 0;
|
|
+ len += 3*sizeof(uint32_t); /* flags */
|
|
|
|
buf = malloc(len);
|
|
if (buf == NULL) {
|
|
@@ -164,6 +165,9 @@ int pack_message_v3(struct pam_items *pi, size_t *size, uint8_t **buffer)
|
|
pi->pam_newauthtok, pi->pam_newauthtok_size,
|
|
&buf[rp]);
|
|
|
|
+ rp += add_uint32_t_item(SSS_PAM_ITEM_FLAGS, (uint32_t) pi->flags,
|
|
+ &buf[rp]);
|
|
+
|
|
SAFEALIGN_SETMEM_UINT32(buf + rp, SSS_END_OF_PAM_REQUEST, &rp);
|
|
|
|
if (rp != len) {
|
|
diff --git a/src/sss_client/pam_message.h b/src/sss_client/pam_message.h
|
|
index 11526a8..50fedcd 100644
|
|
--- a/src/sss_client/pam_message.h
|
|
+++ b/src/sss_client/pam_message.h
|
|
@@ -51,6 +51,7 @@ struct pam_items {
|
|
enum sss_authtok_type pam_newauthtok_type;
|
|
size_t pam_newauthtok_size;
|
|
pid_t cli_pid;
|
|
+ uint32_t flags;
|
|
const char *login_name;
|
|
char *domain_name;
|
|
const char *requested_domains;
|
|
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
|
|
index 96ff15a..b4c1036 100644
|
|
--- a/src/sss_client/pam_sss.c
|
|
+++ b/src/sss_client/pam_sss.c
|
|
@@ -134,6 +134,7 @@ static void free_cai(struct cert_auth_info *cai)
|
|
free(cai->cert_user);
|
|
free(cai->cert);
|
|
free(cai->token_name);
|
|
+ free(cai->module_name);
|
|
free(cai->key_id);
|
|
free(cai->prompt_str);
|
|
free(cai);
|
|
@@ -1247,6 +1248,8 @@ static int get_pam_items(pam_handle_t *pamh, uint32_t flags,
|
|
pi->cert_list = NULL;
|
|
pi->selected_cert = NULL;
|
|
|
|
+ pi->flags = flags;
|
|
+
|
|
return PAM_SUCCESS;
|
|
}
|
|
|
|
@@ -1267,6 +1270,7 @@ static void print_pam_items(struct pam_items *pi)
|
|
D(("Newauthtok: %s", CHECK_AND_RETURN_PI_STRING(pi->pam_newauthtok)));
|
|
D(("Cli_PID: %d", pi->cli_pid));
|
|
D(("Requested domains: %s", pi->requested_domains));
|
|
+ D(("Flags: %d", pi->flags));
|
|
}
|
|
|
|
static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
|
|
@@ -1999,6 +2003,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
|
|
*flags |= PAM_CLI_FLAGS_PROMPT_ALWAYS;
|
|
} else if (strcmp(*argv, "try_cert_auth") == 0) {
|
|
*flags |= PAM_CLI_FLAGS_TRY_CERT_AUTH;
|
|
+ } else if (strcmp(*argv, "require_cert_auth") == 0) {
|
|
+ *flags |= PAM_CLI_FLAGS_REQUIRE_CERT_AUTH;
|
|
} else {
|
|
logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
|
|
}
|
|
@@ -2274,55 +2280,51 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
|
|
return PAM_SUCCESS;
|
|
}
|
|
|
|
-#define SC_ENTER_FMT "Please enter smart card labeled\n %s\nand press enter"
|
|
+#define SC_ENTER_LABEL_FMT "Please enter smart card labeled\n %s"
|
|
+#define SC_ENTER_FMT "Please enter smart card"
|
|
|
|
static int check_login_token_name(pam_handle_t *pamh, struct pam_items *pi,
|
|
- bool quiet_mode)
|
|
+ int retries, bool quiet_mode)
|
|
{
|
|
int ret;
|
|
int pam_status;
|
|
char *login_token_name;
|
|
char *prompt = NULL;
|
|
- size_t size;
|
|
- char *answer = NULL;
|
|
- /* TODO: check multiple cert case */
|
|
- struct cert_auth_info *cai = pi->cert_list;
|
|
+ uint32_t orig_flags = pi->flags;
|
|
|
|
- if (cai == NULL) {
|
|
- D(("No certificate information available"));
|
|
- return EINVAL;
|
|
+ login_token_name = getenv("PKCS11_LOGIN_TOKEN_NAME");
|
|
+ if (login_token_name == NULL
|
|
+ && !(pi->flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH)) {
|
|
+ return PAM_SUCCESS;
|
|
}
|
|
|
|
- login_token_name = getenv("PKCS11_LOGIN_TOKEN_NAME");
|
|
if (login_token_name == NULL) {
|
|
- return PAM_SUCCESS;
|
|
+ ret = asprintf(&prompt, SC_ENTER_FMT);
|
|
+ } else {
|
|
+ ret = asprintf(&prompt, SC_ENTER_LABEL_FMT, login_token_name);
|
|
+ }
|
|
+ if (ret == -1) {
|
|
+ return ENOMEM;
|
|
}
|
|
|
|
- while (cai->token_name == NULL
|
|
- || strcmp(login_token_name, cai->token_name) != 0) {
|
|
- size = sizeof(SC_ENTER_FMT) + strlen(login_token_name);
|
|
- prompt = malloc(size);
|
|
- if (prompt == NULL) {
|
|
- D(("malloc failed."));
|
|
- return ENOMEM;
|
|
- }
|
|
+ pi->flags |= PAM_CLI_FLAGS_REQUIRE_CERT_AUTH;
|
|
|
|
- ret = snprintf(prompt, size, SC_ENTER_FMT,
|
|
- login_token_name);
|
|
- if (ret < 0 || ret >= size) {
|
|
- D(("snprintf failed."));
|
|
- free(prompt);
|
|
- return EFAULT;
|
|
+ /* TODO: check multiple cert case */
|
|
+ while (pi->cert_list == NULL || pi->cert_list->token_name == NULL
|
|
+ || (login_token_name != NULL
|
|
+ && strcmp(login_token_name,
|
|
+ pi->cert_list->token_name) != 0)) {
|
|
+
|
|
+ if (retries < 0) {
|
|
+ ret = PAM_AUTHINFO_UNAVAIL;
|
|
+ goto done;
|
|
}
|
|
+ retries--;
|
|
|
|
- ret = do_pam_conversation(pamh, PAM_PROMPT_ECHO_OFF, prompt,
|
|
- NULL, &answer);
|
|
- free(prompt);
|
|
+ ret = do_pam_conversation(pamh, PAM_TEXT_INFO, prompt, NULL, NULL);
|
|
if (ret != PAM_SUCCESS) {
|
|
D(("do_pam_conversation failed."));
|
|
- return ret;
|
|
- } else {
|
|
- free(answer);
|
|
+ goto done;
|
|
}
|
|
|
|
pam_status = send_and_receive(pamh, pi, SSS_PAM_PREAUTH, quiet_mode);
|
|
@@ -2335,7 +2337,14 @@ static int check_login_token_name(pam_handle_t *pamh, struct pam_items *pi,
|
|
}
|
|
}
|
|
|
|
- return PAM_SUCCESS;
|
|
+ ret = PAM_SUCCESS;
|
|
+
|
|
+done:
|
|
+
|
|
+ pi->flags = orig_flags;
|
|
+ free(prompt);
|
|
+
|
|
+ return ret;
|
|
}
|
|
|
|
static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
|
@@ -2394,8 +2403,19 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
|
&& (pi.pam_authtok == NULL
|
|
|| (flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))
|
|
&& access(PAM_PREAUTH_INDICATOR, F_OK) == 0) {
|
|
+
|
|
+ if (flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) {
|
|
+ /* Do not use PAM_CLI_FLAGS_REQUIRE_CERT_AUTH in the first
|
|
+ * SSS_PAM_PREAUTH run. In case a card is already inserted
|
|
+ * we do not have to prompt to insert a card. */
|
|
+ pi.flags &= ~PAM_CLI_FLAGS_REQUIRE_CERT_AUTH;
|
|
+ pi.flags |= PAM_CLI_FLAGS_TRY_CERT_AUTH;
|
|
+ }
|
|
+
|
|
pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH,
|
|
quiet_mode);
|
|
+
|
|
+ pi.flags = flags;
|
|
if (pam_status != PAM_SUCCESS) {
|
|
D(("send_and_receive returned [%d] during pre-auth",
|
|
pam_status));
|
|
@@ -2414,8 +2434,10 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
|
return PAM_AUTHINFO_UNAVAIL;
|
|
}
|
|
|
|
- if (strcmp(pi.pam_service, "gdm-smartcard") == 0) {
|
|
- ret = check_login_token_name(pamh, &pi, quiet_mode);
|
|
+ if (strcmp(pi.pam_service, "gdm-smartcard") == 0
|
|
+ || (flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH)) {
|
|
+ ret = check_login_token_name(pamh, &pi, retries,
|
|
+ quiet_mode);
|
|
if (ret != PAM_SUCCESS) {
|
|
D(("check_login_token_name failed.\n"));
|
|
return ret;
|
|
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
|
|
index 38e3f99..af8a439 100644
|
|
--- a/src/sss_client/sss_cli.h
|
|
+++ b/src/sss_client/sss_cli.h
|
|
@@ -363,6 +363,7 @@ enum pam_item_type {
|
|
SSS_PAM_ITEM_CLI_LOCALE,
|
|
SSS_PAM_ITEM_CLI_PID,
|
|
SSS_PAM_ITEM_REQUESTED_DOMAINS,
|
|
+ SSS_PAM_ITEM_FLAGS,
|
|
};
|
|
|
|
#define PAM_CLI_FLAGS_USE_FIRST_PASS (1 << 0)
|
|
@@ -374,6 +375,7 @@ enum pam_item_type {
|
|
#define PAM_CLI_FLAGS_ALLOW_MISSING_NAME (1 << 6)
|
|
#define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7)
|
|
#define PAM_CLI_FLAGS_TRY_CERT_AUTH (1 << 8)
|
|
+#define PAM_CLI_FLAGS_REQUIRE_CERT_AUTH (1 << 9)
|
|
|
|
#define SSS_NSS_MAX_ENTRIES 256
|
|
#define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4)
|
|
diff --git a/src/util/sss_pam_data.c b/src/util/sss_pam_data.c
|
|
index 5e41349..cb8779c 100644
|
|
--- a/src/util/sss_pam_data.c
|
|
+++ b/src/util/sss_pam_data.c
|
|
@@ -176,6 +176,7 @@ void pam_print_data(int l, struct pam_data *pd)
|
|
DEBUG(l, "priv: %d\n", pd->priv);
|
|
DEBUG(l, "cli_pid: %d\n", pd->cli_pid);
|
|
DEBUG(l, "logon name: %s\n", PAM_SAFE_ITEM(pd->logon_name));
|
|
+ DEBUG(l, "flags: %d\n", pd->cli_flags);
|
|
}
|
|
|
|
int pam_add_response(struct pam_data *pd, enum response_type type,
|
|
diff --git a/src/util/sss_pam_data.h b/src/util/sss_pam_data.h
|
|
index 7d74fa6..c989810 100644
|
|
--- a/src/util/sss_pam_data.h
|
|
+++ b/src/util/sss_pam_data.h
|
|
@@ -58,6 +58,7 @@ struct pam_data {
|
|
struct sss_auth_token *newauthtok;
|
|
uint32_t cli_pid;
|
|
char *logon_name;
|
|
+ uint32_t cli_flags;
|
|
|
|
int pam_status;
|
|
int response_delay;
|
|
--
|
|
2.9.5
|
|
|