rpms
/
sssd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
sssd/0003-krb5-return-to-respond...

61 lines
2.6 KiB
Diff
Raw Blame History

From 1c551b1373799643f3e9ba4f696d21b8fc57dafd Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 16 Mar 2017 20:43:08 +0100
Subject: [PATCH] krb5: return to responder that pkinit is not available
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If pkinit is not available for a user but other authentication methods
are SSSD should still fall back to local certificate based
authentication if Smartcard credentials are provided.
Resolves https://pagure.io/SSSD/sssd/issue/3343
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/providers/krb5/krb5_child.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 777a25f2a0ea434dde12d2396f6a35c2a1b86cd0..a4128dda6b0861a95dba223047d66c4158b1afb6 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -42,6 +42,10 @@
#define SSSD_KRB5_CHANGEPW_PRINCIPAL "kadmin/changepw"
+#define IS_SC_AUTHTOK(tok) ( \
+ sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_PIN \
+ || sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_KEYPAD)
+
enum k5c_fast_opt {
K5C_FAST_NEVER,
K5C_FAST_TRY,
@@ -1529,12 +1533,17 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
* pre-auth module is missing or no Smartcard is inserted and only
* pkinit is available KRB5_PREAUTH_FAILED is returned.
* ERR_NO_AUTH_METHOD_AVAILABLE is used to indicate to the
- * frontend that local authentication might be tried. */
+ * frontend that local authentication might be tried.
+ * Same is true if Smartcard credentials are given but only other
+ * authentication methods are available. */
if (kr->pd->cmd == SSS_PAM_AUTHENTICATE
&& kerr == KRB5_PREAUTH_FAILED
- && kr->password_prompting == false
- && kr->otp == false
- && kr->pkinit_prompting == false) {
+ && kr->pkinit_prompting == false
+ && (( kr->password_prompting == false
+ && kr->otp == false)
+ || ((kr->otp == true
+ || kr->password_prompting == true)
+ && IS_SC_AUTHTOK(kr->pd->authtok))) ) {
return ERR_NO_AUTH_METHOD_AVAILABLE;
}
return kerr;
--
2.12.2
Reference in New Issue View Git Blame Copy Permalink