From d06b4a3eda612d1a54b6bdb3c3b779543bc23b0f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 20 Mar 2024 11:26:16 +0100
Subject: [PATCH 12/12] pam_sss: prefer Smartcard authentication
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The current behavior is that Smartcard authentication is preferred if
possible, i.e. if a Smartcard is present. Since the Smartcard (or
equivalent) must be inserted manually the assumption is that if the user
has inserted it they most probably want to use it for authentication.
With the latest patches pam_sss might receive multiple available
authentication methods. With this patch the checks for available
authentication types start with Smartcard authentication to mimic the
existing behavior.
Resolves: https://github.com/SSSD/sssd/issues/7152
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
(cherry picked from commit 0d5e8f11714e8e6cc0ad28e03fecf0f5732528b3)
---
src/sss_client/pam_sss.c | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index a1c353604..41a528dda 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -2544,17 +2544,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
} else if (pi->pc != NULL) {
ret = prompt_by_config(pamh, pi);
} else {
- if (flags & PAM_CLI_FLAGS_USE_2FA
- || (pi->otp_vendor != NULL && pi->otp_token_id != NULL
- && pi->otp_challenge != NULL)) {
- if (pi->password_prompting) {
- ret = prompt_2fa(pamh, pi, _("First Factor: "),
- _("Second Factor (optional): "));
- } else {
- ret = prompt_2fa(pamh, pi, _("First Factor: "),
- _("Second Factor: "));
- }
- } else if (pi->cert_list != NULL) {
+ if (pi->cert_list != NULL) {
if (pi->cert_list->next == NULL) {
/* Only one certificate */
pi->selected_cert = pi->cert_list;
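Review bot: The added `if (pi->cert_list != NULL)` now fixes the precedence between authentication methods — a non-empty certificate list is taken before the 2FA/OTP condition that the removed lines used to test first — but nothing in the code records that this ordering is a deliberate policy rather than an accident of the else-if chain. Suggest a comment directly above the added line: `/* Smartcard first: an inserted card is taken as the user's chosen method; 2FA/OTP and passkey prompts are only offered when no certificate is available. */`. Without it, a later reorder that puts the PAM_CLI_FLAGS_USE_2FA check back in front would read as a harmless cleanup while changing which factor a user is challenged for. The enclosing function get_authtok_for_authentication and the certificate branch continue outside the hunk.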
@@ -2570,6 +2560,16 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
|| (pi->flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH)) {
/* Use pin prompt as fallback for gdm-smartcard */
ret = prompt_sc_pin(pamh, pi);
+ } else if (flags & PAM_CLI_FLAGS_USE_2FA
+ || (pi->otp_vendor != NULL && pi->otp_token_id != NULL
+ && pi->otp_challenge != NULL)) {
+ if (pi->password_prompting) {
+ ret = prompt_2fa(pamh, pi, _("First Factor: "),
+ _("Second Factor (optional): "));
+ } else {
+ ret = prompt_2fa(pamh, pi, _("First Factor: "),
+ _("Second Factor: "));
+ }
} else if (pi->passkey_prompt_pin) {
ret = prompt_passkey(pamh, pi,
_("Insert your passkey device, then press ENTER."),
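Review bot: The moved 2FA condition tests the function's `flags` parameter (`flags & PAM_CLI_FLAGS_USE_2FA`) while the context line two lines above it tests `pi->flags` for PAM_CLI_FLAGS_REQUIRE_CERT_AUTH, and the hunk does not show whether these two flag words carry the same bits; the commit relocates the condition without settling that. If they are distinct sources — presumably module options versus per-request state, which I cannot confirm from here — a short comment at the 2FA check such as `/* flags: module-level options; pi->flags: per-request flags */` would spare the next reader the same question, and if they are the same, using one of them throughout this chain would be cleaner. Note also that after this change an OTP challenge (otp_vendor/otp_token_id/otp_challenge all set) only reaches prompt_2fa when no certificate was found, which is what the commit message asks for. get_authtok_for_authentication continues outside the hunk on both sides.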
--
2.42.0