diff --git a/0013-pam-fix-storing-auth-types-for-offline-auth.patch b/0013-pam-fix-storing-auth-types-for-offline-auth.patch
new file mode 100644
index 0000000..e9220d5
--- /dev/null
+++ b/0013-pam-fix-storing-auth-types-for-offline-auth.patch
@@ -0,0 +1,57 @@
+From 163db8465e815984abac0ba9af097589045791da Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Fri, 22 Mar 2024 19:53:29 +0100
+Subject: [PATCH] pam: fix storing auth types for offline auth
+
+Before the recent patches which allow krb5_child to iterate over all
+available authentication methods typically only one method was returned.
+E.g. is Smartcard authentication (pkinit) was possible it was typically
+the first method the in question list and the result of the
+answer_pkinit() function was immediately returned. As a result only the
+Smartcard authentication type was set and a missing password
+authentication type while others were present might have been a
+reasonable indicator for the online state.
+
+With the recent patches, all available methods, including password
+authentication if available, are return and a new indicator is needed.
+---
+ src/responder/pam/pamsrv.h | 1 +
+ src/responder/pam/pamsrv_cmd.c | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
+index 618836189..2aa14ae02 100644
+--- a/src/responder/pam/pamsrv.h
++++ b/src/responder/pam/pamsrv.h
+@@ -114,6 +114,7 @@ struct pam_resp_auth_type {
+ bool otp_auth;
+ bool cert_auth;
+ bool passkey_auth;
++ bool backend_returned_no_auth_type;
+ };
+
+ struct sss_cmd_table *get_pam_cmds(void);
+diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
+index 13ba13131..94895d48e 100644
+--- a/src/responder/pam/pamsrv_cmd.c
++++ b/src/responder/pam/pamsrv_cmd.c
+@@ -915,6 +915,7 @@ errno_t pam_get_auth_types(struct pam_data *pd,
+ /* If the backend cannot determine which authentication types are
+ * available the default would be to prompt for a password. 
*/
+ types.password_auth = true;
++ types.backend_returned_no_auth_type = true;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL, "Authentication types for user [%s] and service "
+@@ -1002,7 +1003,7 @@ static errno_t pam_eval_local_auth_policy(TALLOC_CTX *mem_ctx,
+ }
+
+ /* Store the local auth types, in case we go offline */
+- if (!auth_types.password_auth) {
++ if (!auth_types.backend_returned_no_auth_type) {
+ ret = set_local_auth_type(preq, sc_allow, passkey_allow);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+--
+2.42.0
+
diff --git a/sssd.spec b/sssd.spec
index c420a5c..3952e17 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -27,7 +27,7 @@
 Name: sssd
 Version: 2.9.4
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: System Security Services Daemon
 License: GPLv3+
 URL: https://github.com/SSSD/sssd/
@@ -46,6 +46,7 @@ Patch0009: 0009-krb5-add-OTP-to-krb5-response-selection.patch
 Patch0010: 0010-krb5-make-sure-answer_pkinit-use-matching-debug-mess.patch
 Patch0011: 0011-krb5-make-prompter-and-pre-auth-debug-message-less-i.patch
 Patch0012: 0012-pam_sss-prefer-Smartcard-authentication.patch
+Patch0013: 0013-pam-fix-storing-auth-types-for-offline-auth.patch
 ### Dependencies ###
@@ -1095,6 +1096,9 @@ fi
 %systemd_postun_with_restart sssd.service
 %changelog
+* Mon Mar 25 2024 Alexey Tikhonov - 2.9.4-5
+- Resolves: RHEL-28161 - Passkey cannot fall back to password
+
 * Thu Mar 21 2024 Alexey Tikhonov - 2.9.4-4
 - Resolves: RHEL-28161 - Passkey cannot fall back to password
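Review bot: The new `backend_returned_no_auth_type` flag is set only in the fallback branch of pam_get_auth_types, so its value on the normal path (backend did return types) depends entirely on how `types` is declared, and that declaration lies outside the hunk; if it is not zero-initialized (`struct pam_resp_auth_type types = {0};`), the field is indeterminate there and the negated check in pam_eval_local_auth_policy will call or skip set_local_auth_type() unpredictably, which decides what offline authentication later accepts. Both pam_get_auth_types and pam_eval_local_auth_policy start and end outside the hunk. The new member in pamsrv.h also deserves a one-line comment, e.g. `bool backend_returned_no_auth_type; /* backend gave no auth types; password_auth was defaulted */`, since a reader of the check in pamsrv_cmd.c cannot otherwise tell that it means the other flags are a guess rather than a backend answer.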