sssd/SOURCES/0012-pam_sss-prefer-Smartcard-authentication.patch

From d06b4a3eda612d1a54b6bdb3c3b779543bc23b0f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 20 Mar 2024 11:26:16 +0100
Subject: [PATCH 12/12] pam_sss: prefer Smartcard authentication
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The current behavior is that Smartcard authentication is preferred if
possible, i.e. if a Smartcard is present. Since the Smartcard (or
equivalent) must be inserted manually the assumption is that if the user
has inserted it they most probably want to use it for authentication.

With the latest patches pam_sss might receive multiple available
authentication methods. With this patch the checks for available
authentication types start Smartcard authentication to mimic the
existing behavior.

Resolves: https://github.com/SSSD/sssd/issues/7152

Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
(cherry picked from commit 0d5e8f11714e8e6cc0ad28e03fecf0f5732528b3)
---
 src/sss_client/pam_sss.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index a1c353604..41a528dda 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -2544,17 +2544,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
         } else if (pi->pc != NULL) {
             ret = prompt_by_config(pamh, pi);
         } else {
-            if (flags & PAM_CLI_FLAGS_USE_2FA
-                    || (pi->otp_vendor != NULL && pi->otp_token_id != NULL
-                            && pi->otp_challenge != NULL)) {
-                if (pi->password_prompting) {
-                    ret = prompt_2fa(pamh, pi, _("First Factor: "),
-                                     _("Second Factor (optional): "));
-                } else {
-                    ret = prompt_2fa(pamh, pi, _("First Factor: "),
-                                     _("Second Factor: "));
-                }
-            } else if (pi->cert_list != NULL) {
+            if (pi->cert_list != NULL) {
                 if (pi->cert_list->next == NULL) {
                     /* Only one certificate */
                     pi->selected_cert = pi->cert_list;
@@ -2570,6 +2560,16 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
                     || (pi->flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH)) {
                /* Use pin prompt as fallback for gdm-smartcard */
                 ret = prompt_sc_pin(pamh, pi);
+            } else if (flags & PAM_CLI_FLAGS_USE_2FA
+                    || (pi->otp_vendor != NULL && pi->otp_token_id != NULL
+                            && pi->otp_challenge != NULL)) {
+                if (pi->password_prompting) {
+                    ret = prompt_2fa(pamh, pi, _("First Factor: "),
+                                     _("Second Factor (optional): "));
+                } else {
+                    ret = prompt_2fa(pamh, pi, _("First Factor: "),
+                                     _("Second Factor: "));
+                }
             } else if (pi->passkey_prompt_pin) {
                 ret = prompt_passkey(pamh, pi,
                                      _("Insert your passkey device, then press ENTER."),
-- 
2.42.0