c0971b7e39
- Resolves: upstream#3821 - crash related to sbus_router_destructor() - Resolves: upstream#3810 - sbus2: fix memory leak in sbus_message_bound_ref - Resolves: upstream#3819 - sssd only sets the SELinux login context if it differs from the default - Resolves: upstream#3807 - The sbus codegen script relies on "python" which might not be available on all distributions - Resolves: upstream#3820 - sudo: search with lower cased name for case insensitive domains - Resolves: upstream#3701 - [RFE] Allow changing default behavior of SSSD from an allow-any default to a deny-any default when it can't find any GPOs to apply to a user login. - Resolves: upstream#3828 - Invalid domain provider causes SSSD to abort startup - Resolves: upstream#3500 - Make sure sssd is a replacement for pam_pkcs11 also for local account authentication - Resolves: upstream#3812 - sssd 2.0.0 segfaults on startup - Resolves: upstream#3826 - Remove references of sss_user/group/add/del commands in man pages since local provider is deprecated - Resolves: upstream#3827 - SSSD should log to syslog if a domain is not started due to a misconfiguration - Resolves: upstream#3830 - Printing incorrect information about domain with sssctl utility - Resolves: upstream#3489 - p11_child should work wit openssl1.0+ - Resolves: upstream#3750 - [RFE] man 5 sssd-files should mention necessary changes in nsswitch.conf - Resovles: upstream#3650 - RFE: Require smartcard authentication - Resolves: upstream#3334 - sssctl config-check does not check any special characters in domain name of domain section - Resolves: upstream#3849 - Files: The files provider always enumerates which causes duplicate when running getent passwd - Related: upstream#3855 - session not recording for local user when groups defined - Resolves: upstream#3802 - Reuse sysdb_error_to_errno() outside sysdb - Related: upstream#3493 - Remove the pysss.local interface
101 lines
3.8 KiB
Diff
101 lines
3.8 KiB
Diff
From d3a18f06162b9585d2db936472b75fdbff37162d Mon Sep 17 00:00:00 2001
|
|
From: Sumit Bose <sbose@redhat.com>
|
|
Date: Mon, 17 Sep 2018 17:54:26 +0200
|
|
Subject: [PATCH 62/83] pam_sss: add try_cert_auth option
|
|
|
|
With this new option pam_sss can be configured to only do Smartcard
|
|
authentication or return an error if this is not possible.
|
|
|
|
Related to https://pagure.io/SSSD/sssd/issue/3650
|
|
|
|
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
---
|
|
src/man/pam_sss.8.xml | 23 +++++++++++++++++++++++
|
|
src/sss_client/pam_sss.c | 9 +++++++++
|
|
src/sss_client/sss_cli.h | 1 +
|
|
3 files changed, 33 insertions(+)
|
|
|
|
diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml
|
|
index d8e6a20..ca2e8e2 100644
|
|
--- a/src/man/pam_sss.8.xml
|
|
+++ b/src/man/pam_sss.8.xml
|
|
@@ -50,6 +50,9 @@
|
|
<arg choice='opt'>
|
|
<replaceable>prompt_always</replaceable>
|
|
</arg>
|
|
+ <arg choice='opt'>
|
|
+ <replaceable>try_cert_auth</replaceable>
|
|
+ </arg>
|
|
</cmdsynopsis>
|
|
</refsynopsisdiv>
|
|
|
|
@@ -200,6 +203,26 @@ auth sufficient pam_sss.so allow_missing_name
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
+ <varlistentry>
|
|
+ <term>
|
|
+ <option>try_cert_auth</option>
|
|
+ </term>
|
|
+ <listitem>
|
|
+ <para>
|
|
+ Try to use certificate based authentication, i.e.
|
|
+ authentication with a Smartcard or similar devices. If a
|
|
+ Smartcard is available and the service is allowed for
|
|
+ Smartcard authentication the use will be prompted for a
|
|
+ PIN and the certificate based authentication will
|
|
+ continue
|
|
+ </para>
|
|
+ <para>
|
|
+ If no Smartcard is available or certificate based
|
|
+ authentication is not allowed for the current service
|
|
+ PAM_AUTHINFO_UNAVAIL is returned.
|
|
+ </para>
|
|
+ </listitem>
|
|
+ </varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
|
|
index b336d1f..96ff15a 100644
|
|
--- a/src/sss_client/pam_sss.c
|
|
+++ b/src/sss_client/pam_sss.c
|
|
@@ -1997,6 +1997,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
|
|
*flags |= PAM_CLI_FLAGS_ALLOW_MISSING_NAME;
|
|
} else if (strcmp(*argv, "prompt_always") == 0) {
|
|
*flags |= PAM_CLI_FLAGS_PROMPT_ALWAYS;
|
|
+ } else if (strcmp(*argv, "try_cert_auth") == 0) {
|
|
+ *flags |= PAM_CLI_FLAGS_TRY_CERT_AUTH;
|
|
} else {
|
|
logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
|
|
}
|
|
@@ -2405,6 +2407,13 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
|
}
|
|
}
|
|
|
|
+ if (flags & PAM_CLI_FLAGS_TRY_CERT_AUTH
|
|
+ && pi.cert_list == NULL) {
|
|
+ D(("No certificates for authentication available."));
|
|
+ overwrite_and_free_pam_items(&pi);
|
|
+ return PAM_AUTHINFO_UNAVAIL;
|
|
+ }
|
|
+
|
|
if (strcmp(pi.pam_service, "gdm-smartcard") == 0) {
|
|
ret = check_login_token_name(pamh, &pi, quiet_mode);
|
|
if (ret != PAM_SUCCESS) {
|
|
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
|
|
index 3404715..38e3f99 100644
|
|
--- a/src/sss_client/sss_cli.h
|
|
+++ b/src/sss_client/sss_cli.h
|
|
@@ -373,6 +373,7 @@ enum pam_item_type {
|
|
#define PAM_CLI_FLAGS_USE_2FA (1 << 5)
|
|
#define PAM_CLI_FLAGS_ALLOW_MISSING_NAME (1 << 6)
|
|
#define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7)
|
|
+#define PAM_CLI_FLAGS_TRY_CERT_AUTH (1 << 8)
|
|
|
|
#define SSS_NSS_MAX_ENTRIES 256
|
|
#define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4)
|
|
--
|
|
2.9.5
|
|
|