ea62250f41
Resolves: RHEL-28161 - Passkey cannot fall back to password
207 lines
7.8 KiB
Diff
207 lines
7.8 KiB
Diff
From 8d9ae754b50dffafef719ad3fa44e5dd1dde47b3 Mon Sep 17 00:00:00 2001
|
|
From: Justin Stephenson <jstephen@redhat.com>
|
|
Date: Fri, 1 Mar 2024 14:31:25 -0500
|
|
Subject: [PATCH 7/7] krb5: Add fallback password change support
|
|
|
|
handle password changes for IPA users with multiple auth types set
|
|
(passkey, password)
|
|
|
|
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
|
|
(cherry picked from commit 6c1272edf174eb4bdf236dc1ffd4287b71a43392)
|
|
---
|
|
src/krb5_plugin/passkey/passkey_clpreauth.c | 5 ++
|
|
src/providers/ipa/ipa_auth.c | 13 +++++
|
|
src/providers/krb5/krb5_auth.c | 12 +++++
|
|
src/providers/krb5/krb5_auth.h | 3 ++
|
|
src/providers/krb5/krb5_child.c | 5 ++
|
|
src/providers/krb5/krb5_child_handler.c | 53 +++++++++++++++++++++
|
|
src/responder/pam/pamsrv_cmd.c | 10 ++++
|
|
7 files changed, 101 insertions(+)
|
|
|
|
diff --git a/src/krb5_plugin/passkey/passkey_clpreauth.c b/src/krb5_plugin/passkey/passkey_clpreauth.c
|
|
index d2dfe6fe1..35b6a3fed 100644
|
|
--- a/src/krb5_plugin/passkey/passkey_clpreauth.c
|
|
+++ b/src/krb5_plugin/passkey/passkey_clpreauth.c
|
|
@@ -279,6 +279,11 @@ sss_passkeycl_process(krb5_context context,
|
|
goto done;
|
|
}
|
|
|
|
+ if (prompter == NULL) {
|
|
+ ret = EINVAL;
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
/* Get FAST armor key. */
|
|
as_key = cb->fast_armor(context, rock);
|
|
if (as_key == NULL) {
|
|
diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
|
|
index 1d61a1052..e5e1bf30c 100644
|
|
--- a/src/providers/ipa/ipa_auth.c
|
|
+++ b/src/providers/ipa/ipa_auth.c
|
|
@@ -258,6 +258,19 @@ static void ipa_pam_auth_handler_krb5_done(struct tevent_req *subreq)
|
|
if (dp_err != DP_ERR_OK) {
|
|
goto done;
|
|
}
|
|
+ if (state->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM
|
|
+ && state->pd->pam_status == PAM_TRY_AGAIN) {
|
|
+ /* Reset this to fork a new krb5_child in handle_child_send() */
|
|
+ state->pd->child_pid = 0;
|
|
+ subreq = krb5_auth_queue_send(state, state->ev, state->be_ctx, state->pd,
|
|
+ state->auth_ctx->krb5_auth_ctx);
|
|
+ if (subreq == NULL) {
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
+ tevent_req_set_callback(subreq, ipa_pam_auth_handler_retry_done, req);
|
|
+ return;
|
|
+ }
|
|
|
|
if (state->pd->cmd == SSS_PAM_AUTHENTICATE
|
|
&& state->pd->pam_status == PAM_CRED_ERR
|
|
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
|
|
index be34880b4..e34943b82 100644
|
|
--- a/src/providers/krb5/krb5_auth.c
|
|
+++ b/src/providers/krb5/krb5_auth.c
|
|
@@ -532,6 +532,18 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
|
|
ret = EOK;
|
|
goto done;
|
|
}
|
|
+
|
|
+ /* If krb5_child is still running from SSS_PAM_PREAUTH,
|
|
+ * terminate the waiting krb5_child and send the
|
|
+ * CHAUTHTOK_PRELIM request again */
|
|
+ if (pd->child_pid != 0) {
|
|
+ soft_terminate_krb5_child(state, pd, krb5_ctx);
|
|
+ state->pam_status = PAM_TRY_AGAIN;
|
|
+ state->dp_err = DP_ERR_OK;
|
|
+ ret = EOK;
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
break;
|
|
case SSS_CMD_RENEW:
|
|
if (authtok_type != SSS_AUTHTOK_TYPE_CCFILE) {
|
|
diff --git a/src/providers/krb5/krb5_auth.h b/src/providers/krb5/krb5_auth.h
|
|
index bbdbf61fc..783292bc0 100644
|
|
--- a/src/providers/krb5/krb5_auth.h
|
|
+++ b/src/providers/krb5/krb5_auth.h
|
|
@@ -135,6 +135,9 @@ errno_t init_renew_tgt(struct krb5_ctx *krb5_ctx, struct be_ctx *be_ctx,
|
|
errno_t add_tgt_to_renew_table(struct krb5_ctx *krb5_ctx, const char *ccfile,
|
|
struct tgt_times *tgtt, struct pam_data *pd,
|
|
const char *upn);
|
|
+errno_t soft_terminate_krb5_child(TALLOC_CTX *mem_ctx,
|
|
+ struct pam_data *pd,
|
|
+ struct krb5_ctx *krb5_ctx);
|
|
|
|
/* krb5_access.c */
|
|
struct tevent_req *krb5_access_send(TALLOC_CTX *mem_ctx,
|
|
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
|
|
index 26b0090b4..b8acae7d7 100644
|
|
--- a/src/providers/krb5/krb5_child.c
|
|
+++ b/src/providers/krb5/krb5_child.c
|
|
@@ -1259,6 +1259,11 @@ static krb5_error_code sss_krb5_responder(krb5_context ctx,
|
|
} else if (strcmp(question_list[c], SSSD_IDP_OAUTH2_QUESTION) == 0) {
|
|
kerr = answer_idp_oauth2(ctx, kr, rctx);
|
|
} else if (strcmp(question_list[c], SSSD_PASSKEY_QUESTION) == 0) {
|
|
+ /* Skip answer_passkey for expired password changes, e.g. user with auth types
|
|
+ * passkey AND password set */
|
|
+ if (kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM || kr->pd->cmd == SSS_PAM_CHAUTHTOK) {
|
|
+ continue;
|
|
+ }
|
|
kerr = answer_passkey(ctx, kr, rctx);
|
|
} else {
|
|
DEBUG(SSSDBG_MINOR_FAILURE, "Unknown question type [%s]\n", question_list[c]);
|
|
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
|
|
index 54088e4d6..cab84b37d 100644
|
|
--- a/src/providers/krb5/krb5_child_handler.c
|
|
+++ b/src/providers/krb5/krb5_child_handler.c
|
|
@@ -1020,3 +1020,56 @@ parse_krb5_child_response(TALLOC_CTX *mem_ctx, uint8_t *buf, ssize_t len,
|
|
*_res = res;
|
|
return EOK;
|
|
}
|
|
+
|
|
+/* Closes the write end of waiting krb5_child */
|
|
+errno_t soft_terminate_krb5_child(TALLOC_CTX *mem_ctx,
|
|
+ struct pam_data *pd,
|
|
+ struct krb5_ctx *krb5_ctx)
|
|
+{
|
|
+ char *io_key;
|
|
+ struct child_io_fds *io;
|
|
+ TALLOC_CTX *tmp_ctx;
|
|
+ int ret;
|
|
+
|
|
+ tmp_ctx = talloc_new(NULL);
|
|
+ if (tmp_ctx == NULL) {
|
|
+ return ENOMEM;
|
|
+ }
|
|
+
|
|
+ if (pd->child_pid == 0) {
|
|
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
+ "Expected waiting krb5_child.\n");
|
|
+ ret = EINVAL;
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
+ io_key = talloc_asprintf(tmp_ctx, "%d", pd->child_pid);
|
|
+ if (io_key == NULL) {
|
|
+ ret = ENOMEM;
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
+ io = sss_ptr_hash_lookup(krb5_ctx->io_table, io_key,
|
|
+ struct child_io_fds);
|
|
+ if (io == NULL) {
|
|
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
+ "PTR hash lookup failed.\n");
|
|
+ ret = ENOMEM;
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
+ if (io->write_to_child_fd != -1) {
|
|
+ ret = close(io->write_to_child_fd);
|
|
+ io->write_to_child_fd = -1;
|
|
+ if (ret != EOK) {
|
|
+ ret = errno;
|
|
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
+ "close failed [%d][%s].\n", ret, strerror(ret));
|
|
+ }
|
|
+ }
|
|
+
|
|
+ ret = EOK;
|
|
+done:
|
|
+ talloc_free(tmp_ctx);
|
|
+ return ret;
|
|
+}
|
|
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
|
index a7c181733..de408ced8 100644
|
|
--- a/src/responder/pam/pamsrv_cmd.c
|
|
+++ b/src/responder/pam/pamsrv_cmd.c
|
|
@@ -1418,6 +1418,15 @@ void pam_reply(struct pam_auth_req *preq)
|
|
goto done;
|
|
}
|
|
|
|
+#if BUILD_PASSKEY
|
|
+ if(pd->cmd == SSS_PAM_AUTHENTICATE &&
|
|
+ pd->pam_status == PAM_NEW_AUTHTOK_REQD &&
|
|
+ sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_PASSKEY_REPLY) {
|
|
+ DEBUG(SSSDBG_TRACE_FUNC, "Passkey authentication reply, ignoring "
|
|
+ "new authtok required status\n");
|
|
+ pd->pam_status = PAM_SUCCESS;
|
|
+ }
|
|
+
|
|
/* Passkey auth user notification if no TGT is granted */
|
|
if (pd->cmd == SSS_PAM_AUTHENTICATE &&
|
|
pd->pam_status == PAM_SUCCESS &&
|
|
@@ -1429,6 +1438,7 @@ void pam_reply(struct pam_auth_req *preq)
|
|
"User [%s] logged in with local passkey authentication, single "
|
|
"sign on ticket is not obtained.\n", pd->user);
|
|
}
|
|
+#endif /* BUILD_PASSKEY */
|
|
|
|
/* Account expiration warning is printed for sshd. If pam_verbosity
|
|
* is equal or above PAM_VERBOSITY_INFO then all services are informed
|
|
--
|
|
2.42.0
|
|
|