sssd/SOURCES/0022-pam_sss-special-handling-for-gdm-smartcard.patch

From 3ed254765fc92e9cc9e4c35335818eaf1256e0d6 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 3 Jun 2020 20:36:54 +0200
Subject: [PATCH 22/22] pam_sss: special handling for gdm-smartcard

The gdm-smartcard service is special since it is triggered by the
presence of a Smartcard and even in the case of an error it will
immediately try again. To break this loop we should ask for an user
input and asking for a PIN is most straight forward and would show the
same behavior as pam_pkcs11.

Additionally it does not make sense to fall back the a password prompt
for gdm-smartcard so also here a PIN prompt should be shown.

Resolves: https://github.com/SSSD/sssd/issues/5190

Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
 src/sss_client/pam_sss.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 7e59f0487..093e53af5 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1835,8 +1835,13 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
     struct pam_message m[2] = { { 0 }, { 0 } };
     struct pam_response *resp = NULL;
     struct cert_auth_info *cai = pi->selected_cert;
+    struct cert_auth_info empty_cai = { NULL, NULL, discard_const("Smartcard"),
+                                        NULL, NULL, NULL, NULL, NULL };
 
-    if (cai == NULL || cai->token_name == NULL || *cai->token_name == '\0') {
+    if (cai == NULL && SERVICE_IS_GDM_SMARTCARD(pi)) {
+        cai = &empty_cai;
+    } else if (cai == NULL || cai->token_name == NULL
+                    || *cai->token_name == '\0') {
         return PAM_SYSTEM_ERR;
     }
 
@@ -2188,6 +2193,9 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
                     }
                 }
                 ret = prompt_sc_pin(pamh, pi);
+            } else if (SERVICE_IS_GDM_SMARTCARD(pi)) {
+               /* Use pin prompt as fallback for gdm-smartcard */
+                ret = prompt_sc_pin(pamh, pi);
             } else {
                 ret = prompt_password(pamh, pi, _("Password: "));
             }
@@ -2496,7 +2504,7 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
 {
     int ret;
     int pam_status;
-    struct pam_items pi;
+    struct pam_items pi = { 0 };
     uint32_t flags = 0;
     const int *exp_data;
     int *pw_exp_data;
@@ -2570,7 +2578,8 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
                         /*
                          * Since we are only interested in the result message
                          * and will always use password authentication
-                         * as a fallback, errors can be ignored here.
+                         * as a fallback (except for gdm-smartcard),
+                         * errors can be ignored here.
                          */
                     }
                 }
@@ -2588,7 +2597,6 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
                                                  quiet_mode);
                     if (ret != PAM_SUCCESS) {
                         D(("check_login_token_name failed.\n"));
-                        return ret;
                     }
                 }
 
-- 
2.21.3