authorJakub Hrozek <jhrozek@redhat.com>2012-11-07 18:28:29 +0100
committerJakub Hrozek <jhrozek@redhat.com>2012-11-12 11:09:26 +0100
commit6c7584a32899bf573f62cf8c3fb37410a8ec05bb (patch)
tree04a08d87f1113a292a326fc3a4ce73929c4bc609
parent891370856f6c797f959dab06b194e34102185d53 (diff)
Do not always return PAM_SYSTEM_ERR when offline krb5 authentication fails
-rw-r--r--src/providers/krb5/krb5_auth.c3
-rw-r--r--src/responder/pam/pamsrv_cmd.c29
-rw-r--r--src/util/auth_utils.h42
3 files changed, 56 insertions, 18 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index f2e00fac..a4bd631c 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -34,6 +34,7 @@
#include "util/util.h"
#include "util/find_uid.h"
+#include "util/auth_utils.h"
#include "db/sysdb.h"
#include "util/child_common.h"
#include "providers/krb5/krb5_auth.h"
@@ -1127,7 +1128,7 @@ static void krb5_pam_handler_cache_auth_step(struct tevent_req *req)
NULL);
if (ret != EOK) {
DEBUG(1, ("Offline authentication failed\n"));
- state->pam_status = PAM_SYSTEM_ERR;
+ state->pam_status = cached_login_pam_status(ret);
state->dp_err = DP_ERR_OK;
} else {
ret = add_user_to_delayed_online_authentication(krb5_ctx, pd,
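Review bot: The failure message `DEBUG(1, ("Offline authentication failed\n"));` no longer tells a reader which errno produced the status, which mattered less when every failure became PAM_SYSTEM_ERR but now decides between PAM_AUTHINFO_UNAVAIL, PAM_AUTH_ERR, PAM_PERM_DENIED and PAM_SYSTEM_ERR. Logging the code alongside the message, `DEBUG(1, ("Offline authentication failed [%d]: %s\n", ret, strerror(ret)));`, keeps the server-side diagnosis possible without changing what the client sees (assuming string.h is already included, as it normally is via util/util.h). krb5_pam_handler_cache_auth_step starts and ends outside this hunk.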
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index bb0d8db3..1702a0e9 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -23,6 +23,7 @@
#include <time.h>
#include "util/util.h"
#include "util/sss_selinux.h"
+#include "util/auth_utils.h"
#include "db/sysdb.h"
#include "confdb/confdb.h"
#include "responder/common/responder_packet.h"
@@ -716,8 +717,8 @@ static void pam_reply_delay(struct tevent_context *ev, struct tevent_timer *te,
}
static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd);
-static void pam_cache_auth_done(struct pam_auth_req *preq, int ret,
- time_t expire_date, time_t delayed_until);
+static void pam_handle_cached_login(struct pam_auth_req *preq, int ret,
+ time_t expire_date, time_t delayed_until);
static void pam_reply(struct pam_auth_req *preq)
{
@@ -768,7 +769,7 @@ static void pam_reply(struct pam_auth_req *preq)
pctx->rctx->cdb, false,
&exp_date, &delay_until);
- pam_cache_auth_done(preq, ret, exp_date, delay_until);
+ pam_handle_cached_login(preq, ret, exp_date, delay_until);
return;
}
break;
@@ -913,18 +914,18 @@ done:
sss_cmd_done(cctx, preq);
}
-static void pam_cache_auth_done(struct pam_auth_req *preq, int ret,
- time_t expire_date, time_t delayed_until)
+static void pam_handle_cached_login(struct pam_auth_req *preq, int ret,
+ time_t expire_date, time_t delayed_until)
{
uint32_t resp_type;
size_t resp_len;
uint8_t *resp;
int64_t dummy;
- switch (ret) {
- case EOK:
- preq->pd->pam_status = PAM_SUCCESS;
+ preq->pd->pam_status = cached_login_pam_status(ret);
+ switch (preq->pd->pam_status) {
+ case PAM_SUCCESS:
resp_type = SSS_PAM_USER_INFO_OFFLINE_AUTH;
resp_len = sizeof(uint32_t) + sizeof(int64_t);
resp = talloc_size(preq->pd, resp_len);
@@ -941,14 +942,7 @@ static void pam_cache_auth_done(struct pam_auth_req *preq, int ret,
}
}
break;
- case ENOENT:
- preq->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
- break;
- case EINVAL:
- preq->pd->pam_status = PAM_AUTH_ERR;
- break;
- case EACCES:
- preq->pd->pam_status = PAM_PERM_DENIED;
+ case PAM_PERM_DENIED:
if (delayed_until >= 0) {
resp_type = SSS_PAM_USER_INFO_OFFLINE_AUTH_DELAYED;
resp_len = sizeof(uint32_t) + sizeof(int64_t);
@@ -968,7 +962,8 @@ static void pam_cache_auth_done(struct pam_auth_req *preq, int ret,
}
break;
default:
- preq->pd->pam_status = PAM_SYSTEM_ERR;
+ DEBUG(SSSDBG_TRACE_LIBS,
+ ("cached login returned: %d\n", preq->pd->pam_status));
}
pam_reply(preq);
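Review bot: The new default branch is reached for PAM_AUTHINFO_UNAVAIL, PAM_AUTH_ERR and PAM_SYSTEM_ERR alike, and the trace line prints only the mapped status; since cached_login_pam_status() returns PAM_SYSTEM_ERR for every errno it does not recognise, the original `ret` is the value a maintainer needs to tell a genuine system error from an unexpected code. Keeping the level but adding the source value, `DEBUG(SSSDBG_TRACE_LIBS, ("cached login returned: %d (ret [%d]: %s)\n", preq->pd->pam_status, ret, strerror(ret)));`, makes the fall-through diagnosable. A one-line comment above `default:` noting that it covers the non-success, non-delayed statuses would also explain why no PAM status is assigned there any more. pam_handle_cached_login's closing brace lies outside this hunk.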
diff --git a/src/util/auth_utils.h b/src/util/auth_utils.h
new file mode 100644
index 00000000..e9e60a08
--- /dev/null
+++ b/src/util/auth_utils.h
@@ -0,0 +1,42 @@
+/*
+ SSSD
+
+ Authentication utility functions
+
+ Authors:
+ Jakub Hrozek <jhrozek@redhat.com>
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <errno.h>
+#include <security/pam_appl.h>
+
+static inline int cached_login_pam_status(int auth_res)
+{
+ switch (auth_res) {
+ case EOK:
+ return PAM_SUCCESS;
+ case ENOENT:
+ return PAM_AUTHINFO_UNAVAIL;
+ case EINVAL:
+ return PAM_AUTH_ERR;
+ case EACCES:
+ return PAM_PERM_DENIED;
+ }
+
+ return PAM_SYSTEM_ERR;
+}
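Review bot: The new header has no include guard, so any translation unit that pulls in util/auth_utils.h twice (directly and through another header) would redefine the static inline function and fail to compile; wrap the file in `#ifndef AUTH_UTILS_H_` / `#define AUTH_UTILS_H_` ... `#endif` (guard name constructed, use the project's convention). The switch also depends on `EOK`, which `<errno.h>` does not provide; it presumably comes from util/util.h, which both includers in this commit happen to include first, so either include it here or state the requirement in the header. A short Doxygen comment on cached_login_pam_status saying that it maps the errno result of a cached-credential check to a PAM status and that any code not listed becomes PAM_SYSTEM_ERR would document the contract, and moving the trailing `return PAM_SYSTEM_ERR;` under a `default:` label makes that fallback explicit in the switch itself.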