author | Jakub Hrozek <jhrozek@redhat.com> | 2012-11-07 18:28:29 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2012-11-12 11:09:26 +0100 |
commit | 6c7584a32899bf573f62cf8c3fb37410a8ec05bb (patch) | |
tree | 04a08d87f1113a292a326fc3a4ce73929c4bc609 | |
parent | 891370856f6c797f959dab06b194e34102185d53 (diff) | |
download | sssd-6c7584a32899bf573f62cf8c3fb37410a8ec05bb.tar.gz sssd-6c7584a32899bf573f62cf8c3fb37410a8ec05bb.tar.bz2 sssd-6c7584a32899bf573f62cf8c3fb37410a8ec05bb.zip |
Do not always return PAM_SYSTEM_ERR when offline krb5 authentication fails
-rw-r--r-- | src/providers/krb5/krb5_auth.c | 3 | ||||
-rw-r--r-- | src/responder/pam/pamsrv_cmd.c | 29 | ||||
-rw-r--r-- | src/util/auth_utils.h | 42 |
3 files changed, 56 insertions, 18 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index f2e00fac..a4bd631c 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -34,6 +34,7 @@
 #include "util/util.h"
 #include "util/find_uid.h"
+#include "util/auth_utils.h"
 #include "db/sysdb.h"
 #include "util/child_common.h"
 #include "providers/krb5/krb5_auth.h"
@@ -1127,7 +1128,7 @@ static void krb5_pam_handler_cache_auth_step(struct tevent_req *req)
 NULL);
 if (ret != EOK) {
 DEBUG(1, ("Offline authentication failed\n"));
- state->pam_status = PAM_SYSTEM_ERR;
+ state->pam_status = cached_login_pam_status(ret);
 state->dp_err = DP_ERR_OK;
 } else {
 ret = add_user_to_delayed_online_authentication(krb5_ctx, pd,
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index bb0d8db3..1702a0e9 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -23,6 +23,7 @@
 #include <time.h>
 #include "util/util.h"
 #include "util/sss_selinux.h"
+#include "util/auth_utils.h"
 #include "db/sysdb.h"
 #include "confdb/confdb.h"
 #include "responder/common/responder_packet.h"
@@ -716,8 +717,8 @@ static void pam_reply_delay(struct tevent_context *ev, struct tevent_timer *te,
 }
 static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd);
-static void pam_cache_auth_done(struct pam_auth_req *preq, int ret,
- time_t expire_date, time_t delayed_until);
+static void pam_handle_cached_login(struct pam_auth_req *preq, int ret,
+ time_t expire_date, time_t delayed_until);
 static void pam_reply(struct pam_auth_req *preq)
 {
@@ -768,7 +769,7 @@ static void pam_reply(struct pam_auth_req *preq)
 pctx->rctx->cdb, false, &exp_date, &delay_until);
- pam_cache_auth_done(preq, ret, exp_date, delay_until);
+ pam_handle_cached_login(preq, ret, exp_date, delay_until);
 return;
 }
 break;
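Review bot: In the krb5_auth.c hunk at line 1128 the DEBUG(1, ...) message right above the changed assignment still says only "Offline authentication failed", while the PAM status sent back to the client now depends on the value of `ret`; an operator reading the log can no longer tell an ordinary PAM_AUTH_ERR or PAM_PERM_DENIED from an unexpected errno that falls through to PAM_SYSTEM_ERR. Including the error code keeps the log and the returned status in step, e.g. `DEBUG(1, ("Offline authentication failed [%d]\n", ret));`. krb5_pam_handler_cache_auth_step begins and ends outside the hunk, so the other paths that set state->pam_status are not visible here.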
@@ -913,18 +914,18 @@ done:
 sss_cmd_done(cctx, preq);
 }
-static void pam_cache_auth_done(struct pam_auth_req *preq, int ret, time_t expire_date, time_t delayed_until)
+static void pam_handle_cached_login(struct pam_auth_req *preq, int ret, time_t expire_date, time_t delayed_until)
 {
 uint32_t resp_type;
 size_t resp_len;
 uint8_t *resp;
 int64_t dummy;
- switch (ret) {
- case EOK:
- preq->pd->pam_status = PAM_SUCCESS;
+ preq->pd->pam_status = cached_login_pam_status(ret);
+ switch (preq->pd->pam_status) {
+ case PAM_SUCCESS:
 resp_type = SSS_PAM_USER_INFO_OFFLINE_AUTH;
 resp_len = sizeof(uint32_t) + sizeof(int64_t);
 resp = talloc_size(preq->pd, resp_len);
@@ -941,14 +942,7 @@ static void pam_cache_auth_done(struct pam_auth_req *preq, int ret,
 }
 }
 break;
- case ENOENT:
- preq->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
- break;
- case EINVAL:
- preq->pd->pam_status = PAM_AUTH_ERR;
- break;
- case EACCES:
- preq->pd->pam_status = PAM_PERM_DENIED;
+ case PAM_PERM_DENIED:
 if (delayed_until >= 0) {
 resp_type = SSS_PAM_USER_INFO_OFFLINE_AUTH_DELAYED;
 resp_len = sizeof(uint32_t) + sizeof(int64_t);
@@ -968,7 +962,8 @@ static void pam_cache_auth_done(struct pam_auth_req *preq, int ret,
 }
 break;
 default:
- preq->pd->pam_status = PAM_SYSTEM_ERR;
+ DEBUG(SSSDBG_TRACE_LIBS,
+ ("cached login returned: %d\n", preq->pd->pam_status));
 }
 pam_reply(preq);
diff --git a/src/util/auth_utils.h b/src/util/auth_utils.h
new file mode 100644
index 00000000..e9e60a08
--- /dev/null
+++ b/src/util/auth_utils.h
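Review bot: In the @@ -968 hunk the `default:` branch now handles the expected PAM_AUTH_ERR and PAM_AUTHINFO_UNAVAIL outcomes together with the PAM_SYSTEM_ERR fallback, and the new trace message prints only the mapped PAM status, so the errno that caused an unexpected PAM_SYSTEM_ERR is no longer recorded anywhere in the responder. Since `ret` is still a parameter of pam_handle_cached_login, log both values: `("cached login returned: %d (ret: %d)\n", preq->pd->pam_status, ret)`. A maintainer tracing why cached logins fail will otherwise have to correlate this with the provider-side log. The body of pam_handle_cached_login continues past the end of this hunk.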
@@ -0,0 +1,42 @@
+/*
+ SSSD
+
+ Authentication utility functions
+
+ Authors:
+ Jakub Hrozek <jhrozek@redhat.com>
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <errno.h>
+#include <security/pam_appl.h>
+
+static inline int cached_login_pam_status(int auth_res)
+{
+ switch (auth_res) {
+ case EOK:
+ return PAM_SUCCESS;
+ case ENOENT:
+ return PAM_AUTHINFO_UNAVAIL;
+ case EINVAL:
+ return PAM_AUTH_ERR;
+ case EACCES:
+ return PAM_PERM_DENIED;
+ }
+
+ return PAM_SYSTEM_ERR;
+} |
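Review bot: The new auth_utils.h has no include guard, and because it defines a function body (`static inline int cached_login_pam_status`) rather than only declarations, any translation unit that reaches it twice through nested includes gets a redefinition error; wrap it in `#ifndef __AUTH_UTILS_H__` / `#define __AUTH_UTILS_H__` / `#endif` like the project's other headers. The function also uses `EOK`, which neither `<errno.h>` nor `<security/pam_appl.h>` defines; it presumably comes from util/util.h, which both includers in this commit happen to pull in first, so either include that header here or note the ordering requirement in a comment. A short header comment would help the next caller, e.g. "Translate the errno-style result of a cached (offline) credential check into the PAM status reported to the client; any value not listed maps to PAM_SYSTEM_ERR."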