author | Sumit Bose <sbose@redhat.com> | 2010-04-21 10:46:01 +0200 |
committer | Stephen Gallagher <sgallagh@redhat.com> | 2010-04-26 09:55:00 -0400 |
commit | b843b55b1565176d9f27554d89e5e041b34c0dcf (patch) | |
tree | 702ed12756033e23233efa1a194f4524ab8d44f9 | |
parent | 5b680ac8ef46fc1714f2ab59a07f68ac386ad89b (diff) | |
Unset authentication tokens if password change fails
-rw-r--r-- | src/sss_client/pam_sss.c | 79 |
1 files changed, 52 insertions, 27 deletions
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 4208faa6..77dec19c 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1201,37 +1201,62 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, ret = send_and_receive(pamh, &pi, task); -/* We allow sssd to send the return code PAM_NEW_AUTHTOK_REQD during - * authentication, see sss_cli.h for details */ - if (ret == PAM_NEW_AUTHTOK_REQD && task == SSS_PAM_AUTHENTICATE) { - D(("Authtoken expired, trying to change it")); - - exp_data = malloc(sizeof(int)); - if (exp_data == NULL) { - D(("malloc failed.")); - return PAM_BUF_ERR; - } - *exp_data = 1; - ret = pam_set_data(pamh, PWEXP_FLAG, exp_data, free_exp_data); - if (ret != PAM_SUCCESS) { - D(("pam_set_data failed.")); - return ret; - } - - return PAM_SUCCESS; - } + switch (task) { + case SSS_PAM_AUTHENTICATE: + /* We allow sssd to send the return code PAM_NEW_AUTHTOK_REQD during + * authentication, see sss_cli.h for details */ + if (ret == PAM_NEW_AUTHTOK_REQD) { + D(("Authtoken expired, trying to change it")); + + exp_data = malloc(sizeof(int)); + if (exp_data == NULL) { + D(("malloc failed.")); + return PAM_BUF_ERR; + } + *exp_data = 1; + ret = pam_set_data(pamh, PWEXP_FLAG, exp_data, free_exp_data); + if (ret != PAM_SUCCESS) { + D(("pam_set_data failed.")); + return ret; + } - if (ret == PAM_SUCCESS && task == SSS_PAM_ACCT_MGMT && - pam_get_data(pamh, PWEXP_FLAG, (const void **) &exp_data) == + return PAM_SUCCESS; + } + break; + case SSS_PAM_ACCT_MGMT: + if (ret == PAM_SUCCESS && + pam_get_data(pamh, PWEXP_FLAG, (const void **) &exp_data) == PAM_SUCCESS) { - ret = do_pam_conversation(pamh, PAM_TEXT_INFO, - _("Password expired. Change your password now."), NULL, NULL); - if (ret != PAM_SUCCESS) { - D(("do_pam_conversation failed.")); - } - return PAM_NEW_AUTHTOK_REQD; + ret = do_pam_conversation(pamh, PAM_TEXT_INFO, + _("Password expired. 
Change your password now."), + NULL, NULL); + if (ret != PAM_SUCCESS) { + D(("do_pam_conversation failed.")); + } + return PAM_NEW_AUTHTOK_REQD; + } + break; + case SSS_PAM_CHAUTHTOK: + if (ret != PAM_SUCCESS && ret != PAM_USER_UNKNOWN) { + ret = pam_set_item(pamh, PAM_AUTHTOK, NULL); + if (ret != PAM_SUCCESS) { + D(("Failed to unset PAM_AUTHTOK [%s]", + pam_strerror(pamh,ret))); + } + ret = pam_set_item(pamh, PAM_OLDAUTHTOK, NULL); + if (ret != PAM_SUCCESS) { + D(("Failed to unset PAM_OLDAUTHTOK [%s]", + pam_strerror(pamh,ret))); + } + } + break; + default: + /* nothing to do */ + break; } + + overwrite_and_free_authtoks(&pi); return ret; |
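Review bot: In the new `case SSS_PAM_CHAUTHTOK:` branch the failure code that entered the branch is lost, because both `ret = pam_set_item(pamh, PAM_AUTHTOK, NULL);` and `ret = pam_set_item(pamh, PAM_OLDAUTHTOK, NULL);` overwrite `ret` before the trailing `return ret;` — when unsetting the tokens succeeds, a failed password change is returned to the PAM stack as PAM_SUCCESS, and when it fails the stack sees the pam_set_item error instead of the real one. The cleanup result should go into its own variable so `ret` still carries the send_and_receive status; the rewritten branch is below. A second, smaller point: the newly added `overwrite_and_free_authtoks(&pi);` is skipped on the early `return PAM_SUCCESS;` / `return PAM_NEW_AUTHTOK_REQD;` paths in the AUTHENTICATE and ACCT_MGMT cases, so `pi` is presumably not wiped there unless something outside this hunk does it — worth confirming. pam_sss() starts before this hunk (its signature only appears in the @@ context) and its closing brace is not visible here.
```c
        case SSS_PAM_CHAUTHTOK:
            if (ret != PAM_SUCCESS && ret != PAM_USER_UNKNOWN) {
                /* ret holds the password-change failure that must reach the
                 * PAM stack; keep the token-cleanup status separate. */
                int pam_status = pam_set_item(pamh, PAM_AUTHTOK, NULL);
                if (pam_status != PAM_SUCCESS) {
                    D(("Failed to unset PAM_AUTHTOK [%s]",
                       pam_strerror(pamh, pam_status)));
                }
                pam_status = pam_set_item(pamh, PAM_OLDAUTHTOK, NULL);
                if (pam_status != PAM_SUCCESS) {
                    D(("Failed to unset PAM_OLDAUTHTOK [%s]",
                       pam_strerror(pamh, pam_status)));
                }
            }
            break;
        /* … unchanged: default case, overwrite_and_free_authtoks(&pi), return ret … */
```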