authorSumit Bose <sbose@redhat.com>2010-04-21 10:46:01 +0200
committerStephen Gallagher <sgallagh@redhat.com>2010-04-26 09:55:00 -0400
commitb843b55b1565176d9f27554d89e5e041b34c0dcf (patch)
tree702ed12756033e23233efa1a194f4524ab8d44f9
parent5b680ac8ef46fc1714f2ab59a07f68ac386ad89b (diff)
Unset authentication tokens if password change fails
-rw-r--r--src/sss_client/pam_sss.c79
1 files changed, 52 insertions, 27 deletions
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 4208faa6..77dec19c 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1201,37 +1201,62 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
ret = send_and_receive(pamh, &pi, task);
-/* We allow sssd to send the return code PAM_NEW_AUTHTOK_REQD during
- * authentication, see sss_cli.h for details */
- if (ret == PAM_NEW_AUTHTOK_REQD && task == SSS_PAM_AUTHENTICATE) {
- D(("Authtoken expired, trying to change it"));
-
- exp_data = malloc(sizeof(int));
- if (exp_data == NULL) {
- D(("malloc failed."));
- return PAM_BUF_ERR;
- }
- *exp_data = 1;
- ret = pam_set_data(pamh, PWEXP_FLAG, exp_data, free_exp_data);
- if (ret != PAM_SUCCESS) {
- D(("pam_set_data failed."));
- return ret;
- }
-
- return PAM_SUCCESS;
- }
+ switch (task) {
+ case SSS_PAM_AUTHENTICATE:
+ /* We allow sssd to send the return code PAM_NEW_AUTHTOK_REQD during
+ * authentication, see sss_cli.h for details */
+ if (ret == PAM_NEW_AUTHTOK_REQD) {
+ D(("Authtoken expired, trying to change it"));
+
+ exp_data = malloc(sizeof(int));
+ if (exp_data == NULL) {
+ D(("malloc failed."));
+ return PAM_BUF_ERR;
+ }
+ *exp_data = 1;
+ ret = pam_set_data(pamh, PWEXP_FLAG, exp_data, free_exp_data);
+ if (ret != PAM_SUCCESS) {
+ D(("pam_set_data failed."));
+ return ret;
+ }
- if (ret == PAM_SUCCESS && task == SSS_PAM_ACCT_MGMT &&
- pam_get_data(pamh, PWEXP_FLAG, (const void **) &exp_data) ==
+ return PAM_SUCCESS;
+ }
+ break;
+ case SSS_PAM_ACCT_MGMT:
+ if (ret == PAM_SUCCESS &&
+ pam_get_data(pamh, PWEXP_FLAG, (const void **) &exp_data) ==
PAM_SUCCESS) {
- ret = do_pam_conversation(pamh, PAM_TEXT_INFO,
- _("Password expired. Change your password now."), NULL, NULL);
- if (ret != PAM_SUCCESS) {
- D(("do_pam_conversation failed."));
- }
- return PAM_NEW_AUTHTOK_REQD;
+ ret = do_pam_conversation(pamh, PAM_TEXT_INFO,
+ _("Password expired. Change your password now."),
+ NULL, NULL);
+ if (ret != PAM_SUCCESS) {
+ D(("do_pam_conversation failed."));
+ }
+ return PAM_NEW_AUTHTOK_REQD;
+ }
+ break;
+ case SSS_PAM_CHAUTHTOK:
+ if (ret != PAM_SUCCESS && ret != PAM_USER_UNKNOWN) {
+ ret = pam_set_item(pamh, PAM_AUTHTOK, NULL);
+ if (ret != PAM_SUCCESS) {
+ D(("Failed to unset PAM_AUTHTOK [%s]",
+ pam_strerror(pamh,ret)));
+ }
+ ret = pam_set_item(pamh, PAM_OLDAUTHTOK, NULL);
+ if (ret != PAM_SUCCESS) {
+ D(("Failed to unset PAM_OLDAUTHTOK [%s]",
+ pam_strerror(pamh,ret)));
+ }
+ }
+ break;
+ default:
+ /* nothing to do */
+ break;
}
+
+
overwrite_and_free_authtoks(&pi);
return ret;
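Review bot: In the new SSS_PAM_CHAUTHTOK case the cleanup result overwrites the failure code: `ret = pam_set_item(pamh, PAM_AUTHTOK, NULL);` and the following `ret = pam_set_item(pamh, PAM_OLDAUTHTOK, NULL);` replace the non-success value that entered the branch, so when both calls succeed the function falls through to `return ret;` with PAM_SUCCESS and a rejected password change is reported to the PAM stack as a successful one. The token-wiping itself is the right reaction, but its status must go into a separate local, e.g. `item_ret = pam_set_item(pamh, PAM_AUTHTOK, NULL);` with `if (item_ret != PAM_SUCCESS)` guarding the D() message and `pam_strerror(pamh, item_ret)` inside it, and the same for PAM_OLDAUTHTOK, leaving `ret` untouched for the return. The local would be declared with the other locals of pam_sss(), whose start lies before the hunk. A one-line comment above the two calls, `/* keep the failure code in ret; the cleanup status must not replace it */`, would make the intent clear to the next editor.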