authorSimo Sorce <simo@redhat.com>2012-10-18 12:49:38 -0400
committerSimo Sorce <simo@redhat.com>2013-01-10 12:24:59 -0500
commitc83e409297711e6012a164cc929c758a3f38e9b9 (patch)
tree42930e80d13d5bbe26e12891499677db0e26c8e6 /src/responder/pam
parent4c2cf6607ddc82c5061d805c11e163de4bc1bd82 (diff)
Code can only check for cached passwords
Make it clear to the API users that we cannot take arbitrary auth tokens. We can only take a password for now, so simplify and clarify the interface.
Diffstat (limited to 'src/responder/pam')
-rw-r--r--src/responder/pam/pamsrv_cmd.c39
1 files changed, 24 insertions, 15 deletions
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 42696422..ed7438f8 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -733,7 +733,6 @@ static void pam_reply(struct pam_auth_req *preq)
struct timeval tv;
struct tevent_timer *te;
struct pam_data *pd;
- struct sysdb_ctx *sysdb;
struct pam_ctx *pctx;
uint32_t user_info_type;
time_t exp_date = -1;
@@ -753,24 +752,34 @@ static void pam_reply(struct pam_auth_req *preq)
if ((preq->domain != NULL) &&
(preq->domain->cache_credentials == true) &&
(pd->offline_auth == false)) {
+ const char *password = NULL;
- /* do auth with offline credentials */
- pd->offline_auth = true;
+ /* do auth with offline credentials */
+ pd->offline_auth = true;
- sysdb = preq->domain->sysdb;
- if (sysdb == NULL) {
- DEBUG(0, ("Fatal: Sysdb CTX not found for "
- "domain [%s]!\n", preq->domain->name));
- goto done;
- }
+ if (preq->domain->sysdb == NULL) {
+ DEBUG(0, ("Fatal: Sysdb CTX not found for domain"
+ " [%s]!\n", preq->domain->name));
+ goto done;
+ }
- ret = sysdb_cache_auth(sysdb, pd->user,
- pd->authtok, pd->authtok_size,
- pctx->rctx->cdb, false,
- &exp_date, &delay_until);
+ password = talloc_strndup(preq, pd->authtok, pd->authtok_size);
+ if (!password) {
+ DEBUG(0, ("Fatal: Out of memory copying password\n"));
+ goto done;
+ }
- pam_handle_cached_login(preq, ret, exp_date, delay_until);
- return;
+ ret = sysdb_cache_auth(preq->domain->sysdb,
+ pd->user, password,
+ pctx->rctx->cdb, false,
+ &exp_date, &delay_until);
+
+ pam_handle_cached_login(preq, ret, exp_date, delay_until);
+ if (password) {
+ for (i = 0; password[i]; i++) password[i] = 0;
+ talloc_zfree(password);
+ }
+ return;
}
break;
case SSS_PAM_CHAUTHTOK_PRELIM:
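Review bot: The scrub loop at the end of the cached-login branch writes `password[i] = 0` through a pointer declared `const char *password`, which a C compiler rejects as an assignment to a read-only location; declaring it `char *password = NULL;` keeps the wipe legal. `i` is not declared in the visible lines, so it presumably comes from earlier in pam_reply, whose body starts and ends outside this hunk. The cleartext copy also stays alive across `pam_handle_cached_login()`, which does not take it as an argument, so wiping and freeing it directly after `sysdb_cache_auth()` returns would shorten the time the password sits in a second heap buffer. The `if (password)` guard is redundant, since the NULL case already left through `goto done`.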