summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/db/sysdb.h3
-rw-r--r--src/db/sysdb_ops.c12
-rw-r--r--src/providers/krb5/krb5_auth.c21
-rw-r--r--src/responder/pam/pamsrv_cmd.c39
-rw-r--r--src/tests/sysdb-tests.c6
5 files changed, 45 insertions, 36 deletions
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index b8aafdfa..378ce488 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -740,8 +740,7 @@ errno_t check_failed_login_attempts(struct confdb_ctx *cdb,
time_t *delayed_until);
int sysdb_cache_auth(struct sysdb_ctx *sysdb,
const char *name,
- const uint8_t *authtok,
- size_t authtok_size,
+ const char *password,
struct confdb_ctx *cdb,
bool just_check,
time_t *_expire_date,
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index e1201f44..b9cecad5 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -2757,8 +2757,7 @@ done:
int sysdb_cache_auth(struct sysdb_ctx *sysdb,
const char *name,
- const uint8_t *authtok,
- size_t authtok_size,
+ const char *password,
struct confdb_ctx *cdb,
bool just_check,
time_t *_expire_date,
@@ -2773,7 +2772,6 @@ int sysdb_cache_auth(struct sysdb_ctx *sysdb,
struct ldb_message *ldb_msg;
const char *userhash;
char *comphash;
- char *password = NULL;
uint64_t lastLogin = 0;
int cred_expiration;
uint32_t failed_login_attempts = 0;
@@ -2859,13 +2857,6 @@ int sysdb_cache_auth(struct sysdb_ctx *sysdb,
/* TODO: verify user account (disabled, expired ...) */
- password = talloc_strndup(tmp_ctx, (const char *)authtok, authtok_size);
- if (password == NULL) {
- DEBUG(1, ("talloc_strndup failed.\n"));
- ret = ENOMEM;
- goto done;
- }
-
userhash = ldb_msg_find_attr_as_string(ldb_msg, SYSDB_CACHEDPWD, NULL);
if (userhash == NULL || *userhash == '\0') {
DEBUG(4, ("Cached credentials not available.\n"));
@@ -2949,7 +2940,6 @@ done:
if (_delayed_until != NULL) {
*_delayed_until = delayed_until;
}
- if (password) for (i = 0; password[i]; i++) password[i] = 0;
if (ret) {
ldb_transaction_cancel(sysdb->ldb);
} else {
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 94bbe485..bd014a49 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -278,16 +278,23 @@ static void krb5_auth_cache_creds(struct krb5_ctx *krb5_ctx,
struct pam_data *pd, uid_t uid,
int *pam_status, int *dp_err)
{
+ char *password = NULL;
errno_t ret;
- ret = sysdb_cache_auth(sysdb, pd->user, pd->authtok,
- pd->authtok_size, cdb, true, NULL,
- NULL);
+ password = talloc_strndup(state, pd->authtok, pd->authtok_size);
+ if (!password) {
+ DEBUG(0, ("Out of memory copying password\n"));
+ *pam_status = PAM_SYSTEM_ERR;
+ *dp_err = DP_ERR_OK;
+ return;
+ }
+
+ ret = sysdb_cache_auth(sysdb, pd->user, password, cdb, true, NULL, NULL);
if (ret != EOK) {
DEBUG(1, ("Offline authentication failed\n"));
*pam_status = cached_login_pam_status(ret);
*dp_err = DP_ERR_OK;
- return;
+ goto done;
}
ret = add_user_to_delayed_online_authentication(krb5_ctx, pd, uid);
@@ -297,6 +304,12 @@ static void krb5_auth_cache_creds(struct krb5_ctx *krb5_ctx,
}
*pam_status = PAM_AUTHINFO_UNAVAIL;
*dp_err = DP_ERR_OFFLINE;
+
+done:
+ if (password) {
+ for (i = 0; password[i]; i++) password[i] = 0;
+ talloc_zfree(password);
+ }
}
static errno_t krb5_auth_prepare_ccache_file(struct krb5child_req *kr,
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 42696422..ed7438f8 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -733,7 +733,6 @@ static void pam_reply(struct pam_auth_req *preq)
struct timeval tv;
struct tevent_timer *te;
struct pam_data *pd;
- struct sysdb_ctx *sysdb;
struct pam_ctx *pctx;
uint32_t user_info_type;
time_t exp_date = -1;
@@ -753,24 +752,34 @@ static void pam_reply(struct pam_auth_req *preq)
if ((preq->domain != NULL) &&
(preq->domain->cache_credentials == true) &&
(pd->offline_auth == false)) {
+ const char *password = NULL;
- /* do auth with offline credentials */
- pd->offline_auth = true;
+ /* do auth with offline credentials */
+ pd->offline_auth = true;
- sysdb = preq->domain->sysdb;
- if (sysdb == NULL) {
- DEBUG(0, ("Fatal: Sysdb CTX not found for "
- "domain [%s]!\n", preq->domain->name));
- goto done;
- }
+ if (preq->domain->sysdb == NULL) {
+ DEBUG(0, ("Fatal: Sysdb CTX not found for domain"
+ " [%s]!\n", preq->domain->name));
+ goto done;
+ }
- ret = sysdb_cache_auth(sysdb, pd->user,
- pd->authtok, pd->authtok_size,
- pctx->rctx->cdb, false,
- &exp_date, &delay_until);
+ password = talloc_strndup(preq, pd->authtok, pd->authtok_size);
+ if (!password) {
+ DEBUG(0, ("Fatal: Out of memory copying password\n"));
+ goto done;
+ }
- pam_handle_cached_login(preq, ret, exp_date, delay_until);
- return;
+ ret = sysdb_cache_auth(preq->domain->sysdb,
+ pd->user, password,
+ pctx->rctx->cdb, false,
+ &exp_date, &delay_until);
+
+ pam_handle_cached_login(preq, ret, exp_date, delay_until);
+ if (password) {
+ for (i = 0; password[i]; i++) password[i] = 0;
+ talloc_zfree(password);
+ }
+ return;
}
break;
case SSS_PAM_CHAUTHTOK_PRELIM:
diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
index a79d8d6c..a5526280 100644
--- a/src/tests/sysdb-tests.c
+++ b/src/tests/sysdb-tests.c
@@ -1576,8 +1576,7 @@ static void cached_authentication_without_expiration(const char *username,
return;
}
- ret = sysdb_cache_auth(test_ctx->sysdb, data->username,
- (const uint8_t *)password, strlen(password),
+ ret = sysdb_cache_auth(test_ctx->sysdb, data->username, password,
test_ctx->confdb, false, &expire_date, &delayed_until);
fail_unless(ret == expected_result, "sysdb_cache_auth request does not "
@@ -1636,8 +1635,7 @@ static void cached_authentication_with_expiration(const char *username,
data->attrs, SYSDB_MOD_REP);
fail_unless(ret == EOK, "Could not modify user %s", data->username);
- ret = sysdb_cache_auth(test_ctx->sysdb, data->username,
- (const uint8_t *) password, strlen(password),
+ ret = sysdb_cache_auth(test_ctx->sysdb, data->username, password,
test_ctx->confdb, false, &expire_date, &delayed_until);
fail_unless(ret == expected_result,