[SSSD] [sssd PR#862][opened] pam: fix loop in Smartcard authentication

Thu, 08 Aug 2019 08:50:17 -0700 

   URL: https://github.com/SSSD/sssd/pull/862
Author: sumit-bose
 Title: #862: pam: fix loop in Smartcard authentication
Action: opened

PR body:
"""
If 'try_cert_auth' or 'require_cert_auth' options are used and a wrong
PIN is entered the PAM responder might end in an endless loop. This
patch uses a flag to avoid the loop and makes sure that during
authentication the error code causing the loop is not returned.

Related to https://pagure.io/SSSD/sssd/issue/4051
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/862/head:pr862
git checkout pr862

From c966b41c6d7f8c63d94d0bbab658d01a8c604a13 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Fri, 2 Aug 2019 13:43:49 +0200
Subject: [PATCH] pam: fix loop in Smartcard authentication

If 'try_cert_auth' or 'require_cert_auth' options are used and a wrong
PIN is entered the PAM responder might end in an endless loop. This
patch uses a flag to avoid the loop and makes sure that during
authentication the error code causing the loop is not returned.

Related to https://pagure.io/SSSD/sssd/issue/4051
---
 src/responder/pam/pamsrv_cmd.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 89bdb78a1f..72412204b4 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -814,6 +814,7 @@ static void pam_reply(struct pam_auth_req *preq)
           pd->pam_status, pam_strerror(NULL, pd->pam_status));
 
     if (pd->cmd == SSS_PAM_AUTHENTICATE
+            && !preq->cert_auth_local
             && (pd->pam_status == PAM_AUTHINFO_UNAVAIL
                 || pd->pam_status == PAM_NO_MODULE_DATA
                 || pd->pam_status == PAM_BAD_ITEM)
@@ -1475,7 +1476,8 @@ static void pam_forwarder_cert_cb(struct tevent_req *req)
                   "No certificate found and no logon name given, " \
                   "authentication not possible.\n");
             ret = ENOENT;
-        } else if (pd->cli_flags & PAM_CLI_FLAGS_TRY_CERT_AUTH) {
+        } else if (pd->cmd == SSS_PAM_PREAUTH
+                        && (pd->cli_flags & PAM_CLI_FLAGS_TRY_CERT_AUTH)) {
             DEBUG(SSSDBG_TRACE_ALL,
                   "try_cert_auth flag set but no certificate available, "
                   "request finished.\n");

_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org

Reply via email to