URL: https://github.com/SSSD/sssd/pull/620 Author: abbra Title: #620: Add pam_cert_pam_services option Action: opened
PR body: """ Allow customizing which PAM services are allowed to perform smartcard authentication. Fixes: https://pagure.io/SSSD/sssd/issue/3775 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/620/head:pr620 git checkout pr620
From fcd0db246fb1279d6ffb470d3749d50f1e345aaf Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <aboko...@redhat.com> Date: Fri, 20 Jul 2018 12:06:48 +0300 Subject: [PATCH] Add pam_cert_pam_services option Allow customizing which PAM services are allowed to perform smartcard authentication. Fixes: https://pagure.io/SSSD/sssd/issue/3775 Signed-off-by: Alexander Bokovoy <aboko...@redhat.com> --- src/confdb/confdb.h | 1 + src/config/SSSDConfig/__init__.py.in | 1 + src/config/cfg_rules.ini | 1 + src/config/etc/sssd.api.conf | 1 + src/man/sssd.conf.5.xml | 14 ++++++++++++++ src/responder/pam/pamsrv_p11.c | 33 +++++++++++++++++++++++++++------ 6 files changed, 45 insertions(+), 6 deletions(-) diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index 8af625f01..7e1116d97 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -131,6 +131,7 @@ #define CONFDB_PAM_CERT_DB_PATH "pam_cert_db_path" #define CONFDB_PAM_P11_CHILD_TIMEOUT "p11_child_timeout" #define CONFDB_PAM_APP_SERVICES "pam_app_services" +#define CONFDB_PAM_CERT_PAM_SERVICES "pam_cert_pam_services" /* SUDO */ #define CONFDB_SUDO_CONF_ENTRY "config/sudo" diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index 32b74e4c7..ee08765e0 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in @@ -103,6 +103,7 @@ option_strings = { 'pam_cert_db_path' : _('Path to certificate database with PKCS#11 modules.'), 'p11_child_timeout' : _('How many seconds will pam_sss wait for p11_child to finish'), 'pam_app_services' : _('Which PAM services are permitted to contact application domains'), + 'pam_cert_pam_services' : _('Which PAM services are permitted to perform smart card authentication'), # [sudo] 'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'), diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index 551322780..1673abe8d 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini 
@@ -126,6 +126,7 @@ option = pam_cert_auth option = pam_cert_db_path option = p11_child_timeout option = pam_app_services +option = pam_cert_pam_services [rule/allowed_sudo_options] validator = ini_allowed_options diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf index 2be2e3e68..67b55674e 100644 --- a/src/config/etc/sssd.api.conf +++ b/src/config/etc/sssd.api.conf @@ -75,6 +75,7 @@ pam_cert_auth = bool, None, false pam_cert_db_path = str, None, false p11_child_timeout = int, None, false pam_app_services = str, None, false +pam_cert_pam_services = list, str, false [sudo] # sudo service diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index ed3c10012..5873a4ce2 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -1389,6 +1389,20 @@ pam_account_locked_message = Account locked, please contact help desk. </para> </listitem> </varlistentry> + <varlistentry> + <term>pam_cert_pam_services (list)</term> + <listitem> + <para> + Which PAM services are permitted to perform + certificate based Smartcard authentication. + </para> + <para> + Default: login, su, su-l, gdm-smartcard, + gdm-password, kdm, sudo, sudo-i, + gnome-screensaver + </para> + </listitem> + </varlistentry> </variablelist> </refsect2> diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c index 0b6a162a4..83f99132a 100644 --- a/src/responder/pam/pamsrv_p11.c +++ b/src/responder/pam/pamsrv_p11.c @@ -230,6 +230,10 @@ bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd) const char *sc_services[] = { "login", "su", "su-l", "gdm-smartcard", "gdm-password", "kdm", "sudo", "sudo-i", "gnome-screensaver", NULL }; + char **pam_cert_pam_services = NULL; + int ret; + bool result; + if (!pctx->cert_auth) { return false; } 
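Review bot: In the first pamsrv_p11.c hunk the new `int ret;` departs from the file's own convention of `errno_t` for confdb/errno-style results (see `static errno_t get_p11_child_write_buffer` further down), and it is later assigned from `confdb_get_string_as_list`; change it to `errno_t ret;`. The new `char **pam_cert_pam_services` will be pointed at the `const char *sc_services[]` array on the fallback path, so consider declaring it `const char **` and casting the configured list instead, which keeps the const-cast on the mutable side rather than discarding the table's constness. `may_do_cert_auth` continues past the end of this hunk.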
@@ -244,23 +248,40 @@ bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd) return false; } - /* TODO: make services configurable */ if (pd->service == NULL || *pd->service == '\0') { return false; } - for (c = 0; sc_services[c] != NULL; c++) { - if (strcmp(pd->service, sc_services[c]) == 0) { + + ret = confdb_get_string_as_list(pctx->rctx->cdb, pctx, + CONFDB_PAM_CONF_ENTRY, + CONFDB_PAM_CERT_PAM_SERVICES, + &pam_cert_pam_services); + if (ret != EOK) { + DEBUG(SSSDBG_CONF_SETTINGS, + "Failed to read list of PAM services " + "allowed to perform smartcard authentication, using default.\n"); + pam_cert_pam_services = (char**) sc_services; + } + + for (c = 0; pam_cert_pam_services[c] != NULL; c++) { + if (strcmp(pd->service, pam_cert_pam_services[c]) == 0) { break; } } - if (sc_services[c] == NULL) { + + result = pam_cert_pam_services[c] != NULL; + + if (pam_cert_pam_services != sc_services) { + talloc_free(pam_cert_pam_services); + } + + if (result == false) { DEBUG(SSSDBG_CRIT_FAILURE, "Smartcard authentication for service [%s] not supported.\n", pd->service); - return false; } - return true; + return result; } static errno_t get_p11_child_write_buffer(TALLOC_CTX *mem_ctx,
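Review bot: The fallback branch conflates "option not configured" with "read failed": `confdb_get_string_as_list` presumably returns ENOENT when `pam_cert_pam_services` is simply absent (verify in confdb.c), so every authentication on an unconfigured host logs "Failed to read list of PAM services ... using default" while a genuine failure such as ENOMEM is indistinguishable from the default case; split the two with `if (ret != EOK && ret != ENOENT) { DEBUG(SSSDBG_OP_FAILURE, "Failed to read " CONFDB_PAM_CERT_PAM_SERVICES ": [%d]\n", ret); }` followed by `if (ret != EOK) { pam_cert_pam_services = (char **) sc_services; }`. This lookup also runs on every PAM request and allocates on the long-lived `pctx`; if `pam_app_services` (CONFDB_PAM_APP_SERVICES in the confdb.h hunk) is loaded once into `pam_ctx` at responder start, load this option the same way so the per-request path does no confdb access and cannot leak a partially built list on `pctx` when the read fails. Because a configured value replaces the built-in list rather than extending it, an admin who adds one service silently drops login/su/sudo etc.; the sssd.conf(5) text should say so explicitly, e.g. "Setting this option replaces the default list; include the defaults you still want." `may_do_cert_auth` begins in the previous hunk.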