URL: https://github.com/SSSD/sssd/pull/620
Author: abbra
 Title: #620: Add pam_cert_pam_services option
Action: opened

PR body:
"""
Allow customizing which PAM services are allowed to perform smartcard
authentication.

Fixes: https://pagure.io/SSSD/sssd/issue/3775

"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/620/head:pr620
git checkout pr620
From fcd0db246fb1279d6ffb470d3749d50f1e345aaf Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Fri, 20 Jul 2018 12:06:48 +0300
Subject: [PATCH] Add pam_cert_pam_services option

Allow customizing which PAM services are allowed to perform smartcard
authentication.

Fixes: https://pagure.io/SSSD/sssd/issue/3775

Signed-off-by: Alexander Bokovoy <aboko...@redhat.com>
---
 src/confdb/confdb.h                  |  1 +
 src/config/SSSDConfig/__init__.py.in |  1 +
 src/config/cfg_rules.ini             |  1 +
 src/config/etc/sssd.api.conf         |  1 +
 src/man/sssd.conf.5.xml              | 14 ++++++++++++++
 src/responder/pam/pamsrv_p11.c       | 33 +++++++++++++++++++++++++++------
 6 files changed, 45 insertions(+), 6 deletions(-)

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 8af625f01..7e1116d97 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -131,6 +131,7 @@
 #define CONFDB_PAM_CERT_DB_PATH "pam_cert_db_path"
 #define CONFDB_PAM_P11_CHILD_TIMEOUT "p11_child_timeout"
 #define CONFDB_PAM_APP_SERVICES "pam_app_services"
+#define CONFDB_PAM_CERT_PAM_SERVICES "pam_cert_pam_services"
 
 /* SUDO */
 #define CONFDB_SUDO_CONF_ENTRY "config/sudo"
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 32b74e4c7..ee08765e0 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -103,6 +103,7 @@ option_strings = {
     'pam_cert_db_path' : _('Path to certificate database with PKCS#11 modules.'),
     'p11_child_timeout' : _('How many seconds will pam_sss wait for p11_child to finish'),
     'pam_app_services' : _('Which PAM services are permitted to contact application domains'),
+    'pam_cert_pam_services' : _('Which PAM services are permitted to perform smart card authentication'),
 
     # [sudo]
     'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 551322780..1673abe8d 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -126,6 +126,7 @@ option = pam_cert_auth
 option = pam_cert_db_path
 option = p11_child_timeout
 option = pam_app_services
+option = pam_cert_pam_services
 
 [rule/allowed_sudo_options]
 validator = ini_allowed_options
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 2be2e3e68..67b55674e 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -75,6 +75,7 @@ pam_cert_auth = bool, None, false
 pam_cert_db_path = str, None, false
 p11_child_timeout = int, None, false
 pam_app_services = str, None, false
+pam_cert_pam_services = list, str, false
 
 [sudo]
 # sudo service
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index ed3c10012..5873a4ce2 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1389,6 +1389,20 @@ pam_account_locked_message = Account locked, please contact help desk.
                         </para>
                     </listitem>
                 </varlistentry>
+                <varlistentry>
+                    <term>pam_cert_pam_services (list)</term>
+                    <listitem>
+                        <para>
+                            Which PAM services are permitted to perform
+                            certificate based Smartcard authentication.
+                        </para>
+                        <para>
+                            Default: login, su, su-l, gdm-smartcard,
+                                     gdm-password, kdm, sudo, sudo-i,
+                                     gnome-screensaver
+                        </para>
+                    </listitem>
+                </varlistentry>
 
             </variablelist>
         </refsect2>
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index 0b6a162a4..83f99132a 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -230,6 +230,10 @@ bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd)
     const char *sc_services[] = { "login", "su", "su-l", "gdm-smartcard",
                                   "gdm-password", "kdm", "sudo", "sudo-i",
                                   "gnome-screensaver", NULL };
+    char **pam_cert_pam_services = NULL;
+    int ret;
+    bool result;
+
     if (!pctx->cert_auth) {
         return false;
     }
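Review bot: `int ret;` on the new declaration line departs from this file's convention of `errno_t` for confdb and utility return codes (the neighbouring `static errno_t get_p11_child_write_buffer` uses it); `errno_t ret;` keeps may_do_cert_auth consistent with the rest of pamsrv_p11.c. The function's signature and opening lines lie before this hunk and its body continues in the next one.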
@@ -244,23 +248,40 @@ bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd)
         return false;
     }
 
-    /* TODO: make services configurable */
     if (pd->service == NULL || *pd->service == '\0') {
         return false;
     }
-    for (c = 0; sc_services[c] != NULL; c++) {
-        if (strcmp(pd->service, sc_services[c]) == 0) {
+
+    ret = confdb_get_string_as_list(pctx->rctx->cdb, pctx,
+                                    CONFDB_PAM_CONF_ENTRY,
+                                    CONFDB_PAM_CERT_PAM_SERVICES,
+                                    &pam_cert_pam_services);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CONF_SETTINGS,
+              "Failed to read list of PAM services "
+              "allowed to perform smartcard authentication, using default.\n");
+        pam_cert_pam_services = (char**) sc_services;
+    }
+
+    for (c = 0; pam_cert_pam_services[c] != NULL; c++) {
+        if (strcmp(pd->service, pam_cert_pam_services[c]) == 0) {
             break;
         }
     }
-    if  (sc_services[c] == NULL) {
+
+    result = pam_cert_pam_services[c] != NULL;
+
+    if (pam_cert_pam_services != sc_services) {
+        talloc_free(pam_cert_pam_services);
+    }
+
+    if (result == false) {
         DEBUG(SSSDBG_CRIT_FAILURE,
               "Smartcard authentication for service [%s] not supported.\n",
               pd->service);
-        return false;
     }
 
-    return true;
+    return result;
 }
 
 static errno_t get_p11_child_write_buffer(TALLOC_CTX *mem_ctx,
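Review bot: The `if (ret != EOK)` branch after the confdb_get_string_as_list() call treats "option not configured" and "option configured but unreadable or unparsable" identically, falling back to the hard-coded sc_services list and logging only at SSSDBG_CONF_SETTINGS. For an administrator who set pam_cert_pam_services precisely to narrow the allowed services, a typo or an allocation failure would silently re-enable the wider built-in set, so the fallback should be reserved for the unset case and any other failure should deny. If confdb_get_string_as_list() reports an absent option as ENOENT, as the other confdb getters in this tree appear to do, that distinction is one extra branch, shown below; the "Failed to read ... using default" message is also misleading for the common unset case and reads better as a plain "not set, using built-in list" note. The talloc_free() on the fetched list and the `result` computation below are unaffected.
```c
    /* … unchanged: confdb_get_string_as_list() call … */
    if (ret == ENOENT) {
        /* Option not set: use the built-in list of services. */
        pam_cert_pam_services = (char **) sc_services;
    } else if (ret != EOK) {
        DEBUG(SSSDBG_OP_FAILURE,
              "Failed to read [%s], refusing smartcard authentication "
              "for service [%s].\n",
              CONFDB_PAM_CERT_PAM_SERVICES, pd->service);
        return false;
    }
    /* … unchanged: service lookup loop, talloc_free(), result … */
```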