URL: https://github.com/SSSD/sssd/pull/870
Author: sumit-bose
Title: #870: pam: do not accept empty PIN
Action: opened

PR body:
"""
The current check for an empty PIN was incomplete and if no PIN was
given pam_sss should not send a request to SSSD's pam responder. This
would match the behavior if a user name hint should be requested as
well.

Related to: https://pagure.io/SSSD/sssd/issue/4068
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/870/head:pr870
git checkout pr870
From 096ec67face02ccaf1cf5d648bfbb1360512a33a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Tue, 20 Aug 2019 12:11:30 +0200
Subject: [PATCH] pam: do not accept empty PIN

The current check for an empty PIN was incomplete and if no PIN was
given pam_sss should not send a request to SSSD's pam responder. This
would match the behavior if a user name hint should be requested as
well.

Related to: https://pagure.io/SSSD/sssd/issue/4068
---
 src/sss_client/pam_sss.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index cfd3e3731d..435f72edc7 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1905,10 +1905,10 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
         }
     }
 
-    if (answer == NULL) {
-        pi->pam_authtok = NULL;
-        pi->pam_authtok_type = SSS_AUTHTOK_TYPE_EMPTY;
-        pi->pam_authtok_size=0;
+    if (answer == NULL || *answer == '\0') {
+        D(("Missing PIN."));
+        ret = PAM_CRED_INSUFFICIENT;
+        goto done;
     } else {
 
         ret = sss_auth_pack_sc_blob(answer, 0, cai->token_name, 0,
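Review bot: In the new `if (answer == NULL || *answer == '\0')` branch, the empty-string case reaches `goto done` with `answer` still non-NULL, so please confirm that the `done` path (not visible in this hunk) releases `answer` on that route. The removed lines also no longer reset `pi->pam_authtok`, `pi->pam_authtok_type` and `pi->pam_authtok_size`, so whatever `pi` held before is kept; that is fine only if every caller stops on `PAM_CRED_INSUFFICIENT` and never forwards `pi` to the responder. Because the branch now always leaves via `goto done`, the `} else {` that follows is redundant and the packing code could be de-indented. A one-line comment saying why an empty PIN is rejected here instead of being sent as `SSS_AUTHTOK_TYPE_EMPTY` would help future readers.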