URL: https://github.com/freeipa/freeipa/pull/851
Author: abbra
Title: #851: ipa-kdb: add pkinit authentication indicator in case of a successful certauth
Action: opened

PR body:
"""
We automatically add 'otp' and 'radius' authentication indicators when
pre-authentication with OTP or RADIUS did succeed. Do the same for
certauth-based pre-authentication (PKINIT).

A default PKINIT configuration does not add any authentication
indicators unless 'pkinit_indicator = pkinit' is set in kdc.conf.
Unfortunately, modifying kdc.conf automatically is a bit more
complicated than modifying krb5.conf. Given that we have 'otp' and
'radius' authentication indicators also defined in the code not in the
kdc.conf, this change is following an established trend.

SSSD certauth interface does not provide additional information about
which rule(s) succeeded in matching the incoming certificate. Thus,
there is not much information we can automatically provide in the
indicator. It would be good to generate indicators that include some
information from the certmapping rules in future but for now a single
'pkinit' indicator is enough.

Fixes https://pagure.io/freeipa/issue/6736
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/851/head:pr851
git checkout pr851

From e024dee52a58a3fccc37e1a96a83f617d85e4a5d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Sun, 4 Jun 2017 22:49:13 +0300
Subject: [PATCH] ipa-kdb: add pkinit authentication indicator in case of a
 successful certauth

We automatically add 'otp' and 'radius' authentication indicators when
pre-authentication with OTP or RADIUS did succeed. Do the same for
certauth-based pre-authentication (PKINIT).

A default PKINIT configuration does not add any authentication
indicators unless 'pkinit_indicator = pkinit' is set in kdc.conf.
Unfortunately, modifying kdc.conf automatically is a bit more
complicated than modifying krb5.conf. Given that we have 'otp' and
'radius' authentication indicators also defined in the code not in the
kdc.conf, this change is following an established trend.

SSSD certauth interface does not provide additional information about
which rule(s) succeeded in matching the incoming certificate. Thus,
there is not much information we can automatically provide in the
indicator. It would be good to generate indicators that include some
information from the certmapping rules in future but for now a single
'pkinit' indicator is enough.

Fixes https://pagure.io/freeipa/issue/6736
---
 daemons/ipa-kdb/ipa_kdb_certauth.c | 36 ++++++++++++++++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c
index dbe7a04437..da9a9cb87f 100644
--- a/daemons/ipa-kdb/ipa_kdb_certauth.c
+++ b/daemons/ipa-kdb/ipa_kdb_certauth.c
@@ -267,6 +267,7 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
     int ret;
     size_t c;
     char *principal = NULL;
+    char **auth_inds = NULL;
     LDAPMessage *res = NULL;
     krb5_error_code kerr;
     LDAPMessage *lentry;
@@ -350,6 +351,20 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
         goto done;
     }
 
+    /* Associate authentication indicator "pkinit" with the successful match.
+     * SSSD interface doesn't give us a clue which rule did match
+     * so there is nothing more to add here. */
+    auth_inds = calloc(2, sizeof(char *));
+    if (auth_inds != NULL) {
+	ret = asprintf(&auth_inds[0], "pkinit");
+	if (ret != -1) {
+            auth_inds[1] = NULL;
+            *authinds_out = auth_inds;
+	} else {
+	    free(auth_inds);
+        }
+    }
+
     /* TODO: add more tests ? */
 
     ret = 0;
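Review bot: the allocation-failure branches in this hunk (calloc returning NULL at `auth_inds = calloc(2, sizeof(char *));`, or `asprintf` returning -1) fall through silently to `ret = 0;`, so the KDC still treats the certificate as authorized but issues a ticket with no 'pkinit' indicator; a service that gates access on that indicator will then reject the ticket for a reason that is hard to diagnose. Consider returning an error from both failure paths (for example ENOMEM via the existing `goto done`) rather than dropping the indicator. Smaller points: `asprintf(&auth_inds[0], "pkinit")` with a fixed format string is just `strdup("pkinit")`; `auth_inds[1] = NULL;` is already guaranteed by calloc; and the new lines mix tab and space indentation (the `ret = asprintf(...)`, `if (ret != -1) {`, `} else {` and `free(auth_inds);` lines are tab-indented while the rest of the file uses spaces).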
@@ -384,6 +399,24 @@ static void ipa_certauth_fini(krb5_context context,
     return;
 }
 
+static void ipa_certauth_free_indicator(krb5_context context,
+                                        krb5_certauth_moddata moddata,
+                                        char **authinds)
+{
+    size_t i = 0;
+
+    if ((authinds == NULL) || (moddata == NULL)) {
+	return;
+    }
+
+    for(i=0; authinds[i]; i++) {
+	free(authinds[i]);
+	authinds[i] = NULL;
+    }
+
+    free(authinds);
+}
+
 
 krb5_error_code certauth_ipakdb_initvt(krb5_context context,
                                           int maj_ver, int min_ver,
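Review bot: the early return on `moddata == NULL` in `if ((authinds == NULL) || (moddata == NULL))` leaks the indicator array: `ipa_certauth_free_indicator` never uses `moddata`, so if the KDC ever invokes `free_ind` with a NULL module-data pointer neither the strings nor the array are released. Keep only the `authinds == NULL` guard. Style: the body mixes tab and space indentation (`return;`, `free(authinds[i]);` and `authinds[i] = NULL;` are tab-indented), `for(i=0; authinds[i]; i++)` should be spaced as `for (i = 0; authinds[i]; i++)` to match the rest of the file, and the hunk leaves two blank lines before `krb5_error_code certauth_ipakdb_initvt` where one already existed.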
@@ -401,7 +434,6 @@ krb5_error_code certauth_ipakdb_initvt(krb5_context context,
     vt->authorize = ipa_certauth_authorize;
     vt->init = ipa_certauth_init;
     vt->fini = ipa_certauth_fini;
-    /* currently we do not return authentication indicators */
-    vt->free_ind = NULL;
+    vt->free_ind = ipa_certauth_free_indicator;
     return 0;
 }