URL: https://github.com/SSSD/sssd/pull/692 Author: sumit-bose Title: #692: pam_sss: return PAM_AUTHINFO_UNAVAIL if sc options are set Action: opened
PR body: """ If pam_sss is called for PAM_USER root it currently returns PAM_USER_UNKNOWN since SSSD does not handle root. To meet the documented behavior if one of the sc options is used pam_sss should return PAM_AUTHINFO_UNAVAIL in this case as well. Related to https://pagure.io/SSSD/sssd/issue/3876 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/692/head:pr692 git checkout pr692
From 71ed6687f76bed0734f75ba412623147a33c6cda Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Wed, 7 Nov 2018 11:49:11 +0100
Subject: [PATCH] pam_sss: return PAM_AUTHINFO_UNAVAIL if sc options are set

If pam_sss is called for PAM_USER root it currently returns PAM_USER_UNKNOWN since SSSD does not handle root. To meet the documented behavior if one to the sc options is used pam_sss should return PAM_AUTHINFO_UNAVAIL in this case as well. Related to https://pagure.io/SSSD/sssd/issue/3876
---
 src/sss_client/pam_sss.c | 4 ++++
 src/tests/intg/test_pam_responder.py | 28 ++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index b4c1036ad..69dc50dfd 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -2378,6 +2378,10 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
 ret = get_pam_items(pamh, flags, &pi);
 if (ret != PAM_SUCCESS) {
 D(("get items returned error: %s", pam_strerror(pamh,ret)));
+ if ((flags & PAM_CLI_FLAGS_TRY_CERT_AUTH)
+ || (flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) ) {
+ return PAM_AUTHINFO_UNAVAIL;
+ }
 if (flags & PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
 ret = PAM_IGNORE;
 }
diff --git a/src/tests/intg/test_pam_responder.py b/src/tests/intg/test_pam_responder.py
index 06f69a3d8..d1ad9affd 100644
--- a/src/tests/intg/test_pam_responder.py
+++ b/src/tests/intg/test_pam_responder.py
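Review bot: The new early return in pam_sss fires for every get_pam_items() failure once a cert-auth flag is set, not only for the PAM_USER_UNKNOWN case the commit message targets; the surrounding code already distinguishes PAM_USER_UNKNOWN from other codes, and any other error get_pam_items() reports would now reach the stack as PAM_AUTHINFO_UNAVAIL instead of its real code, which under try_cert_auth lets the stack continue as if the user merely had no certificate information. Narrowing the condition keeps the stated intent: `if (ret == PAM_USER_UNKNOWN && (flags & (PAM_CLI_FLAGS_TRY_CERT_AUTH | PAM_CLI_FLAGS_REQUIRE_CERT_AUTH))) {`. The added `return` also leaves the function from inside the error branch rather than following the existing `ret = PAM_IGNORE` path; pam_sss continues outside the hunk, so whether this skips cleanup of pi cannot be seen here and should be checked. A one-line comment such as `/* SSSD does not handle root; with the sc options report missing auth info rather than an unknown user */` would record why this branch exists.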
@@ -388,3 +388,31 @@ def test_try_sc_auth(simple_pam_cert_auth, env_for_sssctl):
 raise Exception("sssctl failed")
 assert err.find("pam_authenticate for user [user1]: Success") != -1
+
+
+def test_try_sc_auth_root(simple_pam_cert_auth, env_for_sssctl):
+ """
+ Make sure pam_sss returns PAM_AUTHINFO_UNAVAIL even for root if
+ try_cert_auth is set.
+ """
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "root",
+ "--action=auth",
+ "--service=pam_sss_try_sc"],
+ universal_newlines=True,
+ env=env_for_sssctl, stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+ try:
+ out, err = sssctl.communicate(input="123456")
+ except:
+ sssctl.kill()
+ out, err = sssctl.communicate()
+
+ sssctl.stdin.close()
+ sssctl.stdout.close()
+
+ if sssctl.wait() != 0:
+ raise Exception("sssctl failed")
+
+ assert err.find("pam_authenticate for user [root]: Authentication " +
+ "service cannot retrieve authentication info") != -1
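Review bot: The bare `except:` in test_try_sc_auth_root catches BaseException, including KeyboardInterrupt and SystemExit, so an interrupted run kills sssctl and then carries on to the assertion; `except Exception:` is the PEP 8 form and keeps the same recovery behaviour. The test closes stdin and stdout but never calls `sssctl.stderr.close()`, although stderr is the pipe whose contents the assertion reads, so a ResourceWarning is left behind. The expected message is the English pam_strerror() text for PAM_AUTHINFO_UNAVAIL, so the test presumably relies on env_for_sssctl supplying a C or English locale; the neighbouring test_try_sc_auth appears to share that dependency, but it is worth confirming in the fixture.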