URL: https://github.com/SSSD/sssd/pull/5294
Author: sumit-bose
Title: #5294: krb5: only try pkinit with Smartcard credentials
Action: opened

PR body:
"""
Currently pkinit is tried if a Smartcard is present. But depending on
the used PAM service and other configurations it might happen that the
user didn't provide the Smartcard PIN but e.g. the password. Hence,
before trying pkinit we should check if the right credentials are
available.

Resolves:
https://github.com/SSSD/sssd/issues/5290
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5294/head:pr5294
git checkout pr5294
From 9322b5dbd9e25db43124a7a8e3b649f41b6fc31f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Mon, 24 Aug 2020 11:29:23 +0200
Subject: [PATCH] krb5: only try pkinit with Smartcard credentials

Currently pkinit is tried if a Smartcard is present. But depending on
the used PAM service and other configurations it might happen that the
user didn't provide the Smartcard PIN but e.g. the password. Hence,
before trying pkinit we should check if the right credentials are
available.

Resolves:
https://github.com/SSSD/sssd/issues/5290
---
 src/providers/krb5/krb5_child.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index a998c95b76..cf9080f2c4 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -804,7 +804,11 @@ static krb5_error_code sss_krb5_responder(krb5_context ctx,
                     return kerr;
                 }
             } else if (strcmp(question_list[c],
-                       KRB5_RESPONDER_QUESTION_PKINIT) == 0) {
+                              KRB5_RESPONDER_QUESTION_PKINIT) == 0
+                        && (sss_authtok_get_type(kr->pd->authtok)
+                                               == SSS_AUTHTOK_TYPE_SC_PIN
+                            || sss_authtok_get_type(kr->pd->authtok)
+                                               == SSS_AUTHTOK_TYPE_SC_KEYPAD)) {
                 return answer_pkinit(ctx, kr, rctx);
             }
         }
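Review bot: with the extended condition, a KRB5_RESPONDER_QUESTION_PKINIT question whose authtok type is neither SSS_AUTHTOK_TYPE_SC_PIN nor SSS_AUTHTOK_TYPE_SC_KEYPAD now matches no branch of this else-if chain and the loop simply moves on to the next question, leaving no trace of why pkinit was not attempted; please add a short comment above the branch explaining that pkinit is intentionally skipped for non-Smartcard credentials and a DEBUG() message in that skipped case, so that a user who supplied a password instead of a PIN can see from the logs that pkinit was deliberately not tried rather than failing silently. As a style point, reading sss_authtok_get_type(kr->pd->authtok) once into a local before the chain instead of calling it twice inside the condition would also shorten the wrapped expression.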
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org