>From f614eb853b2aac83c3994c55976c6135e3fc89d6 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Mon, 21 Dec 2009 14:51:32 +0100
Subject: [PATCH] Return an error for an unknown PAM request
---
 server/providers/data_provider_be.c | 9 +++++++--
 server/providers/krb5/krb5_auth.c | 24 ++++++++++++++++++------
 server/providers/ldap/ldap_auth.c | 10 ++++++++--
 server/providers/proxy.c | 10 ++++++++--
 4 files changed, 41 insertions(+), 12 deletions(-)
diff --git a/server/providers/data_provider_be.c b/server/providers/data_provider_be.c
index b1af7bf..4c0d700 100644
--- a/server/providers/data_provider_be.c
+++ b/server/providers/data_provider_be.c
@@ -584,10 +584,15 @@ static int be_pam_handler(DBusMessage *message, struct sbus_connection *conn)
 case SSS_PAM_CHAUTHTOK_PRELIM:
 target = BET_CHPASS;
 break;
+ case SSS_PAM_SETCRED:
+ case SSS_PAM_OPEN_SESSION:
+ case SSS_PAM_CLOSE_SESSION:
+ pd->pam_status = PAM_SUCCESS;
+ goto done;
+ break;
 default:
 DEBUG(7, ("Unsupported PAM command [%d].\n", pd->cmd));
- pd->pam_status = PAM_SUCCESS;
- ret = EOK;
+ pd->pam_status = PAM_MODULE_UNKNOWN;
 goto done;
 }
diff --git a/server/providers/krb5/krb5_auth.c b/server/providers/krb5/krb5_auth.c
index a124371..a9f577d 100644
--- a/server/providers/krb5/krb5_auth.c
+++ b/server/providers/krb5/krb5_auth.c
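Review bot: Both early exits in be_pam_handler now reach `done` without assigning `ret`: the new SETCRED/OPEN_SESSION/CLOSE_SESSION case never sets it, and the `default` branch drops the old `ret = EOK;`. What `done` does with `ret` lies outside this hunk, so the reply for an unknown command depends on whatever earlier code left in that variable. If the intent is to deliver PAM_MODULE_UNKNOWN to the client as a normal reply, keep `ret = EOK;` before each `goto done;`. The `break;` after `goto done;` in the new case is unreachable and can be dropped; krb5_auth.c has the same leftover.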
@@ -713,12 +713,24 @@ void krb5_pam_handler(struct be_req *be_req)
 pd = talloc_get_type(be_req->req_data, struct pam_data);
- if (pd->cmd != SSS_PAM_AUTHENTICATE && pd->cmd != SSS_PAM_CHAUTHTOK &&
- pd->cmd != SSS_PAM_CHAUTHTOK_PRELIM) {
- DEBUG(4, ("krb5 does not handles pam task %d.\n", pd->cmd));
- pam_status = PAM_SUCCESS;
- dp_err = DP_ERR_OK;
- goto done;
+ switch (pd->cmd) {
+ case SSS_PAM_AUTHENTICATE:
+ case SSS_PAM_CHAUTHTOK:
+ case SSS_PAM_CHAUTHTOK_PRELIM:
+ break;
+ case SSS_PAM_ACCT_MGMT:
+ case SSS_PAM_SETCRED:
+ case SSS_PAM_OPEN_SESSION:
+ case SSS_PAM_CLOSE_SESSION:
+ pam_status = PAM_SUCCESS;
+ dp_err = DP_ERR_OK;
+ goto done;
+ break;
+ default:
+ DEBUG(4, ("krb5 does not handles pam task %d.\n", pd->cmd));
+ pam_status = PAM_MODULE_UNKNOWN;
+ dp_err = DP_ERR_OK;
+ goto done;
 }
 if (be_is_offline(be_req->be_ctx) &&
diff --git a/server/providers/ldap/ldap_auth.c b/server/providers/ldap/ldap_auth.c
index 28b3240..fbb4e53 100644
--- a/server/providers/ldap/ldap_auth.c
+++ b/server/providers/ldap/ldap_auth.c
@@ -880,13 +880,19 @@ void sdap_pam_auth_handler(struct be_req *breq)
 tevent_req_set_callback(subreq, sdap_pam_auth_done, state);
 return;
-/* FIXME: handle other cases */
 case SSS_PAM_CHAUTHTOK:
 break;
- default:
+ case SSS_PAM_ACCT_MGMT:
+ case SSS_PAM_SETCRED:
+ case SSS_PAM_OPEN_SESSION:
+ case SSS_PAM_CLOSE_SESSION:
 pd->pam_status = PAM_SUCCESS;
 dp_err = DP_ERR_OK;
+ break;
+ default:
+ pd->pam_status = PAM_MODULE_UNKNOWN;
+ dp_err = DP_ERR_OK;
 }
 done:
diff --git a/server/providers/proxy.c b/server/providers/proxy.c
index 080479c..12bb25e 100644
--- a/server/providers/proxy.c
+++ b/server/providers/proxy.c
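Review bot: The new `case SSS_PAM_ACCT_MGMT:` in krb5_pam_handler answers an account-management request with PAM_SUCCESS without evaluating anything, so it fails open on an access decision. The same label is added in sdap_pam_auth_handler in ldap_auth.c. Whether either handler can be reached for ACCT_MGMT is not visible in these hunks, so please confirm the routing. If the success is intentional, say so at the label, for example `/* access control is decided by the access provider; nothing to check here */`. The body of krb5_pam_handler continues outside the hunk.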
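Review bot: The `default` branch in sdap_pam_auth_handler returns PAM_MODULE_UNKNOWN without logging anything, while the other three handlers touched by this patch emit a DEBUG line on the same path. An unexpected command number is worth recording for troubleshooting and for spotting misbehaving clients. Add `DEBUG(4, ("Unsupported PAM task [%d].\n", pd->cmd));` as the first statement of the branch. The switch itself starts outside the hunk.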
@@ -145,10 +145,16 @@ static void proxy_pam_handler(struct be_req *req) {
 ctx = talloc_get_type(req->be_ctx->bet_info[BET_ACCESS].pvt_bet_data, struct proxy_auth_ctx);
 break;
+ case SSS_PAM_SETCRED:
+ case SSS_PAM_OPEN_SESSION:
+ case SSS_PAM_CLOSE_SESSION:
+ pd->pam_status = PAM_SUCCESS;
+ proxy_reply(req, DP_ERR_OK, EOK, NULL);
+ return;
 default:
 DEBUG(1, ("Unsupported PAM task.\n"));
- pd->pam_status = PAM_SUCCESS;
- proxy_reply(req, DP_ERR_OK, PAM_SUCCESS, NULL);
+ pd->pam_status = PAM_MODULE_UNKNOWN;
+ proxy_reply(req, DP_ERR_OK, EINVAL, "Unsupported PAM task");
 return;
 }
-- 
1.6.5.2
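Review bot: The `default` branch of proxy_pam_handler replies with `DP_ERR_OK` together with `EINVAL` and an error string, whereas krb5 and ldap report the same condition with `DP_ERR_OK` and only the PAM status. How proxy_reply treats that combination is not visible here, so confirm the client still receives PAM_MODULE_UNKNOWN rather than a generic failure. The log line also omits the command number, unlike be_pam_handler and krb5; `DEBUG(1, ("Unsupported PAM task [%d].\n", pd->cmd));` would make the event traceable.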