Make it clear to the API users that we cannot take arbitrary auth tokens.
We can only take a password for now so simplify and clarify the interface.
Signed-off-by: Simo Sorce <simo(a)redhat.com>
---
src/db/sysdb.h | 3 +--
src/db/sysdb_ops.c | 12 +-----------
src/providers/krb5/krb5_auth.c | 21 +++++++++++++++++----
src/responder/pam/pamsrv_cmd.c | 39 ++++++++++++++++++++++++---------------
src/tests/sysdb-tests.c | 6 ++----
5 files changed, 45 insertions(+), 36 deletions(-)
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 0ce6beaa361bcb5930e64c31fc3763a230881e9a..9fda885211024e666bf592e05e4c8701ff409998
100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -749,8 +749,7 @@ errno_t check_failed_login_attempts(struct confdb_ctx *cdb,
time_t *delayed_until);
int sysdb_cache_auth(struct sysdb_ctx *sysdb,
const char *name,
- const uint8_t *authtok,
- size_t authtok_size,
+ const char *password,
struct confdb_ctx *cdb,
bool just_check,
time_t *_expire_date,
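Review bot: The new `password` parameter has no contract comment, and since the body hunk in sysdb_ops.c drops both the private copy and the zeroing loop, sysdb_cache_auth no longer scrubs the credential it is handed; every caller now owns the buffer's termination, lifetime and wiping. The declaration should say so, e.g. `/* password: NUL-terminated cleartext credential. The function only reads it; the caller keeps ownership and must zeroize the buffer after the call returns. */`. The prototype continues past the end of the hunk.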
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 52f0cef54b9819b1f5d754dcbd56abd1d7cb0e96..9f476e98ef0c09f39659d52b927224a20e42db07
100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -2654,8 +2654,7 @@ done:
int sysdb_cache_auth(struct sysdb_ctx *sysdb,
const char *name,
- const uint8_t *authtok,
- size_t authtok_size,
+ const char *password,
struct confdb_ctx *cdb,
bool just_check,
time_t *_expire_date,
@@ -2670,7 +2669,6 @@ int sysdb_cache_auth(struct sysdb_ctx *sysdb,
struct ldb_message *ldb_msg;
const char *userhash;
char *comphash;
- char *password = NULL;
uint64_t lastLogin = 0;
int cred_expiration;
uint32_t failed_login_attempts = 0;
@@ -2756,13 +2754,6 @@ int sysdb_cache_auth(struct sysdb_ctx *sysdb,
/* TODO: verify user account (disabled, expired ...) */
- password = talloc_strndup(tmp_ctx, (const char *)authtok, authtok_size);
- if (password == NULL) {
- DEBUG(1, ("talloc_strndup failed.\n"));
- ret = ENOMEM;
- goto done;
- }
-
userhash = ldb_msg_find_attr_as_string(ldb_msg, SYSDB_CACHEDPWD, NULL);
if (userhash == NULL || *userhash == '\0') {
DEBUG(4, ("Cached credentials not available.\n"));
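Review bot: The removed talloc_strndup was the only thing that stopped a NULL token here — with a NULL authtok it returned NULL and the function left with ENOMEM — whereas the new code hands the caller's `password` pointer straight on to whatever consumes it below the hunk. Unless a guard exists earlier in the function, add one at entry so a NULL credential is rejected explicitly rather than dereferenced: `if (password == NULL) { ret = EINVAL; goto done; }`. The same hunk also removed the last place this function cleared the cleartext, so the wiping responsibility has silently moved to the callers; the body of sysdb_cache_auth extends beyond this hunk.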
@@ -2846,7 +2837,6 @@ done:
if (_delayed_until != NULL) {
*_delayed_until = delayed_until;
}
- if (password) for (i = 0; password[i]; i++) password[i] = 0;
if (ret) {
ldb_transaction_cancel(sysdb->ldb);
} else {
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 70dd988a7d28d19fe09946eedd90d713b35a4621..715f8601a77a8a3291f7b6c35b6a59b8a9b85c9b
100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -277,16 +277,23 @@ static void krb5_auth_cache_creds(struct krb5_ctx *krb5_ctx,
struct pam_data *pd, uid_t uid,
int *pam_status, int *dp_err)
{
+ char *password = NULL;
errno_t ret;
- ret = sysdb_cache_auth(sysdb, pd->user, pd->authtok,
- pd->authtok_size, cdb, true, NULL,
- NULL);
+ password = talloc_strndup(state, pd->authtok, pd->authtok_size);
+ if (!password) {
+ DEBUG(0, ("Out of memory copying password\n"));
+ *pam_status = PAM_SYSTEM_ERR;
+ *dp_err = DP_ERR_OK;
+ return;
+ }
+
+ ret = sysdb_cache_auth(sysdb, pd->user, password, cdb, true, NULL, NULL);
if (ret != EOK) {
DEBUG(1, ("Offline authentication failed\n"));
*pam_status = PAM_SYSTEM_ERR;
*dp_err = DP_ERR_OK;
- return;
+ goto done;
}
ret = add_user_to_delayed_online_authentication(krb5_ctx, pd, uid);
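Review bot: `talloc_strndup(state, pd->authtok, pd->authtok_size)` passes `pd->authtok` without a cast, yet the old call handed the same field unchanged to a `const uint8_t *` parameter, so it is presumably `uint8_t *` and the new call will draw an incompatible-pointer-type warning against talloc_strndup's `const char *`; `(const char *)pd->authtok` is needed as in the test file's old cast. The talloc parent `state` is also not among the parameters visible in this hunk (the list is cut between the first two signature lines); if it is not in scope, use a context that is, such as `pd`. The function's tail is in the following hunk.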
@@ -296,6 +303,12 @@ static void krb5_auth_cache_creds(struct krb5_ctx *krb5_ctx,
}
*pam_status = PAM_AUTHINFO_UNAVAIL;
*dp_err = DP_ERR_OFFLINE;
+
+done:
+ if (password) {
+ for (i = 0; password[i]; i++) password[i] = 0;
+ talloc_zfree(password);
+ }
}
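Review bot: The zeroing loop `for (i = 0; password[i]; i++) password[i] = 0;` uses `i`, but the only locals declared at the top of krb5_auth_cache_creds in the previous hunk are `password` and `ret`, so this will not compile unless `i` is declared somewhere outside the hunks. Declare it with the loop, `for (size_t i = 0; password[i]; i++) password[i] = 0;`, or add `size_t i;` to the locals. The `if (password)` guard is also redundant here, since the OOM branch earlier in the function returns before reaching `done`.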
static errno_t krb5_auth_prepare_ccache_file(struct krb5child_req *kr,
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 2b20544d1baf78ade232f93a2c91378ec6a7645c..8ab90e30e3f553c95a43db3ce69799b8b6d24d76
100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -731,7 +731,6 @@ static void pam_reply(struct pam_auth_req *preq)
struct timeval tv;
struct tevent_timer *te;
struct pam_data *pd;
- struct sysdb_ctx *sysdb;
struct pam_ctx *pctx;
uint32_t user_info_type;
time_t exp_date = -1;
@@ -751,24 +750,34 @@ static void pam_reply(struct pam_auth_req *preq)
if ((preq->domain != NULL) &&
(preq->domain->cache_credentials == true) &&
(pd->offline_auth == false)) {
+ const char *password = NULL;
- /* do auth with offline credentials */
- pd->offline_auth = true;
+ /* do auth with offline credentials */
+ pd->offline_auth = true;
- sysdb = preq->domain->sysdb;
- if (sysdb == NULL) {
- DEBUG(0, ("Fatal: Sysdb CTX not found for "
- "domain [%s]!\n",
preq->domain->name));
- goto done;
- }
+ if (preq->domain->sysdb == NULL) {
+ DEBUG(0, ("Fatal: Sysdb CTX not found for domain"
+ " [%s]!\n", preq->domain->name));
+ goto done;
+ }
- ret = sysdb_cache_auth(sysdb, pd->user,
- pd->authtok, pd->authtok_size,
- pctx->rctx->cdb, false,
- &exp_date, &delay_until);
+ password = talloc_strndup(preq, pd->authtok, pd->authtok_size);
+ if (!password) {
+ DEBUG(0, ("Fatal: Out of memory copying password\n"));
+ goto done;
+ }
- pam_cache_auth_done(preq, ret, exp_date, delay_until);
- return;
+ ret = sysdb_cache_auth(preq->domain->sysdb,
+ pd->user, password,
+ pctx->rctx->cdb, false,
+ &exp_date, &delay_until);
+
+ pam_cache_auth_done(preq, ret, exp_date, delay_until);
+ if (password) {
+ for (i = 0; password[i]; i++) password[i] = 0;
+ talloc_zfree(password);
+ }
+ return;
}
break;
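Review bot: `password` is declared `const char *password = NULL;` at the top of the block, but the scrub loop `password[i] = 0;` later in the same hunk writes through it, which is a hard compile error (assignment to a read-only location); it must be `char *password = NULL;`. The loop also depends on an `i` that is not declared in the visible part of pam_reply, and `pd->authtok` is passed to talloc_strndup without the `(const char *)` cast the old `uint8_t` signature implies. Since the copy is not needed once sysdb_cache_auth returns, scrubbing and freeing it before calling pam_cache_auth_done would also keep the wipe independent of whatever that callback does with `preq`, the talloc parent of the copy. pam_reply starts before this hunk.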
case SSS_PAM_CHAUTHTOK_PRELIM:
diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c
index d9afe7b8830c05dec8bae534f154270bedda84e8..7c111c74f7b06e30475619e9e0f455a7b86f4f2f
100644
--- a/src/tests/sysdb-tests.c
+++ b/src/tests/sysdb-tests.c
@@ -1492,8 +1492,7 @@ static void cached_authentication_without_expiration(const char
*username,
return;
}
- ret = sysdb_cache_auth(test_ctx->sysdb, data->username,
- (const uint8_t *)password, strlen(password),
+ ret = sysdb_cache_auth(test_ctx->sysdb, data->username, password,
test_ctx->confdb, false, &expire_date,
&delayed_until);
fail_unless(ret == expected_result, "sysdb_cache_auth request does not "
@@ -1552,8 +1551,7 @@ static void cached_authentication_with_expiration(const char
*username,
data->attrs, SYSDB_MOD_REP);
fail_unless(ret == EOK, "Could not modify user %s", data->username);
- ret = sysdb_cache_auth(test_ctx->sysdb, data->username,
- (const uint8_t *) password, strlen(password),
+ ret = sysdb_cache_auth(test_ctx->sysdb, data->username, password,
test_ctx->confdb, false, &expire_date,
&delayed_until);
fail_unless(ret == expected_result,
--
1.7.11.4