pam: add pam_gssapi_services option

SSSD · Oct 27, 2020 · a213fb8 · a213fb8
1 parent 5572bcc
commit a213fb8
Show file tree

Hide file tree

Showing 9 changed files with 75 additions and 2 deletions.
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
@@ -1581,6 +1581,18 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
         }
     }
 
+    tmp = ldb_msg_find_attr_as_string(res->msgs[0], CONFDB_PAM_GSSAPI_SERVICES,
+                                      NULL);
+    if (tmp != NULL) {
+        ret = split_on_separator(domain, tmp, ',', true, true,
+                                 &domain->gssapi_services, NULL);
+        if (ret != 0) {
+            DEBUG(SSSDBG_FATAL_FAILURE,
+                  "Cannot parse %s\n", CONFDB_PAM_GSSAPI_SERVICES);
+            goto done;
+        }
+    }
+
     domain->has_views = false;
     domain->view_name = NULL;
 

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
@@ -144,6 +144,7 @@
 #define CONFDB_PAM_P11_ALLOWED_SERVICES "pam_p11_allowed_services"
 #define CONFDB_PAM_P11_URI "p11_uri"
 #define CONFDB_PAM_INITGROUPS_SCHEME "pam_initgroups_scheme"
+#define CONFDB_PAM_GSSAPI_SERVICES "pam_gssapi_services"
 
 /* SUDO */
 #define CONFDB_SUDO_CONF_ENTRY "config/sudo"
@@ -431,6 +432,9 @@ struct sss_domain_info {
 
     /* Keytab used by this domain. */
     const char *krb5_keytab;
+
+    /* List of PAM services that are allowed to authenticate with GSSAPI. */
+    char **gssapi_services;
 };
 
 /**

diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py
@@ -104,6 +104,7 @@ def __init__(self):
         'p11_wait_for_card_timeout': _('Additional timeout to wait for a card if requested'),
         'p11_uri': _('PKCS#11 URI to restrict the selection of devices for Smartcard authentication'),
         'pam_initgroups_scheme' : _('When shall the PAM responder force an initgroups request'),
+        'pam_gssapi_services' : _('List of PAM services that are allowed to authenticate with GSSAPI.'),
 
         # [sudo]
         'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'),

diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
@@ -653,7 +653,8 @@ def testListOptions(self):
             'full_name_format',
             're_expression',
             'cached_auth_timeout',
-            'auto_private_groups']
+            'auto_private_groups',
+            'pam_gssapi_services']
 
         self.assertTrue(type(options) == dict,
                         "Options should be a dictionary")
@@ -1030,7 +1031,8 @@ def testRemoveProvider(self):
             'full_name_format',
             're_expression',
             'cached_auth_timeout',
-            'auto_private_groups']
+            'auto_private_groups',
+            'pam_gssapi_services']
 
         self.assertTrue(type(options) == dict,
                         "Options should be a dictionary")

diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
@@ -139,6 +139,7 @@ option = pam_p11_allowed_services
 option = p11_wait_for_card_timeout
 option = p11_uri
 option = pam_initgroups_scheme
+option = pam_gssapi_services
 
 [rule/allowed_sudo_options]
 validator = ini_allowed_options
@@ -437,6 +438,7 @@ option = wildcard_limit
 option = full_name_format
 option = re_expression
 option = auto_private_groups
+option = pam_gssapi_services
 
 #Entry cache timeouts
 option = entry_cache_user_timeout

diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
@@ -80,6 +80,7 @@ pam_p11_allowed_services = str, None, false
 p11_wait_for_card_timeout = int, None, false
 p11_uri = str, None, false
 pam_initgroups_scheme = str, None, false
+pam_gssapi_services = str, None, false
 
 [sudo]
 # sudo service
@@ -199,6 +200,7 @@ cached_auth_timeout = int, None, false
 full_name_format = str, None, false
 re_expression = str, None, false
 auto_private_groups = str, None, false
+pam_gssapi_services = str, None, false
 
 #Entry cache timeouts
 entry_cache_user_timeout = int, None, false

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
@@ -1706,6 +1706,30 @@ p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2
                         </para>
                     </listitem>
                 </varlistentry>
+                <varlistentry>
+                    <term>pam_gssapi_services</term>
+                    <listitem>
+                        <para>
+                            Comma separated list of PAM services that are
+                            allowed to try GSSAPI authentication using
+                            pam_sss_gss.so module. This option can be also set
+                            in domain section.
+                        </para>
+                        <para>
+                            Note: This option can also be set per-domain which
+                            overwrites the value in [pam] section.
+                        </para>
+                        <para>
+                            Example:
+                            <programlisting>
+pam_gssapi_services = sudo, sudo-i
+                            </programlisting>
+                        </para>
+                        <para>
+                            Default: Not set (GSSAPI authentication is disabled)
+                        </para>
+                    </listitem>
+                </varlistentry>
             </variablelist>
         </refsect2>
 

diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
@@ -327,6 +327,29 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
         }
     }
 
+    ret = confdb_get_string(pctx->rctx->cdb, pctx, CONFDB_PAM_CONF_ENTRY,
+                            CONFDB_PAM_GSSAPI_SERVICES, NULL, &tmpstr);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_FATAL_FAILURE,
+              "Failed to determine gssapi services.\n");
+        goto done;
+    }
+    DEBUG(SSSDBG_TRACE_INTERNAL, "Found value [%s] for option [%s].\n", tmpstr,
+                                 CONFDB_PAM_GSSAPI_SERVICES);
+
+    if (tmpstr == NULL) {
+        pctx->gssapi_services = NULL;
+    } else {
+        ret = split_on_separator(pctx, tmpstr, ',', true, true,
+                                 &pctx->gssapi_services, NULL);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_MINOR_FAILURE,
+                  "split_on_separator() failed [%d]: [%s].\n", ret,
+                  sss_strerror(ret));
+            goto done;
+        }
+    }
+
     /* The responder is initialized. Now tell it to the monitor. */
     ret = sss_monitor_service_init(rctx, rctx->ev, SSS_BUS_PAM,
                                    SSS_PAM_SBUS_SERVICE_NAME,

diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
@@ -62,6 +62,9 @@ struct pam_ctx {
     int num_prompting_config_sections;
 
     enum pam_initgroups_scheme initgroups_scheme;
+
+    /* List of PAM services that are allowed to authenticate with GSSAPI. */
+    char **gssapi_services;
 };
 
 struct pam_auth_req {