-
Notifications
You must be signed in to change notification settings - Fork 238
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Initial pkinit support #137
Conversation
There are some Coverity warnings:
|
pam_srv_test doesn't like being run under valgrind: |
48e5be1
to
4bc0525
Compare
Thank you for running the tests, the valgirind issue was the same as the last coverity warning. |
On (09/02/17 02:50), sumit-bose wrote:
Thank you for running the tests, the valgirind issue was the same as the last coverity warning.
The function get_pkinit_identity is defined inside following ifdef
`#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_RESPONDER`
but it is used without this `ifdef`. This feature is not available
on el6 and therefore there is a compilation error:
```
src/providers/krb5/krb5_child.c: In function 'get_and_save_tgt':
src/providers/krb5/krb5_child.c:1493: error: implicit declaration of function
'get_pkinit_identity'
src/providers/krb5/krb5_child.c: In function 'changepw_child':
```
There is also a warning:
```
Error: UNUSED_VALUE (CWE-563): [#def6]
sssd-1.15.1/src/responder/pam/pamsrv_cmd.c:742: returned_value: Assigning value from "pam_check_user_done(preq, ret)" to "ret" here, but that stored value is not used.
# 740| preq->cert_auth_local = true;
# 741| ret = check_cert(cctx, cctx->ev, pctx, preq, pd);
# 742|-> ret = pam_check_user_done(preq, ret);
# 743| return;
# 744| }
```
We should at least log a message.
LS
|
4bc0525
to
2e1925b
Compare
Hi Lukas, thank you for your comments. I move get_pkinit_identity() out if the ifdef block. For pam_check_user_done() I removed the assignment which should hopefully silence the Coverity warning. Since we use pam_check_user_done() without assigning the return code to a variable at other places as well I hope you agree with this. I think we can even make pam_check_user_done() to return void but this should be handled by a different patch. bye, |
There is a small issue where btw I'm battling a bit with the downstream tests, it looks like saying these patches break renewals wasn't right, because there is some issue with tests that makes the renewal downstream tests fail even with the current master. So I'm re-running the tests more or less one by one and inspecting the debug messages to see if we have more failures with the patches than with master. I'm also running some totally manual tests.. I will post more issues (if I see any) here, but in the meantime, I spotted only the function-used-before-defined one. |
OK, apart from the issue with the patch compilation, I found one more with manual testing -- it looks like changing the expired password of a newly created IPA user is not working correctly. I'm getting:
This works fine with the current master. Apart from that, I ran downstream tests for AD, LDAP/LDAP and LDAP/KRB5. Manual testing included:
The code looks mostly good, I will make another pass on it tomorrow, but I suppose if I even ask for anything, it would be comments or so. |
2e1925b
to
545dbaf
Compare
Thank you for review and testing. I fixed the issue with changing the expired password and reordered the patches so that sss_authtok_set_sc is defined before it is used. |
|
||
/* A missing pin is ok in the case of a reader with a keyboard */ | ||
if (pin == NULL) { | ||
pin = ""; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it would be nice to set the pin_len to strlen(pin) here to avoid issues if someone passed in NULL pin but non-zero pin_len. Same with other input strings.
src/sss_client/pam_sss.c
Outdated
&needed_size); | ||
if (ret != EOK) { | ||
D(("sss_auth_pack_sc_blob failed.")); | ||
ret = PAM_BUF_ERR; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looks like pi->pam_authtok is not freed here
src/sss_client/pam_sss.c
Outdated
|
||
if (pi->pam_authtok == NULL) { | ||
ret = PAM_BUF_ERR; | ||
goto done; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this block looks like it belongs before sss_auth_pack_sc_blob and after malloc
The patches work now, if the three small issues above and the individual compilation are addressed, I'll ack |
Since there can be multiple rounds trips between the PAM client and SSSD it might be possible that the same data is send multiple times by SSSD. So before overriding the old data it should be freed. I've seen this with the domain name which is send both in the pre-auth and the auth responses. To be on the safe side I added free() for some other items as well.
ERR_SC_AUTH_NOT_SUPPORTED can be used by backends to indicate that Smartcard authentication is not supported. ERR_NO_AUTH_METHOD_AVAILABLE can be used by backends that no authentication method was found.
The blobs contains beside the PIN the name of the PKCS#11 module and the token name where the certificate of the user was found and the key id. Those data will be used e.g. by the pkinit module to make sure them right certificate is used.
545dbaf
to
24e5ec2
Compare
Thank you for the rigid review, I've fixed the comments move some strucht members to a previous patch to not break the individual compilation. |
On Wed, Feb 22, 2017 at 09:29:02AM -0800, sumit-bose wrote:
Thank you for the rigid review,
Since the review took so long, it better be good :-)
I've fixed the comments move some strucht members to a previous patch to not break the individual compilation.
All my comments were addressed and the patches still work fine. ACK.
|
This series of patches add initial support for PKINIT
(https://fedorahosted.org/sssd/ticket/3270) by forwarding the information about
the selected certificate from the Smartcard to the backends. Currently only
the krb5 backend supports Smartcard authentication the other backends will
return an error code which will tell the PAM responder to fall back to local
Smartcard authentication as it is currently the case.
Testing requires a working PKINIT setup which e.g. can be done with AD by
setting up a CA and generating certificates as described in
https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationTestingWithAD.
But currently more important is regression testing, i.e. making sure all other
authentication methods are still working as expected.