Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PAM: user feedback when login fails due to blocked PIN #6162

Closed
wants to merge 3 commits into from

Conversation

alexey-tikhonov
Copy link
Member

Resolves: #6153

@alexey-tikhonov
Copy link
Member Author

Tested manually:

$ su test2
PIN for test2: 
PIN locked
su: Authentication failure

@alexey-tikhonov alexey-tikhonov changed the title [WiP] PAM: user feedback when login fails due to blocked PIN PAM: user feedback when login fails due to blocked PIN May 16, 2022
@@ -1072,6 +1072,11 @@ static void pam_reply(struct pam_auth_req *preq)
pam_account_expired_message);
}

if (pd->pam_status == PAM_MAXTRIES) {
pd->pam_status = PAM_AUTH_ERR;
inform_user(pd, SSS_PAM_USER_INFO_PIN_LOCKED, "PIN locked");
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sumit-bose, does this message need a localization?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Another thing is, probably it's not worth providing this string from sssd_pam to sss_client at all. It could be hard-coded in sss_client...

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi,

sorry for the delay. Yes, I think it is a good idea to have a localization for this string and as a consequence it would be better to just send the type and let pam_sss generate the message, in the locale of the calling environment, similar to SSS_PAM_USER_INFO_OTP_CHPASS and user_info_otp_chpass().

bye,
Sumit

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

Copy link
Contributor

@justin-stephenson justin-stephenson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes LGTM.

@sumit-bose
Copy link
Contributor

Hi,

thank you for the updates, you accidentally added translation files to the commit.

Additionally I wonder if it wouldn't be easier to call pam_add_response() not in pam_reply() but directly after parse_p11_child_response() is called and has returned ERR_P11_PIN_LOCKED. The pam_data struct is already passed to the pam_check_cert_send() request and just has to be added to the state struct. This would keep everything Smartcard related into pamsrv_p11.c and avoid the switching between different return values and does not block PAM_MAXTRIES from other usage.

bye,
Sumit

@alexey-tikhonov
Copy link
Member Author

thank you for the updates, you accidentally added translation files to the commit.

Hm, but I did this intentionally: since patch adds new _() string, I rebuild po-files (to make translation team aware of new string). Is this wrong?

Additionally I wonder if it wouldn't be easier to call pam_add_response() not in pam_reply() but directly after parse_p11_child_response() is called and has returned ERR_P11_PIN_LOCKED. The pam_data struct is already passed to the pam_check_cert_send() request and just has to be added to the state struct. This would keep everything Smartcard related into pamsrv_p11.c and avoid the switching between different return values and does not block PAM_MAXTRIES from other usage.

That's better, right. I didn't know it was possible. Thanks.

@alexey-tikhonov
Copy link
Member Author

thank you for the updates, you accidentally added translation files to the commit.

Hm, but I did this intentionally: since patch adds new _() string, I rebuild po-files (to make translation team aware of new string). Is this wrong?

Or do I need to commit only po/sssd.pot?

@sumit-bose
Copy link
Contributor

thank you for the updates, you accidentally added translation files to the commit.

Hm, but I did this intentionally: since patch adds new _() string, I rebuild po-files (to make translation team aware of new string). Is this wrong?

Or do I need to commit only po/sssd.pot?

Hi,

I think this should be sufficient but I'm currently not sure how translations are handled. I remember some long time ago we had some string-freeze, say 4 weeks before a release, where the pot file was updates and pushed upstream so that translators could add there contributions which were then pulled in before the release was done. But currently it look like the pot file is updated directly before a release. @pbrezina, do you have any details here?

bye,
Sumit

@alexey-tikhonov
Copy link
Member Author

alexey-tikhonov commented Jun 15, 2022

I remember some long time ago we had some string-freeze, say 4 weeks before a release, where the pot file was updates and pushed upstream so that translators could add there contributions which were then pulled in before the release was done.

This is exactly my intention, because this is last planned patch that touches strings in 2.7.z series.

I don't know if sssd.pot would be enough, but I think rebuilding all po-files won't hurt?

@alexey-tikhonov
Copy link
Member Author

Additionally I wonder if it wouldn't be easier to call pam_add_response() not in pam_reply() but directly after parse_p11_child_response() is called and has returned ERR_P11_PIN_LOCKED. The pam_data struct is already passed to the pam_check_cert_send() request and just has to be added to the state struct. This would keep everything Smartcard related into pamsrv_p11.c and avoid the switching between different return values and does not block PAM_MAXTRIES from other usage.

That's better, right. I didn't know it was possible. Thanks.

Done in the latest version.

I also dropped all po-files updates per agreement with @pbrezina.

@alexey-tikhonov
Copy link
Member Author

Rebased.

@alexey-tikhonov
Copy link
Member Author

Covscan complains:

Error: :Error: CHECKED_RETURN (CWE-252):
sssd-pr6162/src/responder/pam/pamsrv_p11.c:1021: check_return: Calling "pam_add_response" without checking return value (as is done elsewhere 37 out of 42 times).

But I don't think it's worth addressing. There is no action to take in case pam_add_response() fails.

@alexey-tikhonov
Copy link
Member Author

(Requesting re-review by @justin-stephenson because patch was changed.)

Copy link
Contributor

@justin-stephenson justin-stephenson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

functionality works as expected.

[justin@agalloch yubikey]$ yubico-piv-tool -a verify -P 000000
Pin verification failed, 2 tries left before pin is blocked.
[justin@agalloch yubikey]$ yubico-piv-tool -a verify -P 000000
Pin verification failed, 1 tries left before pin is blocked.
[justin@agalloch yubikey]$ yubico-piv-tool -a verify -P 000000
Pin code blocked, use unblock-pin action to unblock.
[justin@agalloch yubikey]$ su - test
PIN for test: 
PIN locked
su: Authentication failure

Copy link
Contributor

@sumit-bose sumit-bose left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi,

code looks good and my test were successful as well, ACK.

bye,
Sumit

@pbrezina
Copy link
Member

Pushed PR: #6162

  • master
    • 5433961 - PAM: user feedback when login fails due to blocked PIN
    • f119522 - PAM P11: fixed minor mem-leak
    • 1ed59fb - PAM P11: fixed mistype in a log message
  • sssd-2-7
    • f0609d8 - PAM: user feedback when login fails due to blocked PIN
    • aec9733 - PAM P11: fixed minor mem-leak
    • abc2ae5 - PAM P11: fixed mistype in a log message

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport-to-stable Targets also latest stable branch Bugzilla Pushed
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Provide user feedback when login fails due to blocked PIN
4 participants