[autobackport: sssd-2-13] krb5: restart krb5_child for Smartcard authentication #8700
Code Review
This pull request modifies the Kerberos authentication provider in src/providers/krb5/krb5_auth.c to restart the krb5_child process during Smartcard authentication if a different certificate is selected. The change introduces a check to terminate the existing child process when a Smartcard authentication token is used during a PAM authentication command, ensuring the correct certificate is processed. I have no feedback to provide as there were no review comments to evaluate.
In contrast to other authentication methods for PKINIT some information about the used Smartcard and certificate are already needed for the pre-authentication step to trigger the MIT Kerberos PKINIT module to get back the information if PKINIT is possible or not and if the Smartcard can be used for authentication. If krb5_child is kept running between the pre-authentication and the authentication step the information given during pre-authentication is used if Smartcard authentication was selected.

As long as only a single certificate is available there is no issue. But if there are multiple certificates which all apply to the given mapping and matching rules for the user trying to log in and the user can choose a certificate for authentication the authentication might fail if the certificate used during pre-authentication and the one selected by the user differ. Before the change to keep krb5_child running for all authentication methods this was not an issue since the fresh instance started during the authentication step was using the certificate selected by the user.

With this patch krb5_child is restarted during the authentication step if Smartcard authentication was selected.

Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
(cherry picked from commit f3a36be)
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
The pull request was accepted by @alexey-tikhonov with the following PR CI status: 🟢 rpm-build:centos-stream-10-x86_64:upstream (success) There are unsuccessful or unfinished checks. Make sure that the failures are not related to this pull request before merging.
372d189 to a9b7bcc
This is an automatic backport of PR#8629 krb5: restart krb5_child for Smartcard authentication to branch sssd-2-13, created by @sumit-bose.
Please make sure this backport is correct.
Note
The commits were cherry-picked without conflicts.
You can push changes to this pull request
Original commits
f3a36be - krb5: restart krb5_child for Smartcard authentication
Backported commits
Original Pull Request Body
In contrast to other authentication methods for PKINIT some information about the used Smartcard and certificate are already needed for the pre-authentication step to trigger the MIT Kerberos PKINIT module to get back the information if PKINIT is possible or not and if the Smartcard can be used for authentication. If krb5_child is kept running between the pre-authentication and the authentication step the information given during pre-authentication is used if Smartcard authentication was selected.
As long as only a single certificate is available there is no issue. But if there are multiple certificates which all apply to the given mapping and matching rules for the user trying to log in and the user can choose a certificate for authentication the authentication might fail if the certificate used during pre-authentication and the one selected by the user differ. Before the change to keep krb5_child running for all authentication methods this was not an issue since the fresh instance started during the authentication step was using the certificate selected by the user.
With this patch krb5_child is restarted during the authentication step if Smartcard authentication was selected.
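
A small model of the behaviour described above, added here as an illustration and not taken from the SSSD source or this pull request. All names (`struct child`, `handle`, `login`, the `certA`/`certB` strings) are hypothetical, and the model assumes the child binds to the certificate it receives when it is started.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model; none of these names come from SSSD. */
enum cmd { CMD_PREAUTH, CMD_AUTHENTICATE };
enum tok { TOK_PASSWORD, TOK_SMARTCARD };
struct child {           /* stands in for a krb5_child kept alive between steps */
    bool running;
    int starts;          /* how many fresh children were spawned */
    char cert[64];       /* certificate the child was given when it started */
};
struct request { enum cmd cmd; enum tok tok; const char *cert; };

/* Returns the certificate the child uses to serve this request. */
static const char *handle(struct child *c, const struct request *r,
                          bool restart_for_sc)
{
    /* The fix: a Smartcard token in the authentication step drops the
     * child left over from pre-authentication. */
    if (restart_for_sc && c->running &&
        r->cmd == CMD_AUTHENTICATE && r->tok == TOK_SMARTCARD)
        c->running = false;
    if (!c->running) {   /* a fresh child takes the certificate of this request */
        snprintf(c->cert, sizeof(c->cert), "%s", r->cert);
        c->running = true;
        c->starts++;
    }
    return c->cert;
}

/* Pre-authentication followed by authentication; true when the child
 * used the certificate the user selected. */
static bool login(bool restart_for_sc, enum tok tok, const char *preauth_cert,
                  const char *selected_cert, int *starts)
{
    struct child c = { 0 };
    struct request pre = { CMD_PREAUTH, tok, preauth_cert };
    struct request auth = { CMD_AUTHENTICATE, tok, selected_cert };
    handle(&c, &pre, restart_for_sc);
    const char *used = handle(&c, &auth, restart_for_sc);
    if (starts) *starts = c.starts;
    return strcmp(used, selected_cert) == 0;
}

int main(void)
{
    printf("child kept: %d, child restarted: %d\n",
           login(false, TOK_SMARTCARD, "certA", "certB", NULL),
           login(true, TOK_SMARTCARD, "certA", "certB", NULL));
    return 0;
}
```

The password case in the model keeps the single child, so the restart only costs a new process when a Smartcard token is used.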