passkey: Skip processing non-passkey mapping data

In the AD case, the user altSecurityIdentities attribute can store passkey, smartcard, or ssh public key mapping data. Check to ensure we are handling passkey data before continuing in PAM passkey processing. Resolves: SSSD#7061
justin-stephenson · Dec 4, 2023 · d501cd6 · d501cd6
1 parent cffe6e0
commit d501cd6
Showing 1 changed file with 18 additions and 1 deletion.
diff --git a/src/responder/pam/pamsrv_passkey.c b/src/responder/pam/pamsrv_passkey.c
@@ -489,6 +489,20 @@ errno_t process_passkey_data(TALLOC_CTX *mem_ctx,
         goto done;
     }
 
+    /* Don't try to process smartcard of sshpubkey mapping data */
+    ret = split_on_separator(tmp_ctx, (const char *) el->values[0].data, ':', true, true,
+                             &mappings, NULL);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "Incorrectly formatted passkey data [%d]: %s\n",
+                                 ret, sss_strerror(ret));
+        ret = ENOENT;
+        goto done;
+    } else if (strcasecmp(mappings[0], "passkey") != 0) {
+        DEBUG(SSSDBG_OP_FAILURE, "Mapping data found is not passkey related\n");
+        ret = ENOENT;
+        goto done;
+    }
+
     kh_mappings = talloc_zero_array(tmp_ctx, const char *, el->num_values + 1);
     if (kh_mappings == NULL) {
         DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n");
@@ -624,7 +638,10 @@ void pam_passkey_get_user_done(struct tevent_req *req)
     /* Get passkey data */
     DEBUG(SSSDBG_TRACE_ALL, "Processing passkey data\n");
     ret = process_passkey_data(pk_data, result->msgs[0], domain_name, pk_data);
-    if (ret == ENOENT) {
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              "process_passkey_data failed: [%d]: %s\n",
+              ret, sss_strerror(ret));
         goto done;
     }