[autobackport: sssd-2-13] pam: handle protected authentication path #8698
Code Review
This pull request implements support for the PKCS#11 protected authentication path. The changes allow p11_child to detect the CKF_PROTECTED_AUTHENTICATION_PATH flag and pass it to the PAM responder, which then informs the SSSD client to use an external keypad prompt and PAM_TEXT_INFO message style instead of a standard PIN prompt. The PR also includes security improvements such as secure memory erasure for GDM extension responses and the adoption of safealign_memcpy for packing certificate data. I have no feedback to provide.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit d6483bb)
If a Smartcard reader has a built-in keypad or keyboard the flag CKF_PROTECTED_AUTHENTICATION_PATH is set in the token info data. To properly tell the user that the pin must be given at the reader directly and not at the computer this information must be propagated to the pam_sss module.
Resolves: SSSD#5371
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 016bc7a)
sss_authtok_set_sc_keypad() does not set which token and certificate should be used for authentication, just using sss_authtok_set_sc() with SSS_AUTHTOK_TYPE_SC_KEYPAD as type is sufficient.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit f3aea67)
In case the conversation callback allocates memory for a reply we have to free it.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 084268f)
Use safealign_memcpy() instead of plain memcpy() and add a consistency check.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 50a3838)
The pull request was accepted by @alexey-tikhonov with the following PR CI status:
🟢 rpm-build:centos-stream-10-x86_64:upstream (success)
There are unsuccessful or unfinished checks. Make sure that the failures are not related to this pull request before merging.
ca6e842 to 7312420
This is an automatic backport of PR #8599 "pam: handle protected authentication path" to branch sssd-2-13, created by @sumit-bose.
Please make sure this backport is correct.
Note
The commits were cherry-picked without conflicts.
You can push changes to this pull request
Original commits
d6483bb - p11_child: ignore failure of C_GetTokenInfo
016bc7a - pam: handle protected authentication path
f3aea67 - authtok: remove sss_authtok_set_sc_keypad()
084268f - pam_sss: fix potential memory leak
50a3838 - pam: refactor pack_cert_data
Backported commits
Original Pull Request Body
If a Smartcard reader has a built-in keypad or keyboard the flag
CKF_PROTECTED_AUTHENTICATION_PATH is set in the token info data. To
properly tell the user that the pin must be given at the reader directly
and not at the computer this information must be propagated to the
pam_sss module.
Resolves: #5371
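An added example, not SSSD's code, of the two ideas in this PR: carrying the CKF_PROTECTED_AUTHENTICATION_PATH bit from the token info to the client, and packing with an offset-tracking copy plus a length consistency check. The wire layout and the names pack_token, unpack_keypad and copy_adv are hypothetical; copy_adv stands in for an alignment-safe copy helper, and treating unreadable token info as "no keypad" is an assumption.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Value defined by the PKCS#11 specification for CK_TOKEN_INFO.flags. */
#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100UL

/* Stand-in for an alignment-safe copy helper: memcpy plus offset tracking. */
static void copy_adv(uint8_t *dst, const void *src, size_t n, size_t *off)
{
    memcpy(dst + *off, src, n);
    *off += n;
}

/* Hypothetical wire layout: token name, NUL, key id, NUL, uint32 keypad flag.
 * got_info is 0 when token info could not be read (assumed: no keypad). */
uint8_t *pack_token(const char *name, const char *key_id, int got_info,
                    unsigned long tok_flags, size_t *len_out)
{
    size_t nlen = strlen(name) + 1, klen = strlen(key_id) + 1, off = 0;
    size_t total = nlen + klen + sizeof(uint32_t);
    uint32_t keypad = (got_info && (tok_flags & CKF_PROTECTED_AUTHENTICATION_PATH)) ? 1 : 0;
    uint8_t *buf = malloc(total);

    if (buf == NULL) return NULL;
    copy_adv(buf, name, nlen, &off);
    copy_adv(buf, key_id, klen, &off);
    copy_adv(buf, &keypad, sizeof(keypad), &off);   /* usually unaligned here */
    if (off != total) {            /* consistency check: written == computed */
        free(buf);
        return NULL;
    }
    *len_out = total;
    return buf;
}

/* Receiver: 1 = enter PIN at the reader, 0 = prompt for PIN, -1 = malformed. */
int unpack_keypad(const uint8_t *buf, size_t len)
{
    const uint8_t *end = buf + len, *p;
    uint32_t keypad;
    if ((p = memchr(buf, '\0', len)) == NULL) return -1;             /* name   */
    p++;
    if ((p = memchr(p, '\0', (size_t)(end - p))) == NULL) return -1; /* key id */
    p++;
    if ((size_t)(end - p) != sizeof(keypad)) return -1;   /* flag must fit exactly */
    memcpy(&keypad, p, sizeof(keypad));    /* never dereference p as uint32_t * */
    return keypad > 1 ? -1 : (int)keypad;
}
```

A client that receives 1 would show an informational message and leave PIN entry to the reader, which is the behaviour the PR describes for pam_sss.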