pam_sss: prefer Smartcard authentication
The current behavior is that Smartcard authentication is preferred if
possible, i.e., if a Smartcard is present. Since the Smartcard (or
equivalent) must be inserted manually, the assumption is that if the user
has inserted it they most probably want to use it for authentication.

With the latest patches pam_sss might receive multiple available
authentication methods. With this patch the checks for available
authentication types start Smartcard authentication to mimic the
existing behavior.

Resolves: #7152

Reviewed-by: Alejandro López <[email protected]>
Reviewed-by: Justin Stephenson <[email protected]>
(cherry picked from commit 0d5e8f1)
sumit-bose authored and alexey-tikhonov committed Mar 21, 2024
1 parent 87b54bd commit d06b4a3
Showing 1 changed file with 11 additions and 11 deletions.
22 changes: 11 additions & 11 deletions src/sss_client/pam_sss.c
@@ -2544,17 +2544,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
} else if (pi->pc != NULL) {
ret = prompt_by_config(pamh, pi);
} else {
if (flags & PAM_CLI_FLAGS_USE_2FA
|| (pi->otp_vendor != NULL && pi->otp_token_id != NULL
&& pi->otp_challenge != NULL)) {
if (pi->password_prompting) {
ret = prompt_2fa(pamh, pi, _("First Factor: "),
_("Second Factor (optional): "));
} else {
ret = prompt_2fa(pamh, pi, _("First Factor: "),
_("Second Factor: "));
}
} else if (pi->cert_list != NULL) {
if (pi->cert_list != NULL) {
if (pi->cert_list->next == NULL) {
/* Only one certificate */
pi->selected_cert = pi->cert_list;
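Review bot: Replacing `} else if (pi->cert_list != NULL) {` with a bare `if (pi->cert_list != NULL) {` at the top of the `else` branch makes certificate presence the first condition tested, so the 2FA/OTP check that previously came first is only reached when no certificate is available. Please add a one-line comment above the new `if` recording that this ordering is intentional (Smartcard preferred when present, as the commit message explains); nothing in the code itself states the precedence, and a later reordering of the chain would silently change which prompt the user sees.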
@@ -2570,6 +2560,16 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
|| (pi->flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH)) {
/* Use pin prompt as fallback for gdm-smartcard */
ret = prompt_sc_pin(pamh, pi);
} else if (flags & PAM_CLI_FLAGS_USE_2FA
|| (pi->otp_vendor != NULL && pi->otp_token_id != NULL
&& pi->otp_challenge != NULL)) {
if (pi->password_prompting) {
ret = prompt_2fa(pamh, pi, _("First Factor: "),
_("Second Factor (optional): "));
} else {
ret = prompt_2fa(pamh, pi, _("First Factor: "),
_("Second Factor: "));
}
} else if (pi->passkey_prompt_pin) {
ret = prompt_passkey(pamh, pi,
_("Insert your passkey device, then press ENTER."),
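Review bot: The relocated branch at `} else if (flags & PAM_CLI_FLAGS_USE_2FA` tests the local `flags` argument, while the branch directly above it tests `pi->flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH`; please confirm both are meant to read the same flag set, or note why the 2FA check deliberately uses the parameter rather than `pi->flags`. Since the 2FA prompt now sits behind the `prompt_sc_pin` fallback, a test covering the case where both a certificate list and the 2FA flag are present would pin down that the PIN prompt wins, which is the behaviour the commit message promises.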

0 comments on commit d06b4a3