SSS_CLIENT: forward available auth JSON message
Forward the available authentication mechanisms and their associated
data message to the GUI login using a PAM conversation. Then, obtain the
reply and forward it to the responder, so that it can parse it.

Signed-off-by: Iker Pedrosa <[email protected]>
Signed-off-by: Ray Strode <[email protected]>
ikerexxe committed May 23, 2024
1 parent ff16734 commit b1f7d82
Showing 5 changed files with 114 additions and 0 deletions.
7 changes: 7 additions & 0 deletions src/external/pam.m4
Expand Up @@ -39,3 +39,10 @@ AC_SUBST(GDM_PAM_EXTENSIONS_CFLAGS)
AS_IF([test x"$found_gdm_pam_extensions" = xyes],
[AC_DEFINE_UNQUOTED(HAVE_GDM_PAM_EXTENSIONS, 1,
[Build with gdm-pam-extensions support])])

AS_IF([test x"$found_gdm_pam_extensions" = xyes],
[AC_CHECK_HEADER([gdm/gdm-custom-json-pam-extension.h],
[AC_DEFINE_UNQUOTED(HAVE_GDM_CUSTOM_JSON_PAM_EXTENSION, 1,
[Build with gdm-custom-json-pam-extension support])])])
AM_CONDITIONAL([HAVE_GDM_CUSTOM_JSON_PAM_EXTENSION],
[test x"$found_gdm_pam_extensions" = xyes])
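Review bot: The `AM_CONDITIONAL` at the end of this hunk keys on `found_gdm_pam_extensions`, not on the outcome of the `AC_CHECK_HEADER` just above it, so the Automake conditional `HAVE_GDM_CUSTOM_JSON_PAM_EXTENSION` can be true while the C macro of the same name is never defined (gdm-pam-extensions present, custom JSON header missing). Record the header result in its own variable and test that instead: initialise `found_gdm_custom_json=no` before the `AS_IF`, set `found_gdm_custom_json=yes` in the action-if-found branch after the `AC_DEFINE_UNQUOTED`, and change the condition to `[test x"$found_gdm_custom_json" = xyes]`. Whatever Makefile.am rules hang off the conditional are outside this commit, so I cannot tell how badly a mismatch would break the build, but keeping the two names in step is cheap.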
8 changes: 8 additions & 0 deletions src/sss_client/pam_message.c
Expand Up @@ -128,6 +128,10 @@ int pack_message_v3(struct pam_items *pi, size_t *size, uint8_t **buffer)
len += *pi->requested_domains != '\0' ?
2*sizeof(uint32_t) + pi->requested_domains_size : 0;
len += 3*sizeof(uint32_t); /* flags */
len += *pi->json_auth_msg != '\0' ?
2*sizeof(uint32_t) + pi->json_auth_msg_size : 0;
len += *pi->json_auth_selected != '\0' ?
2*sizeof(uint32_t) + pi->json_auth_selected_size : 0;

/* optional child_pid */
if(pi->child_pid > 0) {
Expand Down Expand Up @@ -178,6 +182,10 @@ int pack_message_v3(struct pam_items *pi, size_t *size, uint8_t **buffer)

rp += add_uint32_t_item(SSS_PAM_ITEM_FLAGS, (uint32_t) pi->flags,
&buf[rp]);
rp += add_string_item(SSS_PAM_ITEM_JSON_AUTH_INFO, pi->json_auth_msg,
pi->json_auth_msg_size, &buf[rp]);
rp += add_string_item(SSS_PAM_ITEM_JSON_AUTH_SELECTED, pi->json_auth_selected,
pi->json_auth_selected_size, &buf[rp]);

SAFEALIGN_SETMEM_UINT32(buf + rp, SSS_END_OF_PAM_REQUEST, &rp);
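Review bot: The two hunks of pack_message_v3 must agree on when the JSON items are emitted: the size computation in the first hunk adds `2*sizeof(uint32_t) + ..._size` only for a non-empty string, while the two `add_string_item` calls here are unconditional. That is only correct if `add_string_item` itself returns 0 for an empty string (the existing `requested_domains` handling suggests it does, but the helper is outside the hunk); if it does not, the empty-string case writes `2*sizeof(uint32_t) + 1` bytes beyond what `len` reserved. Worth a one-line comment at the size computation, e.g. `/* add_string_item() emits nothing for "", keep this predicate in sync with it */`, or the same explicit `if (*pi->json_auth_msg != '\0')` guard at both sites. Both `*pi->json_auth_msg` and `*pi->json_auth_selected` are also dereferenced unconditionally, so the caller has to guarantee both pointers are non-NULL before packing.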

4 changes: 4 additions & 0 deletions src/sss_client/pam_message.h
Expand Up @@ -66,6 +66,10 @@ struct pam_items {
char *first_factor;
char *passkey_key;
char *passkey_prompt_pin;
char *json_auth_msg;
size_t json_auth_msg_size;
const char *json_auth_selected;
size_t json_auth_selected_size;
bool password_prompting;

bool user_name_hint;
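Review bot: The two new pointer fields have different ownership and the struct does not record it: `json_auth_msg` is a `char *` the client allocates and frees, while `json_auth_selected` is declared `const char *` yet is assigned both a string literal (`""`) and a `strdup()` result elsewhere in this commit, so the code that tears down `struct pam_items` cannot tell whether it may `free()` it. Either make it `char *` and always heap-allocate it (defaulting to `strdup("")`, as `json_auth_msg` does), or document the convention above the field, e.g. `/* Selection returned by the GUI (heap) or "" (static) when none; see auth_selection_conversation_gdm() */`. The `_size` fields are byte counts that include the terminating NUL, which is worth stating next to them since pack_message_v3 relies on it.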
93 changes: 93 additions & 0 deletions src/sss_client/pam_sss.c
Expand Up @@ -41,6 +41,10 @@
#include <gdm/gdm-pam-extensions.h>
#endif

#ifdef HAVE_GDM_CUSTOM_JSON_PAM_EXTENSION
#include <gdm/gdm-custom-json-pam-extension.h>
#endif

#include "sss_pam_compat.h"
#include "sss_pam_macros.h"

Expand Down Expand Up @@ -1349,6 +1353,19 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
break;
}
break;
case SSS_PAM_JSON_AUTH_INFO:
if (buf[p + (len - 1)] != '\0') {
D(("json auth info does not end with \\0."));
break;
}

free(pi->json_auth_msg);
pi->json_auth_msg = strdup((char *) &buf[p]);
if (pi->json_auth_msg == NULL) {
D(("strdup failed"));
break;
}
break;
default:
D(("Unknown response type [%d]", type));
}
Expand Down Expand Up @@ -1463,6 +1480,10 @@ static int get_pam_items(pam_handle_t *pamh, uint32_t flags,
pi->pc = NULL;

pi->flags = flags;
if (pi->json_auth_msg == NULL) pi->json_auth_msg = strdup("");
pi->json_auth_msg_size = strlen(pi->json_auth_msg) + 1;
if (pi->json_auth_selected == NULL) pi->json_auth_selected = "";
pi->json_auth_selected_size = strlen(pi->json_auth_selected) + 1;

return PAM_SUCCESS;
}
Expand Down Expand Up @@ -1988,6 +2009,65 @@ static int prompt_passkey(pam_handle_t *pamh, struct pam_items *pi,
return ret;
}

static int auth_selection_conversation_gdm(pam_handle_t *pamh,
struct pam_items *pi)
{
#ifdef HAVE_GDM_CUSTOM_JSON_PAM_EXTENSION
const struct pam_conv *conv;
GdmPamExtensionJSONProtocol *request = NULL;
GdmPamExtensionJSONProtocol *response = NULL;
struct pam_message prompt_message;
const struct pam_message *prompt_messages[1];
struct pam_response *reply = NULL;
int ret;

ret = pam_get_item(pamh, PAM_CONV, (const void **)&conv);
if (ret != PAM_SUCCESS) {
ret = EIO;
return ret;
}

request = calloc(1, GDM_PAM_EXTENSION_CUSTOM_JSON_SIZE);
if (request == NULL) {
ret = ENOMEM;
goto done;
}

GDM_PAM_EXTENSION_CUSTOM_JSON_REQUEST_INIT(request, "auth-mechanisms", 1,
pi->json_auth_msg);
GDM_PAM_EXTENSION_MESSAGE_TO_BINARY_PROMPT_MESSAGE(request,
&prompt_message);
prompt_messages[0] = &prompt_message;

ret = conv->conv(1, prompt_messages, &reply, conv->appdata_ptr);
if (ret != PAM_SUCCESS) {
ret = EIO;
goto done;
}

response = GDM_PAM_EXTENSION_REPLY_TO_CUSTOM_JSON_RESPONSE(reply);
if (response->json == NULL) {
ret = EIO;
goto done;
}

pi->json_auth_msg_size = strlen(pi->json_auth_msg)+1;
pi->json_auth_selected = strdup(response->json);
pi->json_auth_selected_size = strlen(response->json)+1;
ret = EOK;

done:
if (request != NULL) {
free(request);
}
free(response);

return ret;
#else
return ENOTSUP;
#endif /* HAVE_GDM_CUSTOM_JSON_PAM_EXTENSION */
}

#define SC_PROMPT_FMT "PIN for %s: "

#ifndef discard_const
Expand Down Expand Up @@ -2986,6 +3066,19 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
* errors can be ignored here.
*/
}

if (pi.json_auth_msg != NULL
&& strcmp(pi.json_auth_msg, "") != 0) {
ret = auth_selection_conversation_gdm(pamh, &pi);
if (ret == EOK) {
break;
} else if (ret == ENOTSUP) {
D(("gdm-custom-json-pam-extensions not supported."));
} else {
D(("auth_selection_conversation_gdm failed."));
return ret;
}
}
}

if (flags & PAM_CLI_FLAGS_TRY_CERT_AUTH
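Review bot: `return ret;` in the new block of pam_sss hands an errno value (EIO or ENOMEM coming out of auth_selection_conversation_gdm) back as the module's PAM status, while the rest of this function returns PAM_* codes; translate it, e.g. `D(("auth_selection_conversation_gdm failed.")); ret = PAM_SYSTEM_ERR;` followed by the exit path the function uses for other failures, since the bare `return` also appears to bypass the cleanup of `pi` done on the normal path (that path is outside the hunk). Two allocations in this file are also used without a NULL check: `pi->json_auth_msg = strdup("")` in get_pam_items is followed directly by `strlen(pi->json_auth_msg)`, and `pi->json_auth_selected = strdup(response->json)` is later dereferenced by pack_message_v3, so either failure turns an out-of-memory condition into a crash inside the PAM stack — add `if (pi->json_auth_msg == NULL) return PAM_BUF_ERR;` and `if (pi->json_auth_selected == NULL) { ret = ENOMEM; goto done; }` respectively. In auth_selection_conversation_gdm the `reply` array returned by `conv->conv` is never released and is not checked for NULL before `GDM_PAM_EXTENSION_REPLY_TO_CUSTOM_JSON_RESPONSE` is applied; if that macro resolves to `reply[0].resp`, as the other gdm extension macros do, `free(response)` frees only the embedded message and `reply` itself leaks. The response originates in the GUI process and is accepted on trust: nothing confirms it carries the protocol name and version passed to `GDM_PAM_EXTENSION_CUSTOM_JSON_REQUEST_INIT` before its `json` is forwarded to the responder, which deserves either a check here or a comment stating that the responder is expected to validate the payload.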
2 changes: 2 additions & 0 deletions src/sss_client/sss_cli.h
Expand Up @@ -413,6 +413,8 @@ enum pam_item_type {
SSS_PAM_ITEM_CHILD_PID,
SSS_PAM_ITEM_REQUESTED_DOMAINS,
SSS_PAM_ITEM_FLAGS,
SSS_PAM_ITEM_JSON_AUTH_INFO,
SSS_PAM_ITEM_JSON_AUTH_SELECTED,
};

#define PAM_CLI_FLAGS_USE_FIRST_PASS (1 << 0)
