Skip to content

Commit

Permalink
pam_sss: prefer Smartcard authentication
Browse files Browse the repository at this point in the history
The current behavior is that Smartcard authentication is preferred if
possible, i.e. if a Smartcard is present. Since the Smartcard (or
equivalent) must be inserted manually the assumption is that if the user
has inserted it they most probably want to use it for authentication.

With the latest patches pam_sss might receive multiple available
authentication methods. With this patch the checks for available
authentication types start Smartcard authentication to mimic the
existing behavior.

Resolves: #7152
  • Loading branch information
sumit-bose committed Mar 21, 2024
1 parent 825383b commit 90f9045
Showing 1 changed file with 11 additions and 11 deletions.
22 changes: 11 additions & 11 deletions src/sss_client/pam_sss.c
Original file line number Diff line number Diff line change
Expand Up @@ -2544,17 +2544,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
} else if (pi->pc != NULL) {
ret = prompt_by_config(pamh, pi);
} else {
if (flags & PAM_CLI_FLAGS_USE_2FA
|| (pi->otp_vendor != NULL && pi->otp_token_id != NULL
&& pi->otp_challenge != NULL)) {
if (pi->password_prompting) {
ret = prompt_2fa(pamh, pi, _("First Factor: "),
_("Second Factor (optional): "));
} else {
ret = prompt_2fa(pamh, pi, _("First Factor: "),
_("Second Factor: "));
}
} else if (pi->cert_list != NULL) {
if (pi->cert_list != NULL) {
if (pi->cert_list->next == NULL) {
/* Only one certificate */
pi->selected_cert = pi->cert_list;
Expand All @@ -2570,6 +2560,16 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
|| (pi->flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH)) {
/* Use pin prompt as fallback for gdm-smartcard */
ret = prompt_sc_pin(pamh, pi);
} else if (flags & PAM_CLI_FLAGS_USE_2FA
|| (pi->otp_vendor != NULL && pi->otp_token_id != NULL
&& pi->otp_challenge != NULL)) {
if (pi->password_prompting) {
ret = prompt_2fa(pamh, pi, _("First Factor: "),
_("Second Factor (optional): "));
} else {
ret = prompt_2fa(pamh, pi, _("First Factor: "),
_("Second Factor: "));
}
} else if (pi->passkey_prompt_pin) {
ret = prompt_passkey(pamh, pi,
_("Insert your passkey device, then press ENTER."),
Expand Down

0 comments on commit 90f9045

Please sign in to comment.