krb5_child: ignore Smartcard identifiers with a ':' #7748

Open
wants to merge 1 commit into
base: master

sumit-bose
Contributor

libkrb5 expects the Smartcard identifiers like token name or label in a
single string separated by ':'. If one of the identifiers contains a ':',
this breaks, and since libkrb5 currently does not support escaping of ':',
SSSD will ignore the Smartcard during its pre-auth step to determine
the available authentication methods and will error out if this happens
during the actual authentication step.

Resolves: #7746
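
The behaviour described in the pull request text above, as an added example that is not code from this PR or from SSSD: it shows how a ':' inside one identifier changes the number of fields a ':'-splitting consumer sees, and the skip-in-pre-auth, fail-in-auth policy. All function names, the enum and the sample identifiers are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names; this is not SSSD's krb5_child code. */
enum sc_decision { SC_USE, SC_SKIP, SC_ERROR };

/* Count the fields a ':'-splitting consumer would see in a joined string. */
static int count_fields(const char *joined)
{
    int n = 1;
    for (const char *p = joined; *p != '\0'; p++) {
        if (*p == ':') n++;
    }
    return n;
}

/* Join two identifiers into one ':'-separated string, as the description
 * says libkrb5 expects; returns the resulting field count, -1 on truncation. */
static int joined_field_count(const char *token_name, const char *label)
{
    char buf[256];
    int len = snprintf(buf, sizeof(buf), "%s:%s", token_name, label);
    if (len < 0 || (size_t)len >= sizeof(buf)) return -1;
    return count_fields(buf);
}

/* Policy from the description: skip the card during pre-auth, fail during
 * the actual authentication step. Treating NULL as an error is an assumption. */
static enum sc_decision check_smartcard_ids(const char *token_name,
                                            const char *label, bool pre_auth)
{
    if (token_name == NULL || label == NULL) return SC_ERROR;
    if (strchr(token_name, ':') != NULL || strchr(label, ':') != NULL) {
        return pre_auth ? SC_SKIP : SC_ERROR;
    }
    return SC_USE;
}

int main(void)
{
    /* Constructed sample identifiers, not taken from a real token. */
    printf("fields: %d vs %d\n", joined_field_count("ACME PIV", "Auth key"),
           joined_field_count("ACME: PIV", "Auth key"));
    printf("pre-auth decision: %d\n",
           check_smartcard_ids("ACME: PIV", "Auth key", true));
    return 0;
}
```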

@alexey-tikhonov
Member

> since libkrb5 currently does not support escaping of ':'

Isn't it a libkrb5 bug?

@alexey-tikhonov
Member

Will this apply to sssd-2.9 cleanly?

@sumit-bose
Contributor Author

> Will this apply to sssd-2.9 cleanly?

Hi,

yes, worked for me.

bye,
Sumit

@sumit-bose
Contributor Author

> > since libkrb5 currently does not support escaping of ':'
>
> Isn't it a libkrb5 bug?

Hi,

I will open a ticket to make them aware, but I guess it is first an issue about documenting this limitation.

bye,
Sumit

Contributor

@ikerexxe ikerexxe left a comment

Except for a small note it looks good

src/providers/krb5/krb5_child.c (outdated review comment, resolved)
@sumit-bose force-pushed the krb5_child_pkcs11_ignore_colon branch from 0b72240 to 4ace271 on December 12, 2024 09:31
Contributor

@ikerexxe ikerexxe left a comment

LGTM!

Successfully merging this pull request may close these issues.

krb5_child couldn't parse pkcs11 objects if token label contains semicolon
3 participants