From 4ace27183200c110e9ae8fab5d40cac114ef1dd7 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Thu, 5 Dec 2024 20:23:06 +0100 Subject: [PATCH] krb5_child: ignore Smartcard identifiers with a ':' libkrb5 expects the Smartcard identifiers like token name or label in a single strings separated by ':'. If one of the identifiers contain a ':' this breaks and since libkrb5 currently does not support escaping of ':' SSSD will ignore the Smartcard during its pre-auth step to determine the available authentication methods and will error out if this happens during the actual authentication step. Resolves: https://github.com/SSSD/sssd/issues/7746 --- src/providers/krb5/krb5_child.c | 40 +++++++++++++++++++++++++-------- 1 file changed, 31 insertions(+), 9 deletions(-) diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index 8de0702add..b570ca4356 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -1839,6 +1839,18 @@ static errno_t get_pkinit_identity(TALLOC_CTX *mem_ctx, module_name = "p11-kit-proxy.so"; } + /* The ':' character is used as a seperator and libkrb5 currently does not + * allow to escape it in names. So we have to error out if any of the + * names contains a ':' */ + if (strchr(token_name, ':') != NULL || strchr(module_name, ':') != NULL + || strchr(key_id, ':') != NULL || strchr(label, ':') != NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "Some of the certificate identification data ([%s][%s][%s][%s]) " + "contain a ':' character\n", + token_name, module_name, key_id, label); + return ERR_INVALID_CONFIG; + } + identity = talloc_asprintf(mem_ctx, "PKCS11:module_name=%s", module_name); if (identity == NULL) { DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); @@ -2316,17 +2328,27 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr, ret = get_pkinit_identity(kr, kr->pd->authtok, &identity); if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "get_pkinit_identity failed.\n"); - return ret; + /* Skip Smartcard credentials during SSSD pre-auth if they contain + * invalid characters and figure out if other authentication + * methods are available. */ + if (ret == ERR_INVALID_CONFIG && kr->pd->cmd == SSS_PAM_PREAUTH) { + DEBUG(SSSDBG_OP_FAILURE, + "Smartcard credentials are ignored.\n"); + } else { + DEBUG(SSSDBG_OP_FAILURE, "get_pkinit_identity failed.\n"); + return ret; + } } - kerr = krb5_get_init_creds_opt_set_pa(kr->ctx, kr->options, - "X509_user_identity", identity); - talloc_free(identity); - if (kerr != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, - "krb5_get_init_creds_opt_set_pa failed.\n"); - return kerr; + if (ret == EOK) { + kerr = krb5_get_init_creds_opt_set_pa(kr->ctx, kr->options, + "X509_user_identity", identity); + talloc_free(identity); + if (kerr != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "krb5_get_init_creds_opt_set_pa failed.\n"); + return kerr; + } } /* TODO: Maybe X509_anchors should be added here as well */