Passwordless-GDM integration: smartcard and passkey #11

wants to merge 13 commits into
base: passwordless_gdm
4 changes: 4 additions & 0 deletions src/confdb/confdb.h
Expand Up @@ -329,11 +329,15 @@
#define CONFDB_PC_TYPE_PASSKEY "passkey"
#define CONFDB_PC_PASSKEY_INTERACTIVE "interactive"
#define CONFDB_PC_PASSKEY_INTERACTIVE_PROMPT "interactive_prompt"
#define CONFDB_PC_PASSKEY_PIN_PROMPT "pin_prompt"
#define CONFDB_PC_PASSKEY_TOUCH "touch"
#define CONFDB_PC_PASSKEY_TOUCH_PROMPT "touch_prompt"
#define CONFDB_PC_TYPE_EIDP "eidp"
#define CONFDB_PC_EIDP_INIT_PROMPT "init_prompt"
#define CONFDB_PC_EIDP_LINK_PROMPT "link_prompt"
#define CONFDB_PC_TYPE_SMARTCARD "smartcard"
#define CONFDB_PC_SMARTCARD_INIT_PROMPT "init_prompt"
#define CONFDB_PC_SMARTCARD_PIN_PROMPT "pin_prompt"

struct confdb_ctx;

8 changes: 8 additions & 0 deletions src/config/cfg_rules.ini
Expand Up @@ -325,6 +325,7 @@ section_re = ^prompting/passkey$

option = interactive
option = interactive_prompt
option = pin_prompt
option = touch
option = touch_prompt

Expand All @@ -335,6 +336,13 @@ section_re = ^prompting/eidp$
option = init_prompt
option = link_prompt

[rule/allowed_prompting_smartcard_options]
validator = ini_allowed_options
section_re = ^prompting/smartcard$

option = init_prompt
option = pin_prompt

[rule/allowed_prompting_password_subsec_options]
validator = ini_allowed_options
section_re = ^prompting/password/[^/\@]\+$
33 changes: 33 additions & 0 deletions src/man/sssd.conf.5.xml
Expand Up @@ -4631,6 +4631,13 @@ ldap_user_extra_attrs = phone:telephoneNumber
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>pin_prompt</term>
<listitem>
<para>to change the message of the PIN prompt.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>touch</term>
<listitem>
Expand Down Expand Up @@ -4677,6 +4684,32 @@ ldap_user_extra_attrs = phone:telephoneNumber
</listitem>
</varlistentry>
</variablelist>
<variablelist>
<varlistentry>
<term>[prompting/smartcard]</term>
<listitem>
<para>to configure smartcard authentication prompting,
allowed options are:
<variablelist>
<varlistentry>
<term>init_prompt</term>
<listitem>
<para>to change the message of the initial prompt.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>pin_prompt</term>
<listitem>
<para>to change the message of the PIN prompt.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
<para>
It is possible to add a subsection for specific PAM services,
62 changes: 53 additions & 9 deletions src/responder/pam/pam_prompting_config.c
Expand Up @@ -26,9 +26,12 @@
#include "responder/pam/pamsrv.h"

#define DEFAULT_PASSKEY_PROMPT_INTERACTIVE _("Insert your Passkey device, then press ENTER.")
#define DEFAULT_PASSKEY_PROMPT_PIN _("Security key PIN")
#define DEFAULT_PASSKEY_PROMPT_TOUCH _("Please touch the device.")
#define DEFAULT_EIDP_PROMPT_INIT _("Log In.")
#define DEFAULT_EIDP_PROMPT_LINK _("Log in online with another device.")
#define DEFAULT_SMARTCARD_PROMPT_INIT _("Insert smartcard")
#define DEFAULT_SMARTCARD_PROMPT_PIN _("PIN")

typedef errno_t (pam_set_prompting_fn_t)(TALLOC_CTX *, struct confdb_ctx *,
const char *,
Expand Down Expand Up @@ -109,6 +112,7 @@ static errno_t pam_set_passkey_prompting_options(TALLOC_CTX *tmp_ctx,
{
bool passkey_interactive = false;
char *passkey_interactive_prompt = NULL;
char *passkey_pin_prompt = NULL;
bool passkey_touch = false;
char *passkey_touch_prompt = NULL;
int ret;
Expand All @@ -128,6 +132,12 @@ static errno_t pam_set_passkey_prompting_options(TALLOC_CTX *tmp_ctx,
}
}

ret = confdb_get_string(cdb, tmp_ctx, section, CONFDB_PC_PASSKEY_PIN_PROMPT,
DEFAULT_PASSKEY_PROMPT_PIN, &passkey_pin_prompt);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "confdb_get_string failed, using defaults");
}

ret = confdb_get_bool(cdb, section, CONFDB_PC_PASSKEY_TOUCH, false,
&passkey_touch);
if (ret != EOK) {
Expand All @@ -142,7 +152,8 @@ static errno_t pam_set_passkey_prompting_options(TALLOC_CTX *tmp_ctx,
}
}

ret = pc_list_add_passkey(pc_list, passkey_interactive_prompt, passkey_touch_prompt);
ret = pc_list_add_passkey(pc_list, passkey_interactive_prompt,
passkey_pin_prompt, passkey_touch_prompt);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "pc_list_add_passkey_touch failed.\n");
}
Expand Down Expand Up @@ -179,6 +190,36 @@ static errno_t pam_set_eidp_prompting_options(TALLOC_CTX *tmp_ctx,
return ret;
}

static errno_t
pam_set_smartcard_prompting_options(TALLOC_CTX *tmp_ctx,
struct confdb_ctx *cdb,
const char *section,
struct prompt_config ***pc_list)
{
char *init_prompt = NULL;
char *pin_prompt = NULL;
int ret;

ret = confdb_get_string(cdb, tmp_ctx, section, CONFDB_PC_SMARTCARD_INIT_PROMPT,
DEFAULT_SMARTCARD_PROMPT_INIT, &init_prompt);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "confdb_get_string failed, using defaults");
}

ret = confdb_get_string(cdb, tmp_ctx, section, CONFDB_PC_SMARTCARD_PIN_PROMPT,
DEFAULT_SMARTCARD_PROMPT_PIN, &pin_prompt);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "confdb_get_string failed, using defaults");
}

ret = pc_list_add_smartcard(pc_list, init_prompt, pin_prompt);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "pc_list_add_smartcard failed.\n");
}

return ret;
}

static errno_t pam_set_prompting_options(struct confdb_ctx *cdb,
const char *service_name,
char **sections,
Expand Down Expand Up @@ -293,14 +334,17 @@ errno_t pam_eval_prompting_config(struct pam_ctx *pctx, struct pam_data *pd,
}

if (types.cert_auth) {
/* If certificate based authentication is possilbe, i.e. a Smartcard
* or similar with the mapped certificate is available we currently
* prefer this authentication type unconditionally. If other types
* should be used the Smartcard can be removed during authentication.
* Since there currently are no specific options for cert_auth we are
* done. */
ret = EOK;
goto done;
ret = pam_set_prompting_options(pctx->rctx->cdb, pd->service,
pctx->prompting_config_sections,
pctx->num_prompting_config_sections,
CONFDB_PC_TYPE_SMARTCARD,
pam_set_smartcard_prompting_options,
&pc_list);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"pam_set_prompting_options failed.\n");
goto done;
}
}

/* If OTP and password auth are possible we currently prefer OTP. */
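Review bot: In pam_set_smartcard_prompting_options the message "confdb_get_string failed, using defaults" is not backed by the code: a failure of either confdb_get_string call is logged, `ret` is then overwritten by the next call, and the still-NULL `init_prompt`/`pin_prompt` (initialised NULL) is handed to pc_list_add_smartcard regardless; whether confdb_get_string fills in the default on failure, or pc_list_add_smartcard tolerates NULL, is not visible in this hunk. If the default really is the intended fallback, make it explicit in each failure branch, e.g. `init_prompt = talloc_strdup(tmp_ctx, DEFAULT_SMARTCARD_PROMPT_INIT);`, and otherwise return the error; the same pattern appears in the new passkey PIN lookup earlier in this file. Both new DEBUG messages in that function also lack the trailing `\n` that the other DEBUG calls here carry. Separately, in pam_eval_prompting_config the cert_auth branch no longer ends with `goto done` on success, so OTP/password prompting is now evaluated in addition to smartcard prompting; if that is intended, a one-line comment replacing the removed one ("smartcard no longer takes precedence; other types are added below") would keep the next reader from assuming it is an accidental fall-through — the body of that function continues outside the hunk.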
3 changes: 3 additions & 0 deletions src/responder/pam/pamsrv_cmd.c
Expand Up @@ -1545,9 +1545,12 @@ void pam_reply(struct pam_auth_req *preq)
}
#endif /* BUILD_PASSKEY */

DEBUG(SSSDBG_OP_FAILURE, "ikertxo: before ifdef\n"); //TODO: delete
#ifdef HAVE_GDM_CUSTOM_JSON_PAM_EXTENSION
DEBUG(SSSDBG_OP_FAILURE, "ikertxo: after ifdef\n"); //TODO: delete
if (is_pam_json_enabled(pctx->json_services,
pd->service)) {
DEBUG(SSSDBG_OP_FAILURE, "ikertxo: after if1\n"); //TODO: delete
ret = generate_json_auth_message(pctx->rctx->cdb, pc_list, pd);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
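Review bot: The three added DEBUG lines ("ikertxo: before ifdef", "ikertxo: after ifdef", "ikertxo: after if1"), each already tagged `//TODO: delete`, are development tracing emitted at SSSDBG_OP_FAILURE severity, so they will show up in production logs as spurious failures on every pam_reply and should be dropped before this leaves draft. Removing them makes the hunk a no-op for this file. pam_reply begins and ends outside the hunk.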