krb5: check for PIN locked in error message

sumit-bose · sumit-bose · commit 30c80a94855f · 2026-01-23T09:49:29.000+01:00
Currently the PIN locked message is only displays if the Smartcard
authentication is done locally, e.g. if the system is offline. During
pkinit libkrb5 does not send a dedicated error code but the error
message generated by the library contains a hint.

This patch checks the libkrb5 error message in case the authentication
fails with the pre-authentication failed error code. This is a bit
tricky because 'krb5_get_error_message()' currently only returns a
defined result at the first call after a failed library call.
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
@@ -137,6 +137,31 @@ static krb5_context krb5_error_ctx;
 
 #define KRB5_CHILD_DEBUG(level, error) KRB5_CHILD_DEBUG_INT(level, krb5_error_ctx, error)
 
+static bool debug_and_check_if_pin_locked_error(krb5_context ctx, int level,
+                                                krb5_error_code krb5_error)
+{
+    const char *krb5_error_msg;
+    bool res = false;
+
+    krb5_error_msg = sss_krb5_get_error_message(ctx, krb5_error);
+    if (krb5_error_msg == NULL) {
+        return false;
+    }
+
+    if (strstr(krb5_error_msg, "pin locked") != NULL) {
+        res = true;
+    }
+
+    DEBUG(level, "%d: [%d][%s]\n", __LINE__, krb5_error, krb5_error_msg);
+    if (level & (SSSDBG_CRIT_FAILURE | SSSDBG_FATAL_FAILURE)) {
+         sss_log(SSS_LOG_ERR, "%s", krb5_error_msg);
+    }
+
+    sss_krb5_free_error_message(ctx, krb5_error_msg);
+
+    return res;
+}
+
 static krb5_error_code get_tgt_times(krb5_context ctx, const char *ccname,
                                      krb5_principal server_principal,
                                      krb5_principal client_principal,
@@ -2404,6 +2429,7 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
     char *cc_name;
     int ret;
     char *identity = NULL;
+    const uint32_t user_info_pin_locked = SSS_PAM_USER_INFO_PIN_LOCKED;
 
     kerr = sss_krb5_get_init_creds_opt_set_expire_callback(kr->ctx, kr->options,
                                                   sss_krb5_expire_callback_func,
@@ -2469,7 +2495,26 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
         return 0;
     } else {
         if (kerr != 0) {
-            KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+            /* Check of a locked Smartcard PIN, must be called before/instead
+             * of KRB5_CHILD_DEBUG because krb5_get_error_message() might only
+             * return the proper error message at the first call. */
+            if (kr->pd->cmd == SSS_PAM_AUTHENTICATE
+                    && kerr == KRB5_PREAUTH_FAILED
+                    && kr->pkinit_prompting == true
+                    && IS_SC_AUTHTOK(kr->pd->authtok) ) {
+                if (debug_and_check_if_pin_locked_error(kr->ctx,
+                                                  SSSDBG_CRIT_FAILURE, kerr) ) {
+                    ret = pam_add_response(kr->pd, SSS_PAM_USER_INFO,
+                                           sizeof(uint32_t),
+                                           (const uint8_t *) &user_info_pin_locked);
+                    if (ret != EOK) {
+                        DEBUG(SSSDBG_OP_FAILURE,
+                              "Failed to add PIN locked message.\n");
+                    }
+                }
+            } else {
+                KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+            }
 
             if (kerr == EAGAIN) {
                 /* The most probable reason for krb5_get_init_creds_password()
