SSSD
diff --git a/‎Makefile.am‎
Lines changed: 8 additions & 2 deletions b/‎Makefile.am‎
Lines changed: 8 additions & 2 deletions
diff --git a/‎src/krb5_plugin/passkey/passkey.h‎
Lines changed: 5 additions & 0 deletions b/‎src/krb5_plugin/passkey/passkey.h‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎src/krb5_plugin/passkey/passkey_utils.c‎
Lines changed: 36 additions & 0 deletions b/‎src/krb5_plugin/passkey/passkey_utils.c‎
Lines changed: 36 additions & 0 deletions
diff --git a/‎src/responder/pam/pamsrv_cmd.c‎
Lines changed: 30 additions & 7 deletions b/‎src/responder/pam/pamsrv_cmd.c‎
Lines changed: 30 additions & 7 deletions
@@ -1516,9 +1516,11 @@ sssd_pam_SOURCES = \
     src/responder/pam/pam_prompting_config.c \
     src/sss_client/pam_sss_prompt_config.c \
     src/responder/pam/pam_helpers.c \
+    src/krb5_plugin/common/utils.c \
     $(SSSD_RESPONDER_OBJ)
 if BUILD_PASSKEY
-    sssd_pam_SOURCES += src/responder/pam/pamsrv_passkey.c
+    sssd_pam_SOURCES += src/responder/pam/pamsrv_passkey.c \
+                        src/krb5_plugin/passkey/passkey_utils.c
 endif
 sssd_pam_CFLAGS = \
     $(AM_CFLAGS) \
@@ -1528,6 +1530,7 @@ sssd_pam_LDADD = \
     $(LIBADD_DL) \
     $(TDB_LIBS) \
     $(SSSD_LIBS) \
+    $(JANSSON_LIBS) \
     $(SELINUX_LIBS) \
     $(PAM_LIBS) \
     $(GSSAPI_KRB5_LIBS) \
@@ -2563,6 +2566,7 @@ pam_srv_tests_SOURCES = \
     src/responder/pam/pamsrv_dp.c \
     src/responder/pam/pam_prompting_config.c \
     src/sss_client/pam_sss_prompt_config.c \
+    src/krb5_plugin/common/utils.c \
     $(NULL)
 pam_srv_tests_CFLAGS = \
     -U SSSD_LIBEXEC_PATH -DSSSD_LIBEXEC_PATH=\"$(abs_builddir)\" \
@@ -2584,6 +2588,7 @@ pam_srv_tests_LDADD = \
     $(PAM_LIBS) \
     $(SSSD_LIBS) \
     $(SSSD_INTERNAL_LTLIBS) \
+    $(JANSSON_LIBS) \
     $(GSSAPI_KRB5_LIBS) \
     libsss_test_common.la \
     libsss_idmap.la \
@@ -2592,7 +2597,8 @@ pam_srv_tests_LDADD = \
     libsss_sbus.la \
     $(NULL)
 if BUILD_PASSKEY
-     pam_srv_tests_SOURCES += src/responder/pam/pamsrv_passkey.c
+     pam_srv_tests_SOURCES += src/responder/pam/pamsrv_passkey.c \
+							  src/krb5_plugin/passkey/passkey_utils.c
 endif # BUILD_PASSKEY
 
 EXTRA_ssh_srv_tests_DEPENDENCIES = \
 
@@ -100,6 +100,11 @@ sss_passkey_message_encode_padata(const struct sss_passkey_message *data);
 struct sss_passkey_message *
 sss_passkey_message_decode_padata(krb5_pa_data *padata);
 
+int
+sss_passkey_preflight_from_json(const char *json_str,
+                                int *_pin_required,
+                                int *_attempts);
+
 krb5_pa_data **
 sss_passkey_message_encode_padata_array(const struct sss_passkey_message *data);
 
 
@@ -561,6 +561,42 @@ sss_passkey_message_from_reply_json(enum sss_passkey_phase phase,
     return message;
 }
 
+int
+sss_passkey_preflight_from_json(const char *json_str,
+                                int *_pin_required,
+                                int *_attempts)
+{
+    json_t *jroot;
+    json_error_t jret;
+    int ret;
+    int pin_required;
+    int attempts;
+
+    jroot = json_loads(json_str, 0, &jret);
+    if (jroot == NULL) {
+        return ENOMEM;
+    }
+
+    ret = json_unpack(jroot, "{s:b, s:i}",
+                "pin_required", &pin_required,
+                "attempts", &attempts);
+    if (ret != 0) {
+        ret = EINVAL;
+        goto done;
+    }
+
+    *_pin_required = pin_required;
+    *_attempts = attempts;
+
+    ret = 0;
+done:
+    if (jroot != NULL) {
+        json_decref(jroot);
+    }
+
+    return ret;
+}
+
 char *
 sss_passkey_message_encode(const struct sss_passkey_message *data)
 {
 
@@ -1512,7 +1512,18 @@ void pam_reply(struct pam_auth_req *preq)
             && !pk_preauth_done
             && preq->passkey_data_exists
             && local_passkey_auth_allow) {
-            ret = passkey_local(cctx, cctx->ev, pctx, preq, pd);
+            if (pd->cmd == SSS_PAM_PREAUTH) {
+                /* execute passkey child preflight operation, in passkey_preflight_done()
+                 * pam_reply is called */
+                ret = passkey_child_execute(cctx, cctx, cctx->ev, preq, pctx, pd, PAM_PASSKEY_OP_PREFLIGHT);
+                if (ret != EOK) {
+                    DEBUG(SSSDBG_OP_FAILURE,
+                          "Passkey child execute failed %s [%d].\n", sss_strerror(ret), ret);
+                    goto done;
+                }
+                return;
+            }
+
             pam_check_user_done(preq, ret);
             return;
         }
@@ -1897,6 +1908,9 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
     struct pam_auth_req *preq;
     struct pam_data *pd;
     int ret;
+#ifdef BUILD_PASSKEY
+    enum passkey_child_op passkey_op = PAM_PASSKEY_OP_INVALID;
+#endif
     struct pam_ctx *pctx =
             talloc_get_type(cctx->rctx->pvt_ctx, struct pam_ctx);
     struct tevent_req *req;
@@ -1978,11 +1992,14 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
     if ((pd->cmd == SSS_PAM_AUTHENTICATE)) {
         if (may_do_passkey_auth(pctx, pd)) {
             if (sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_PASSKEY_KRB) {
-                ret = passkey_kerberos(pctx, preq->pd, preq);
-                goto done;
+                passkey_op = PAM_PASSKEY_OP_KERBEROS_AUTH;
             } else if ((sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_PASSKEY) ||
                       (sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_EMPTY)) {
-                ret = passkey_local(cctx, cctx->ev, pctx, preq, pd);
+                passkey_op = PAM_PASSKEY_OP_LOCAL_AUTH;
+            }
+
+            if (passkey_op == PAM_PASSKEY_OP_KERBEROS_AUTH || passkey_op == PAM_PASSKEY_OP_LOCAL_AUTH) {
+                ret = passkey_child_execute(cctx, cctx, cctx->ev, preq, pctx, pd, passkey_op);
                 goto done;
             }
         }
@@ -2349,6 +2366,9 @@ static void pam_forwarder_cb(struct tevent_req *req)
     struct cli_ctx *cctx = preq->cctx;
     struct pam_data *pd;
     errno_t ret = EOK;
+#ifdef BUILD_PASSKEY
+    enum passkey_child_op passkey_op = PAM_PASSKEY_OP_INVALID;
+#endif
     struct pam_ctx *pctx =
             talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
 
@@ -2398,11 +2418,14 @@ static void pam_forwarder_cb(struct tevent_req *req)
     if ((pd->cmd == SSS_PAM_AUTHENTICATE)) {
         if (may_do_passkey_auth(pctx, pd)) {
             if (sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_PASSKEY_KRB) {
-                ret = passkey_kerberos(pctx, preq->pd, preq);
-                goto done;
+                passkey_op = PAM_PASSKEY_OP_KERBEROS_AUTH;
             } else if ((sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_PASSKEY) ||
                       (sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_EMPTY)) {
-                ret = passkey_local(cctx, cctx->ev, pctx, preq, pd);
+                passkey_op = PAM_PASSKEY_OP_LOCAL_AUTH;
+            }
+
+            if (passkey_op == PAM_PASSKEY_OP_KERBEROS_AUTH || passkey_op == PAM_PASSKEY_OP_LOCAL_AUTH) {
+                ret = passkey_child_execute(cctx, cctx, cctx->ev, preq, pctx, pd, passkey_op);
                 goto done;
             }
         }