[autobackport: sssd-2-12] krb5: check for PIN locked in error message#8411
Code Review
This pull request introduces a mechanism to detect and report a 'PIN locked' error during Kerberos authentication with a smart card. The changes in src/providers/krb5/krb5_child.c add logic to parse the error message from libkrb5 when a pre-authentication failure occurs during a smartcard-based authentication attempt. If the error message indicates a locked PIN, a specific PAM message is sent to the client. The change in src/sss_client/pam_sss.c adjusts the PAM message type to PAM_ERROR_MSG for better integration with display managers like GDM. The implementation is careful about when to retrieve the error message, as it might only be available on the first call. The changes are well-commented and appear to correctly address the issue described. I have no major concerns.
To make sure GDM can display this message together with an authentication failed error message the PAM message type has to be the same.

Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
(cherry picked from commit 4ca8bb6)
Currently the PIN locked message is only displayed if the Smartcard authentication is done locally, e.g. if the system is offline. During pkinit libkrb5 does not send a dedicated error code but the error message generated by the library contains a hint. This patch checks the libkrb5 error message in case the authentication fails with the pre-authentication failed error code. This is a bit tricky because 'krb5_get_error_message()' currently only returns a defined result at the first call after a failed library call.

Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
(cherry picked from commit bc3ad16)
The pull request was accepted by @alexey-tikhonov with the following PR CI status: 🟢 rpm-build:centos-stream-10-x86_64:upstream (success) There are unsuccessful or unfinished checks. Make sure that the failures are not related to this pull request before merging.
13306dd to 37df45f
This is an automatic backport of PR#8398 krb5: check for PIN locked in error message to branch sssd-2-12, created by @sumit-bose.
Please make sure this backport is correct.
Note
The commits were cherry-picked without conflicts.
You can push changes to this pull request
Original commits
4ca8bb6 - pam_sss: change PAM message type for PIN locked
bc3ad16 - krb5: check for PIN locked in error message
Backported commits
Original Pull Request Body
Currently the PIN locked message is only displayed if the Smartcard
authentication is done locally, e.g. if the system is offline. During
pkinit libkrb5 does not send a dedicated error code but the error message
generated by the library contains a hint.
This patch checks the libkrb5 error message in case the authentication
fails with the pre-authentication failed error code. This is a bit tricky
because 'krb5_get_error_message()' currently only returns a defined result
at the first call after a failed library call.
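The check the PR body describes, written out as an added example in C; this is not sssd's code from src/providers/krb5/krb5_child.c or src/sss_client/pam_sss.c. It assumes: the value of KRB5KDC_ERR_PREAUTH_FAILED from libkrb5's error table and PAM_ERROR_MSG from Linux-PAM; a callback (`get_errmsg_fn`, with a constructed `fake_krb5` stand-in) in place of `krb5_get_error_message()`/`krb5_free_error_message()` so the block runs without libkrb5; and a placeholder hint substring "PIN locked", since the exact wording pkinit emits is not on the page. The point it shows is the caveat from the commit message: the error text is copied exactly once, right after the failing call, and every later decision uses that copy.

```c
/* Added example (not sssd's code): classify a libkrb5 failure as the PR
 * body describes, without linking libkrb5.  Fetching the error text is a
 * callback because krb5_get_error_message() only returns a defined string
 * on the first call after the failing library call. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* libkrb5 error-table value for KRB5KDC_ERR_PREAUTH_FAILED (base + 24). */
#define KRB5KDC_ERR_PREAUTH_FAILED (-1765328360L)

/* Linux-PAM message style pam_sss uses after this PR, so GDM can show the
 * PIN-locked text together with the generic authentication-failure text. */
#ifndef PAM_ERROR_MSG
#define PAM_ERROR_MSG 3
#endif

/* Assumption: the real pkinit wording is not on the page; this substring
 * follows the PR title and stands in for whatever libkrb5 actually emits. */
#define PIN_LOCKED_HINT "PIN locked"

enum krb5_failure {
    KRB5_FAIL_NONE = 0,   /* kerr == 0 */
    KRB5_FAIL_OTHER,      /* any code other than pre-auth failed */
    KRB5_FAIL_PREAUTH,    /* pre-auth failed, no PIN hint in the message */
    KRB5_FAIL_PIN_LOCKED  /* pre-auth failed and the message says PIN locked */
};

/* Hands the caller an owned copy of the library's message for kerr.  With
 * real libkrb5 this wraps krb5_get_error_message(); here it is a callback. */
typedef char *(*get_errmsg_fn)(long kerr, void *ctx);

/* Copy the message exactly once, immediately after the failing call.  Every
 * later decision must use this copy, never a second library call. */
char *capture_errmsg_once(long kerr, get_errmsg_fn get, void *ctx)
{
    char *msg = get(kerr, ctx);
    if (msg == NULL) return NULL;
    char *copy = strdup(msg);
    free(msg);  /* stands in for krb5_free_error_message() */
    return copy;
}

/* Case-insensitive substring search (portable alternative to strcasestr). */
static bool contains_nocase(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay != '\0'; hay++) {
        size_t i = 0;
        while (i < n && hay[i] != '\0' &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return true;
    }
    return false;
}

enum krb5_failure classify_krb5_failure(long kerr, const char *captured_msg)
{
    if (kerr == 0) return KRB5_FAIL_NONE;
    if (kerr != KRB5KDC_ERR_PREAUTH_FAILED) return KRB5_FAIL_OTHER;
    if (captured_msg != NULL && contains_nocase(captured_msg, PIN_LOCKED_HINT))
        return KRB5_FAIL_PIN_LOCKED;
    return KRB5_FAIL_PREAUTH;
}

struct pam_report { int style; const char *text; };

/* Both texts go out with the same style, which is what lets GDM display them
 * together.  The strings are constructed; sssd's wording is not on the page. */
struct pam_report pam_report_for(enum krb5_failure f)
{
    struct pam_report r = { PAM_ERROR_MSG, "Authentication failed" };
    if (f == KRB5_FAIL_PIN_LOCKED) r.text = "Smartcard PIN is locked";
    if (f == KRB5_FAIL_NONE) { r.style = 0; r.text = NULL; }
    return r;
}

/* Constructed stand-in for libkrb5: the message is handed out only once,
 * mirroring the "defined only on the first call" behaviour the PR notes. */
struct fake_krb5 { const char *pending; };

char *fake_get_errmsg(long kerr, void *ctx)
{
    struct fake_krb5 *f = ctx;
    (void)kerr;
    if (f->pending == NULL) return NULL;
    char *m = strdup(f->pending);
    f->pending = NULL;
    return m;
}

int main(void)
{
    struct fake_krb5 lib = { "Preauthentication failed: PIN locked (constructed)" };
    long kerr = KRB5KDC_ERR_PREAUTH_FAILED;  /* pretend pkinit just failed */
    char *msg = capture_errmsg_once(kerr, fake_get_errmsg, &lib);
    enum krb5_failure f = classify_krb5_failure(kerr, msg);
    struct pam_report rep = pam_report_for(f);
    printf("class=%d pam_style=%d text=%s\n", (int)f, rep.style, rep.text);
    char *again = capture_errmsg_once(kerr, fake_get_errmsg, &lib);
    printf("second fetch: %s\n", again == NULL ? "(nothing)" : again);
    free(again);
    free(msg);
    return 0;
}
```

The `fake_get_errmsg` callback deliberately returns the message only on its first call, so running the block shows why the copy taken in `capture_errmsg_once()` is the only thing the classification may consult; with real libkrb5 a second `krb5_get_error_message()` call would not give a defined result.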