From 560b1f31f7f49d08113f66fe8b96e5f270af1839 Mon Sep 17 00:00:00 2001
From: Linux_zhang
Date: Mon, 8 Sep 2025 16:21:26 +0800
Subject: [PATCH] Fix sssd offline validation failure

---
 ...port-authtok-add-IS_PW_OR_ST_AUTHTOK.patch | 42 +++++++
 ...ne-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch | 104 ++++++++++++++++++
 sssd.spec | 7 +-
 3 files changed, 152 insertions(+), 1 deletion(-)
 create mode 100644 backport-authtok-add-IS_PW_OR_ST_AUTHTOK.patch
 create mode 100644 backport-krb5-offline-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch

diff --git a/backport-authtok-add-IS_PW_OR_ST_AUTHTOK.patch b/backport-authtok-add-IS_PW_OR_ST_AUTHTOK.patch
new file mode 100644
index 0000000..b79c8ff
--- /dev/null
+++ b/backport-authtok-add-IS_PW_OR_ST_AUTHTOK.patch
@@ -0,0 +1,42 @@
+From be42436c2070e1dc9b2e5d3e03700624f4cc20bf Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Wed, 18 Jun 2025 14:30:57 +0200
+Subject: [PATCH] authtok: add IS_PW_OR_ST_AUTHTOK()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch adds a helper macro to determine if an authtok struct is of
+type SSS_AUTHTOK_TYPE_PASSWORD or SSS_AUTHTOK_TYPE_PAM_STACKED. This is
+useful if a password is expected but an authentication token forwarded
+by an different PAM module, which is most probably a password, can be
+used as well.
+
+Resolves: https://github.com/SSSD/sssd/issues/7968
+
+Reviewed-by: Pavel Březina
+Reviewed-by: Shridhar Gadekar
+Reviewed-by: Tomáš Halman
+(cherry picked from commit 297ecc467efb6035e370f62e62ffa668bb1d0050)
+---
+ src/util/authtok.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/util/authtok.h b/src/util/authtok.h
+index b58e9dbbd..acabb7078 100644
+--- a/src/util/authtok.h
++++ b/src/util/authtok.h
+@@ -28,6 +28,10 @@
+ sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_PIN \
+ || sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_KEYPAD)
+ 
++#define IS_PW_OR_ST_AUTHTOK(tok) ( \
++ sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_PASSWORD \
++ || sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_PAM_STACKED)
++
+ 
+ /* Use sss_authtok_* accessor functions instead of struct sss_auth_token
+ */
+--
+2.43.0
+
diff --git a/backport-krb5-offline-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch b/backport-krb5-offline-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch
new file mode 100644
index 0000000..aeee2bc
--- /dev/null
+++ b/backport-krb5-offline-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch
@@ -0,0 +1,104 @@
+From 6d3e61523698bc0ec17287de01a2dbe1a2d0acab Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Tue, 10 Jun 2025 14:22:19 +0200
+Subject: [PATCH] krb5: offline with SSS_AUTHTOK_TYPE_PAM_STACKED
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Recently a new authtok type SSS_AUTHTOK_TYPE_PAM_STACKED was added to
+handle credentials forwarded by other PAM modules. Before it was
+unconditionally assumed that it is a password and hence
+SSS_AUTHTOK_TYPE_PASSWORD was used.
+
+When SSS_AUTHTOK_TYPE_PAM_STACKED was introduce the main use-cases were
+already handled but currently offline use-cases fail because here only
+SSS_AUTHTOK_TYPE_PASSWORD is expected. With this patch
+SSS_AUTHTOK_TYPE_PAM_STACKED can be used to store or validate offline
+credentials as well.
+
+Resolves: https://github.com/SSSD/sssd/issues/7968
+
+Reviewed-by: Pavel Březina
+Reviewed-by: Shridhar Gadekar
+Reviewed-by: Tomáš Halman
+(cherry picked from commit 3b106f1888b6430b8bab75e1c0fe0f054eafce48)
+---
+ src/providers/krb5/krb5_auth.c | 11 +++++++----
+ src/providers/krb5/krb5_child.c | 4 ++++
+ .../krb5/krb5_delayed_online_authentication.c | 2 +-
+ src/responder/pam/pamsrv_cmd.c | 1 +
+ 4 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
+index 07e4d807f..fb2f58869 100644
+--- a/src/providers/krb5/krb5_auth.c
++++ b/src/providers/krb5/krb5_auth.c
+@@ -366,8 +366,12 @@ static void krb5_auth_store_creds(struct sss_domain_info *domain,
+ domain->cache_credentials_min_ff_length);
+ ret = EINVAL;
+ }
+- } else if (sss_authtok_get_type(pd->authtok) ==
+- SSS_AUTHTOK_TYPE_PASSWORD) {
++ } else if (IS_PW_OR_ST_AUTHTOK(pd->authtok)) {
++ /* At this point we can be sure that
++ * SSS_AUTHTOK_TYPE_PAM_STACKED is a password because
++ * krb5_auth_store_creds() is not called if 2FA/otp was used,
++ * only if SSS_AUTHTOK_TYPE_2FA was used for authentication.
++ */
+ ret = sss_authtok_get_password(pd->authtok, &password, NULL);
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Cannot cache authtok type [%d].\n",
+@@ -1211,8 +1215,7 @@ static void krb5_auth_done(struct tevent_req *subreq)
+ if (kr->is_offline) {
+ if (dp_opt_get_bool(kr->krb5_ctx->opts,
+ KRB5_STORE_PASSWORD_IF_OFFLINE)
+- && sss_authtok_get_type(pd->authtok)
+- == SSS_AUTHTOK_TYPE_PASSWORD) {
++ && IS_PW_OR_ST_AUTHTOK(pd->authtok)) {
+ krb5_auth_cache_creds(state->kr->krb5_ctx,
+ state->domain,
+ state->be_ctx->cdb,
+diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
+index 5830305a0..21ec38627 100644
+--- a/src/providers/krb5/krb5_child.c
++++ b/src/providers/krb5/krb5_child.c
+@@ -2385,6 +2385,10 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+ 
++ if (kerr == EAGAIN) {
++ kerr = KRB5_KDC_UNREACH;
++ }
++
+ /* Special case for IPA password migration */
+ if (kr->pd->cmd == SSS_PAM_AUTHENTICATE
+ && kerr == KRB5_PREAUTH_FAILED
+diff --git a/src/providers/krb5/krb5_delayed_online_authentication.c b/src/providers/krb5/krb5_delayed_online_authentication.c
+index f88d8ab9b..1fac986a6 100644
+--- a/src/providers/krb5/krb5_delayed_online_authentication.c
++++ b/src/providers/krb5/krb5_delayed_online_authentication.c
+@@ -258,7 +258,7 @@ errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
+ return EINVAL;
+ }
+ 
+- if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
++ if (!IS_PW_OR_ST_AUTHTOK(pd->authtok)) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Invalid authtok for user [%s].\n", pd->user);
+ return EINVAL;
+diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
+index d4cb421f4..c6a436069 100644
+--- a/src/responder/pam/pamsrv_cmd.c
++++ b/src/responder/pam/pamsrv_cmd.c
+@@ -1101,6 +1101,7 @@ static errno_t get_password_for_cache_auth(struct sss_auth_token *authtok,
+ 
+ switch
(sss_authtok_get_type(authtok)) {
+ case SSS_AUTHTOK_TYPE_PASSWORD:
++ case SSS_AUTHTOK_TYPE_PAM_STACKED:
+ ret = sss_authtok_get_password(authtok, password, NULL);
+ break;
+ case SSS_AUTHTOK_TYPE_2FA:
+--
+2.43.0
+
diff --git a/sssd.spec b/sssd.spec
index 1d8c144..9140b93 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -8,7 +8,7 @@ Name: sssd
 Version: 2.9.7
-Release: 5
+Release: 6
 Summary: System Security Services Daemon
 License: GPL-3.0-or-later
 URL: https://github.com/SSSD/sssd/
@@ -19,6 +19,8 @@ Patch0001: backport-Make-sure-invalid-krb5-context-is-not-used.patch
 Patch0002: backport-mistype-fix.patch
 Patch0003: backport-PAM-fix-issue-found-by-Coverity.patch
 Patch0004: backport-SSS_CLIENT-MC-simplify-logic-and.patch
+Patch0005: backport-krb5-offline-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch
+Patch0006: backport-authtok-add-IS_PW_OR_ST_AUTHTOK.patch
 Requires: sssd-ad = %{version}-%{release}
 Requires: sssd-common = %{version}-%{release}
@@ -941,6 +943,9 @@ fi
 %systemd_postun_with_restart sssd.service
 %changelog
+* Mon Sep 08 2025 Linux_zhang - 2.9.7-6
+- Fix sssd offline validation failure
+
 * Tue Aug 26 2025 yixiangzhike - 2.9.7-5
 - backport upstream patch to fix nss coredump
--
Gitee
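Review bot: The two new Patch lines in the sssd.spec hunk are in the reverse of their dependency order: Patch0005 (krb5: offline with SSS_AUTHTOK_TYPE_PAM_STACKED) calls IS_PW_OR_ST_AUTHTOK() in krb5_auth.c and krb5_delayed_online_authentication.c, but that macro is only introduced by Patch0006 (authtok: add IS_PW_OR_ST_AUTHTOK()). The final tree builds either way because both patches are applied before compilation, but if the spec applies patches as separate commits the intermediate state after Patch0005 references an undefined macro, which breaks per-patch bisecting and makes later rebases harder to reason about; swapping the two numbers fixes it: `Patch0005: backport-authtok-add-IS_PW_OR_ST_AUTHTOK.patch` / `Patch0006: backport-krb5-offline-with-SSS_AUTHTOK_TYPE_PAM_STACKED.patch`. The changelog entry would also be more useful to a packager if it named what changed, since the backports widen which authtok types may be stored as and validated against offline cached credentials, e.g. `- backport: accept SSS_AUTHTOK_TYPE_PAM_STACKED for offline credential caching and validation (SSSD/sssd#7968)`.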