From 725b65081d19da658b16338686c53dcf16d49de0 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Oct 10 2018 21:06:26 +0000
Subject: PAM: add p11_uri option

Related to https://pagure.io/SSSD/sssd/issue/3814

Reviewed-by: Jakub Hrozek
---

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 87904c2..741d4bc 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -133,6 +133,7 @@
 #define CONFDB_PAM_WAIT_FOR_CARD_TIMEOUT "p11_wait_for_card_timeout"
 #define CONFDB_PAM_APP_SERVICES "pam_app_services"
 #define CONFDB_PAM_P11_ALLOWED_SERVICES "pam_p11_allowed_services"
+#define CONFDB_PAM_P11_URI "p11_uri"
 
 /* SUDO */
 #define CONFDB_SUDO_CONF_ENTRY "config/sudo"
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 4d1dba2..a20157c 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -105,6 +105,7 @@ option_strings = {
     'pam_app_services' : _('Which PAM services are permitted to contact application domains'),
     'pam_p11_allowed_services' : _('Allowed services for using smartcards'),
     'p11_wait_for_card_timeout' : _('Additional timeout to wait for a card if requested'),
+    'p11_uri' : _('PKCS#11 URI to restrict the selection of devices for Smartcard authentication'),
 
     # [sudo]
     'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 50a8f1d..09a52df 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -128,6 +128,7 @@ option = p11_child_timeout
 option = pam_app_services
 option = pam_p11_allowed_services
 option = p11_wait_for_card_timeout
+option = p11_uri
 
 [rule/allowed_sudo_options]
 validator = ini_allowed_options
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index bb686c3..c6d6690 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -77,6 +77,7 @@ p11_child_timeout = int, None, false
 pam_app_services = str, None, false
 pam_p11_allowed_services = str, None, false
 p11_wait_for_card_timeout = int, None, false
+p11_uri = str, None, false
 
 [sudo]
 # sudo service
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 4df0163..c8d53f0 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1478,6 +1478,39 @@ pam_p11_allowed_services = +my_pam_service, -login + + p11_uri (string) + + + PKCS#11 URI (see RFC-7512 for details) which can be + used to restrict the selection of devices used for + Smartcard authentication. By default SSSD's + p11_child will search for a PKCS#11 slot (reader) + where the 'removable' flags is set and read the + certificates from the inserted token from the first + slot found. If multiple readers are connected + p11_uri can be use to tell p11_child to use a + specific reader. + + + Example: + +p11_uri = slot-description=My%20Smartcar%20Reader + + or + +p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2 + + To find suitable URI please check the debug output + of p11_child. As an alternative the GnuTLS utility + 'p11tool' with e.g. the '--list-all' will show + PKCS#11 URIs as well. + + + Default: none + + +
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index 5d87756..60aa979 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -103,6 +103,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
                                       time_t timeout,
                                       const char *verify_opts,
                                       struct sss_certmap_ctx *sss_certmap_ctx,
+                                      const char *uri,
                                       struct pam_data *pd);
 errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
                             struct cert_auth_info **cert_list);
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 6e37f83..a22afd2 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
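Review bot: The new `uri` parameter of pam_check_cert_send is added to the prototype without any comment, and its contract is not obvious from the declaration alone: in pamsrv_p11.c it is optional (NULL skips the argument entirely) and is forwarded verbatim to the child as the value of `--uri`. A short comment above the declaration would save the next caller a trip into the .c file, e.g. `/* uri: optional PKCS#11 URI (RFC 7512) passed to the child as "--uri <uri>"; NULL means no device restriction. */`. Whether the string has to outlive the returned request is not visible in this diff and should be stated once confirmed. The prototype begins outside the hunk.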
@@ -1306,6 +1306,7 @@ static errno_t check_cert(TALLOC_CTX *mctx,
     char *cert_verification_opts;
     errno_t ret;
     struct tevent_req *req;
+    char *uri = NULL;
 
     ret = confdb_get_int(pctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY,
                          CONFDB_PAM_P11_CHILD_TIMEOUT,
@@ -1342,10 +1343,19 @@ static errno_t check_cert(TALLOC_CTX *mctx,
         return ret;
     }
 
+    ret = confdb_get_string(pctx->rctx->cdb, mctx, CONFDB_PAM_CONF_ENTRY,
+                            CONFDB_PAM_P11_URI, NULL, &uri);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "Failed to read certificate_verification from confdb: [%d]: %s\n",
+              ret, sss_strerror(ret));
+        return ret;
+    }
+
     req = pam_check_cert_send(mctx, ev, pctx->p11_child_debug_fd,
                               pctx->nss_db, p11_child_timeout,
                               cert_verification_opts, pctx->sss_certmap_ctx,
-                              pd);
+                              uri, pd);
     if (req == NULL) {
         DEBUG(SSSDBG_OP_FAILURE, "pam_check_cert_send failed.\n");
         return ENOMEM;
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
index 8b8859d..491bd2b 100644
--- a/src/responder/pam/pamsrv_p11.c
+++ b/src/responder/pam/pamsrv_p11.c
@@ -711,6 +711,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
                                       time_t timeout,
                                       const char *verify_opts,
                                       struct sss_certmap_ctx *sss_certmap_ctx,
+                                      const char *uri,
                                       struct pam_data *pd)
 {
     errno_t ret;
@@ -721,7 +722,7 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
     struct timeval tv;
     int pipefd_to_child[2] = PIPE_INIT;
     int pipefd_from_child[2] = PIPE_INIT;
-    const char *extra_args[14] = { NULL };
+    const char *extra_args[16] = { NULL };
     uint8_t *write_buf = NULL;
     size_t write_buf_len = 0;
     size_t arg_c;
@@ -748,6 +749,12 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
     /* extra_args are added in revers order */
     arg_c = 0;
 
+    if (uri != NULL) {
+        DEBUG(SSSDBG_TRACE_ALL, "Adding PKCS#11 URI [%s].\n", uri);
+        extra_args[arg_c++] = uri;
+        extra_args[arg_c++] = "--uri";
+    }
+
     if ((pd->cli_flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) && pd->priv == 1) {
         extra_args[arg_c++] = "--wait_for_card";
     }
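Review bot: The error message in the new confdb_get_string failure branch of check_cert names the wrong option: it reads p11_uri but logs "Failed to read certificate_verification from confdb", so a real failure here would be misattributed to the certificate_verification lookup in the same function. Use the option macro rather than a pasted name: `"Failed to read %s from confdb: [%d]: %s\n", CONFDB_PAM_P11_URI, ret, sss_strerror(ret)`. The result is allocated against `mctx` (the second argument of the call), so its lifetime is tied to the caller's context rather than to the request; that is presumably intended but worth a one-line comment at the `char *uri = NULL;` declaration in the first hunk. check_cert starts and ends outside these hunks.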
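Review bot: The `extra_args` array is bumped from 14 to 16 for the new `--uri` pair, but nothing in the hunk relates that size to the number of optional pairs pushed through `arg_c++`, and the `{ NULL }` initializer only leaves a terminating NULL if arg_c stays strictly below the array length. A named size with a comment would make the invariant visible, e.g. `/* one slot per optional "--opt value" token, plus the terminating NULL */` on the declaration, or a `sizeof extra_args / sizeof extra_args[0]` check before the array is handed to the child; whether such a check already exists later cannot be seen here, since pam_check_cert_send continues outside the hunk. The URI itself is forwarded as a single argv element without interpretation, which is appropriate for an admin-controlled sssd.conf value; a short comment next to the `--uri` push saying the child is responsible for parsing it would document that division of responsibility.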