Passwordless-gdm

Makefile.am

@@ -318,6 +318,8 @@ if HAVE_CMOCKA
         test_sssd_krb5_locator_plugin \
         test_confdb \
         test_krb5_idp_plugin \
+        test_sss_pam_data \
+        test_pamsrv_json \
         $(NULL)
 
 
@@ -745,6 +747,7 @@ dist_noinst_HEADERS = \
     src/responder/common/cache_req/cache_req_private.h \
     src/responder/pam/pamsrv.h \
     src/responder/pam/pam_helpers.h \
+    src/responder/pam/pamsrv_json.h \
     src/responder/pam/pamsrv_passkey.h \
     src/responder/nss/nss_private.h \
     src/responder/nss/nss_protocol.h \
@@ -1513,6 +1516,7 @@ endif
 sssd_pam_SOURCES = \
     src/responder/pam/pamsrv.c \
     src/responder/pam/pamsrv_cmd.c \
+    src/responder/pam/pamsrv_json.c \
     src/responder/pam/pamsrv_p11.c \
     src/responder/pam/pamsrv_dp.c \
     src/responder/pam/pamsrv_gssapi.c \
@@ -1534,6 +1538,7 @@ sssd_pam_LDADD = \
     $(SELINUX_LIBS) \
     $(PAM_LIBS) \
     $(GSSAPI_KRB5_LIBS) \
+    $(JANSSON_LIBS) \
     libsss_certmap.la \
     $(SSSD_INTERNAL_LTLIBS) \
     libsss_iface.la \
@@ -2561,6 +2566,7 @@ pam_srv_tests_SOURCES = \
     src/tests/cmocka/common_utils.c \
     src/sss_client/pam_message.c \
     src/responder/pam/pamsrv_cmd.c \
+    src/responder/pam/pamsrv_json.c \
     src/responder/pam/pamsrv_p11.c \
     src/responder/pam/pamsrv_gssapi.c \
     src/responder/pam/pam_helpers.c \
@@ -2589,6 +2595,7 @@ pam_srv_tests_LDADD = \
     $(SSSD_LIBS) \
     $(SSSD_INTERNAL_LTLIBS) \
     $(GSSAPI_KRB5_LIBS) \
+    $(JANSSON_LIBS) \
     libsss_test_common.la \
     libsss_idmap.la \
     libsss_certmap.la \
@@ -2599,6 +2606,60 @@ if BUILD_PASSKEY
      pam_srv_tests_SOURCES += src/responder/pam/pamsrv_passkey.c
 endif # BUILD_PASSKEY
 
+test_pamsrv_json_SOURCES = \
+    $(TEST_MOCK_RESP_OBJ) \
+    src/responder/pam/pamsrv_cmd.c \
+    src/responder/pam/pamsrv_json.c \
+    src/responder/pam/pamsrv_p11.c \
+    src/responder/pam/pamsrv_gssapi.c \
+    src/responder/pam/pam_helpers.c \
+    src/responder/pam/pamsrv_dp.c \
+    src/responder/pam/pam_prompting_config.c \
+    src/sss_client/pam_sss_prompt_config.c \
+    src/tests/cmocka/test_pamsrv_json.c \
+    $(NULL)
+if BUILD_PASSKEY
+    test_pamsrv_json_SOURCES += src/responder/pam/pamsrv_passkey.c
+endif # BUILD_PASSKEY
+test_pamsrv_json_CFLAGS = \
+    $(AM_CFLAGS) \
+    $(NULL)
+test_pamsrv_json_LDFLAGS = \
+    -Wl,-wrap,json_array_append_new \
+    $(NULL)
+test_pamsrv_json_LDADD = \
+    $(LIBADD_DL) \
+    $(CMOCKA_LIBS) \
+    $(PAM_LIBS) \
+    $(SSSD_LIBS) \
+    $(SSSD_INTERNAL_LTLIBS) \
+    $(JANSSON_LIBS) \
+    $(GSSAPI_KRB5_LIBS) \
+    $(TALLOC_LIBS) \
+    libsss_test_common.la \
+    libsss_idmap.la \
+    libsss_certmap.la \
+    libsss_iface.la \
+    libsss_sbus.la \
+    $(NULL)
+
+test_sss_pam_data_SOURCES = \
+    src/util/sss_pam_data.c \
+    src/tests/cmocka/test_sss_pam_data.c \
+    $(NULL)
+test_sss_pam_data_CFLAGS = \
+    $(AM_CFLAGS) \
+    $(NULL)
+test_sss_pam_data_LDFLAGS = \
+    $(NULL)
+test_sss_pam_data_LDADD = \
+    $(CMOCKA_LIBS) \
+    $(SSSD_LIBS) \
+    $(SSSD_INTERNAL_LTLIBS) \
+    $(TALLOC_LIBS) \
+    libsss_test_common.la \
+    $(NULL)
+
 EXTRA_ssh_srv_tests_DEPENDENCIES = \
     $(ldblib_LTLIBRARIES) \
     $(NULL)

src/confdb/confdb.h

@@ -150,6 +150,7 @@
 #define CONFDB_PAM_PASSKEY_AUTH "pam_passkey_auth"
 #define CONFDB_PAM_PASSKEY_CHILD_TIMEOUT "passkey_child_timeout"
 #define CONFDB_PAM_PASSKEY_DEBUG_LIBFIDO2 "passkey_debug_libfido2"
+#define CONFDB_PAM_JSON_SERVICES "pam_json_services"
 
 /* SUDO */
 #define CONFDB_SUDO_CONF_ENTRY "config/sudo"

src/config/SSSDConfig/sssdoptions.py

@@ -113,6 +113,7 @@ def __init__(self):
         'pam_passkey_auth': _('Allow passkey device authentication.'),
         'passkey_child_timeout': _('How many seconds will pam_sss wait for passkey_child to finish'),
         'passkey_debug_libfido2': _('Enable debugging in the libfido2 library'),
+        'pam_json_services': _('Enable JSON protocol for authentication methods selection.'),
 
         # [sudo]
         'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'),

src/config/cfg_rules.ini

@@ -141,6 +141,7 @@ option = pam_gssapi_indicators_map
 option = pam_passkey_auth
 option = passkey_child_timeout
 option = passkey_debug_libfido2
+option = pam_json_services
 
 [rule/allowed_sudo_options]
 validator = ini_allowed_options

src/config/etc/sssd.api.conf

@@ -86,6 +86,7 @@ pam_gssapi_indicators_map = str, None, false
 pam_passkey_auth = bool, None, false
 passkey_child_timeout = int, None, false
 passkey_debug_libfido2 = bool, None, false
+pam_json_services = str, None, false
 
 [sudo]
 # sudo service

src/external/pam.m4

@@ -39,3 +39,10 @@ AC_SUBST(GDM_PAM_EXTENSIONS_CFLAGS)
 AS_IF([test x"$found_gdm_pam_extensions" = xyes],
       [AC_DEFINE_UNQUOTED(HAVE_GDM_PAM_EXTENSIONS, 1,
                           [Build with gdm-pam-extensions support])])
+
+AS_IF([test x"$found_gdm_pam_extensions" = xyes],
+      [AC_CHECK_HEADER([gdm/gdm-custom-json-pam-extension.h],
+                       [AC_DEFINE_UNQUOTED(HAVE_GDM_CUSTOM_JSON_PAM_EXTENSION, 1,
+                            [Build with gdm-custom-json-pam-extension support])])])
+AM_CONDITIONAL([HAVE_GDM_CUSTOM_JSON_PAM_EXTENSION],
+               [test x"$found_gdm_pam_extensions" = xyes])

src/man/Makefile.am

@@ -61,9 +61,12 @@ endif
 if BUILD_ID_PROVIDER_IDP
 IDP_CONDS = ;with_idp_provider
 endif
+if HAVE_GDM_CUSTOM_JSON_PAM_EXTENSION
+JSON_PAM_CONDS = ;build_json_pam
+endif
 
 
-CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(SUBID_CONDS)$(PASSKEY_CONDS)$(SSSD_NON_ROOT_USER_CONDS)$(LIBNL_CONDS)$(IDP_CONDS)
+CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(GPO_CONDS)$(SYSTEMD_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(KCM_RENEWAL_CONDS)$(LOCKFREE_CLIENT_CONDS)$(HAVE_INOTIFY_CONDS)$(SUBID_CONDS)$(PASSKEY_CONDS)$(SSSD_NON_ROOT_USER_CONDS)$(LIBNL_CONDS)$(IDP_CONDS)$(JSON_PAM_CONDS)
 
 
 #Special Rules:

src/man/sssd.conf.5.xml

@@ -1749,6 +1749,11 @@ pam_p11_allowed_services = +my_pam_service, -login
                                         gdm-password
                                     </para>
                                 </listitem>
+                                <listitem>
+                                    <para>
+                                        gdm-switchable-auth
+                                    </para>
+                                </listitem>
                                 <listitem>
                                     <para>
                                         kdm
@@ -1973,6 +1978,34 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
                         </para>
                     </listitem>
                 </varlistentry>
+                <varlistentry condition="build_json_pam">
+                    <term>pam_json_services (string)</term>
+                    <listitem>
+                        <para>
+                            Comma separated list of PAM services which can
+                            handle the JSON protocol for selecting
+                            authentication mechanisms
+                        </para>
+                        <para>
+                            To disable JSON protocol, set this option
+                            to <quote>-</quote> (dash).
+                        </para>
+                        <para>
+                            Example:
+                            <programlisting>
+pam_json_services = gdm-switchable-auth
+                            </programlisting>
+                        </para>
+                        <para>
+                            Default: - (JSON protocol is disabled)
+                        </para>
+                        <para>
+                           Note: 2-Factor Authentication (2FA) is not
+                           supported. If 2FA is required, do not
+                           activate the JSON protocol.
+                        </para>
+                    </listitem>
+                </varlistentry>
             </variablelist>
         </refsect2>
 

src/providers/krb5/krb5_auth.c

@@ -1282,10 +1282,14 @@ int krb5_auth_recv(struct tevent_req *req, int *pam_status, int *dp_err)
 }
 
 struct krb5_pam_handler_state {
+    struct tevent_context *ev;
+    struct be_ctx *be_ctx;
     struct pam_data *pd;
+    struct krb5_ctx *krb5_ctx;
 };
 
 static void krb5_pam_handler_auth_done(struct tevent_req *subreq);
+static void krb5_pam_handler_auth_retry_done(struct tevent_req *subreq);
 static void krb5_pam_handler_access_done(struct tevent_req *subreq);
 
 struct tevent_req *
@@ -1305,7 +1309,10 @@ krb5_pam_handler_send(TALLOC_CTX *mem_ctx,
         return NULL;
     }
 
+    state->ev = params->ev;
+    state->be_ctx = params->be_ctx;
     state->pd = pd;
+    state->krb5_ctx = krb5_ctx;
 
     switch (pd->cmd) {
         case SSS_PAM_AUTHENTICATE:
@@ -1372,6 +1379,49 @@ static void krb5_pam_handler_auth_done(struct tevent_req *subreq)
         state->pd->pam_status = PAM_SYSTEM_ERR;
     }
 
+    if (state->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM
+        && state->pd->pam_status == PAM_TRY_AGAIN) {
+        /* Reset this to fork a new krb5_child in handle_child_send() */
+        state->pd->child_pid = 0;
+        subreq = krb5_auth_queue_send(state, state->ev, state->be_ctx, state->pd,
+                                      state->krb5_ctx);
+        if (subreq == NULL) {
+            goto done;
+        }
+
+        tevent_req_set_callback(subreq, krb5_pam_handler_auth_retry_done, req);
+        return;
+    }
+
+    /* PAM_CRED_ERR is used to indicate to the IPA provider that trying
+     * password migration would make sense. From this point on it isn't
+     * necessary to keep this status, so it can be translated to PAM_AUTH_ERR.
+     */
+    if (state->pd->pam_status == PAM_CRED_ERR) {
+        state->pd->pam_status = PAM_AUTH_ERR;
+    }
+
+done:
+    /* TODO For backward compatibility we always return EOK to DP now. */
+    tevent_req_done(req);
+}
+
+static void krb5_pam_handler_auth_retry_done(struct tevent_req *subreq)
+{
+    struct krb5_pam_handler_state *state;
+    struct tevent_req *req;
+    errno_t ret;
+
+    req = tevent_req_callback_data(subreq, struct tevent_req);
+    state = tevent_req_data(req, struct krb5_pam_handler_state);
+
+    ret = krb5_auth_queue_recv(subreq, &state->pd->pam_status, NULL);
+    talloc_free(subreq);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "krb5_auth_recv request failed.\n");
+        state->pd->pam_status = PAM_SYSTEM_ERR;
+    }
+
     /* PAM_CRED_ERR is used to indicate to the IPA provider that trying
      * password migration would make sense. From this point on it isn't
      * necessary to keep this status, so it can be translated to PAM_AUTH_ERR.