pam: apply SIDs from PAC to authentication indicators#8571

Open
sumit-bose wants to merge 3 commits into SSSD:master from sumit-bose:pac_ama
Conversation

@sumit-bose
Contributor

This patch reads the PAC of a Kerberos ticket while evaluating the
authentication indicators of the Kerberos ticket during a pam_sss_gss
request. Based on the value of the pam_gssapi_indicators_apply option
the found SIDs might add additional authentication indicators to the
evaluation.

The primary use case is to handle SIDs added by Active Directory's
Authentication Mechanism Assurance (AMA).


@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces the pam_gssapi_indicators_apply configuration option, which allows SSSD to assign additional authentication indicators based on information extracted from Kerberos tickets, specifically SIDs from the PAC. The implementation involves updating the configuration schema, documentation, and the PAM responder's GSSAPI logic to handle PAC data parsing and SID-to-indicator mapping. Review feedback identifies a bug where an error code is not properly set upon memory allocation failure and suggests improving the robustness of GSSAPI attribute matching to avoid partial string matches.

Comment on lines +575 to +579
if (exported == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Unable to pre-allocate indicators\n");
goto done;
}

high

If talloc_strdup fails, ret is not updated to reflect the error. It will retain its value from the previous call to ad_get_sids_from_pac. This can lead to the error being masked. You should set ret = ENOMEM; before jumping to done.

    if (exported == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Unable to pre-allocate indicators\n");
        ret = ENOMEM;
        goto done;
    }

Comment on lines 662 to +663
if (strncmp(AUTH_INDICATORS_TAG, attrs->elements[i].value,
sizeof(AUTH_INDICATORS_TAG) - 1) != 0)
sizeof(AUTH_INDICATORS_TAG) - 1) == 0) {

high

The check for AUTH_INDICATORS_TAG uses strncmp without checking the length of the attribute name. This could lead to a partial match if another attribute name starts with "auth-indicators". For consistency and correctness, it's better to perform an exact match, similar to how MSPAC_TAG is checked.

        if (attrs->elements[i].length == sizeof(AUTH_INDICATORS_TAG) - 1 &&
            strncmp(AUTH_INDICATORS_TAG, (char *)attrs->elements[i].value,
                    sizeof(AUTH_INDICATORS_TAG) - 1) == 0) {
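The partial-match problem raised in the comment above, as an added example that is not SSSD's code: `struct attr_name` is an assumed stand-in for the GSSAPI attribute buffer (length plus bytes without a NUL terminator), `tag_matches_prefix` mirrors the hunk's prefix-only check and `tag_matches_exact` the suggested exact match.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define AUTH_INDICATORS_TAG "auth-indicators"
#define TAG_LEN (sizeof(AUTH_INDICATORS_TAG) - 1)

/* Assumed stand-in for a GSSAPI attribute name buffer, modelled on
 * gss_buffer_desc: a length and bytes that are NOT NUL-terminated. */
struct attr_name {
    size_t length;
    const void *value;
};

/* Prefix match, as in the hunk under review. The only addition here is the
 * length guard, so a short buffer is never read past its end. Any name that
 * merely starts with the tag still matches. */
int tag_matches_prefix(const struct attr_name *a)
{
    return a->length >= TAG_LEN &&
           strncmp(AUTH_INDICATORS_TAG, (const char *)a->value, TAG_LEN) == 0;
}

/* Exact match, as the review suggests: the length must equal the tag length
 * before any bytes are compared. memcmp is used because the buffer carries
 * no terminator; with equal lengths it behaves like the bounded strncmp
 * unless the buffer contains a NUL byte. */
int tag_matches_exact(const struct attr_name *a)
{
    return a->length == TAG_LEN &&
           memcmp(AUTH_INDICATORS_TAG, a->value, TAG_LEN) == 0;
}

/* Builds an attribute name from a constructed literal; the stored length
 * excludes the terminator, like a real GSS buffer. */
struct attr_name attr_from_literal(const char *s)
{
    struct attr_name a = { strlen(s), s };
    return a;
}

int main(void)
{
    /* Constructed sample names: exact, longer-with-same-prefix, shorter. */
    const char *samples[] = { "auth-indicators", "auth-indicators-extra", "auth-ind" };
    for (size_t i = 0; i < 3; i++) {
        struct attr_name a = attr_from_literal(samples[i]);
        printf("%-22s prefix=%d exact=%d\n", samples[i],
               tag_matches_prefix(&a), tag_matches_exact(&a));
    }
    return 0;
}
```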

struct samr_RidWithAttributeArray groups;
};

errno_t ad_get_sids_from_pac(TALLOC_CTX *mem_ctx,

Check warning

Code scanning / CodeQL

Poorly documented large function Warning

Poorly documented function: fewer than 2% comments for a function of 211 lines.
To make ad_get_sids_from_pac() more reusable, it is moved with its
dependencies into ad_pac_common.c
@sumit-bose sumit-bose force-pushed the pac_ama branch 2 times, most recently from 7869c3e to 6b4d62b on April 1, 2026 19:13