pam: apply SIDs from PAC to authentication indicators #8571
sumit-bose wants to merge 3 commits into SSSD:master from
Code Review
This pull request introduces the pam_gssapi_indicators_apply configuration option, which allows SSSD to assign additional authentication indicators based on information extracted from Kerberos tickets, specifically SIDs from the PAC. The implementation involves updating the configuration schema, documentation, and the PAM responder's GSSAPI logic to handle PAC data parsing and SID-to-indicator mapping. Review feedback identifies a bug where an error code is not properly set upon memory allocation failure and suggests improving the robustness of GSSAPI attribute matching to avoid partial string matches.
```c
if (strncmp(AUTH_INDICATORS_TAG, attrs->elements[i].value,
            sizeof(AUTH_INDICATORS_TAG) - 1) != 0)
            sizeof(AUTH_INDICATORS_TAG) - 1) == 0) {
```
The check for AUTH_INDICATORS_TAG uses strncmp without checking the length of the attribute name. This could lead to a partial match if another attribute name starts with "auth-indicators". For consistency and correctness, it's better to perform an exact match, similar to how MSPAC_TAG is checked.
```c
if (attrs->elements[i].length == sizeof(AUTH_INDICATORS_TAG) - 1 &&
    strncmp(AUTH_INDICATORS_TAG, (char *)attrs->elements[i].value,
            sizeof(AUTH_INDICATORS_TAG) - 1) == 0) {
```
6bddc35 to 99bcff1
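The difference between the prefix comparison in the reviewed hunk and the exact-length comparison the review suggests, as an added example (not SSSD code). It uses a local stand-in for gss_buffer_desc, an assumed tag string, and constructed attribute names.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for gss_buffer_desc (gssapi.h is not needed for this demo):
 * attribute names carry an explicit length and need not be NUL-terminated. */
struct attr_buf {
    size_t length;
    const void *value;
};

/* Tag value is an assumption for this example, not taken from SSSD. */
#define AUTH_INDICATORS_TAG "auth-indicators"

/* Prefix comparison as in the reviewed hunk: any name that merely starts
 * with the tag matches, and strncmp keeps reading until it finds a NUL or
 * a difference, so a short name that is not NUL-terminated is read past. */
static int tag_matches_prefix(const struct attr_buf *a)
{
    return strncmp(AUTH_INDICATORS_TAG, (const char *)a->value,
                   sizeof(AUTH_INDICATORS_TAG) - 1) == 0;
}

/* Exact comparison as suggested in the review: the buffer length must
 * equal the tag length before any bytes are compared, so no over-read
 * and no partial match are possible. */
static int tag_matches_exact(const struct attr_buf *a)
{
    return a->length == sizeof(AUTH_INDICATORS_TAG) - 1 &&
           memcmp(AUTH_INDICATORS_TAG, a->value, a->length) == 0;
}

/* Wrap a C string as a length-delimited buffer and run either comparison. */
int name_matches(const char *name, int exact)
{
    struct attr_buf a = { strlen(name), name };
    return exact ? tag_matches_exact(&a) : tag_matches_prefix(&a);
}

int main(void)
{
    /* Constructed sample names, including one that shares the tag prefix. */
    const char *names[] = { "auth-indicators", "auth-indicators-v2",
                            "auth", "urn:mspac:logon-info" };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-22s prefix=%d exact=%d\n", names[i],
               name_matches(names[i], 0), name_matches(names[i], 1));
    return 0;
}
```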
pbrezina
left a comment
Hi, code looks good, but it deserves a release note.
To make ad_get_sids_from_pac() more reusable it is moved with its dependencies into ad_pac_common.c.

This patch reads the PAC of a Kerberos ticket while evaluating the authentication indicators of the Kerberos ticket during a pam_sss_gss request. Based on the value of the pam_gssapi_indicators_apply option the found SIDs might add additional authentication indicators to the evaluation. The primary use case is to handle SIDs added by Active Directory's Authentication Mechanism Assurance (AMA).

:relnote: During the processing of the pam_sss_gss request SSSD will read the SID from the PAC of the Kerberos ticket and might add authentication indicators based on the value of the new option pam_gssapi_indicators_apply. The primary use case is to handle SIDs added by Active Directory's Authentication Mechanism Assurance (AMA).

Hi, thanks for the review, added. bye,
thalman
left a comment
Thanks for the work, ACK