diff options
author | Lennart Poettering <lennart@poettering.net> | 2021-05-28 18:18:54 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2021-06-01 13:31:53 +0200 |
commit | 17e7561a973495992014dd102135f15eb808ae01 (patch) | |
tree | 2ee7ecb59582619e814b9662171f75374521d7ea /src/home/pam_systemd_home.c | |
parent | 7dba77a67ed334d9336b89371b0601661609d277 (diff) | |
download | systemd-17e7561a973495992014dd102135f15eb808ae01.tar.gz |
homectl: store FIDO2 up/uv/clientPin fields in user records too
This catches up homed's FIDO2 support with cryptsetup's: we'll now store
the uv/up/clientPin configuration at enrollment in the user record JSON
data, and use it when authenticating with it.
This also adds explicit "uv" support: we'll only allow it to happen when
the client explicity said it's OK. This is then used by clients to print
a nice message suggesting "uv" has to take place before retrying
allowing it this time. This is modelled after the existing handling for
"up".
Diffstat (limited to 'src/home/pam_systemd_home.c')
-rw-r--r-- | src/home/pam_systemd_home.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/src/home/pam_systemd_home.c b/src/home/pam_systemd_home.c index 64dc532577..6c2bcbd7d7 100644 --- a/src/home/pam_systemd_home.c +++ b/src/home/pam_systemd_home.c @@ -377,7 +377,7 @@ static int handle_generic_user_record_error( } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_USER_PRESENCE_NEEDED)) { - (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Please verify presence on security token of user %s.", user_name); + (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Please confirm presence on security token of user %s.", user_name); r = user_record_set_fido2_user_presence_permitted(secret, true); if (r < 0) { @@ -385,6 +385,16 @@ static int handle_generic_user_record_error( return PAM_SERVICE_ERR; } + } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_USER_VERIFICATION_NEEDED)) { + + (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Please verify user on security token of user %s.", user_name); + + r = user_record_set_fido2_user_verification_permitted(secret, true); + if (r < 0) { + pam_syslog(handle, LOG_ERR, "Failed to set FIDO2 user verification permitted flag: %s", strerror_safe(r)); + return PAM_SERVICE_ERR; + } + } else if (sd_bus_error_has_name(error, BUS_ERROR_TOKEN_PIN_LOCKED)) { (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Security token PIN is locked, please unlock it first. (Hint: Removal and re-insertion might suffice.)"); |