
pam_systemd_home: prompt user for recovery key if homed asks for it

For accounts that have no passwords but only a recovery key homed might
ask explicitly for that. Honour the request and ask the user for it.
Lennart Poettering 2021-11-17 17:45:21 +01:00
parent c7b6051f16
commit edde3a35b4


@ -324,6 +324,33 @@ static int handle_generic_user_record_error(
return PAM_SERVICE_ERR;
}
} else if (sd_bus_error_has_name(error, BUS_ERROR_BAD_RECOVERY_KEY)) {
_cleanup_(erase_and_freep) char *newp = NULL;
assert(secret);
/* Hmm, homed asks for recovery key (because no regular password is defined maybe)? Provide it. */
if (strv_isempty(secret->password))
r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Recovery key: ");
else {
(void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Password/recovery key incorrect or not sufficient for authentication of user %s.", user_name);
r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Sorry, reenter recovery key: ");
}
if (r != PAM_SUCCESS)
return PAM_CONV_ERR; /* no logging here */
if (isempty(newp)) {
pam_syslog(handle, LOG_DEBUG, "Recovery key request aborted.");
return PAM_AUTHTOK_ERR;
}
r = user_record_set_password(secret, STRV_MAKE(newp), true);
if (r < 0) {
pam_syslog(handle, LOG_ERR, "Failed to store recovery key: %s", strerror_safe(r));
return PAM_SERVICE_ERR;
}
} else if (sd_bus_error_has_name(error, BUS_ERROR_BAD_PASSWORD_AND_NO_TOKEN)) {
_cleanup_(erase_and_freep) char *newp = NULL;
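Review bot: The `true` passed to `user_record_set_password()` in the new BUS_ERROR_BAD_RECOVERY_KEY branch is undocumented, although it decides how the recovery key is placed relative to any password already held in `secret`. Assuming the third parameter is the prepend flag, a comment such as `/* prepend: the freshly entered recovery key is tried before older entries */` would make that explicit. The same comment block should state the secret's lifetime: `newp` is wiped by `erase_and_freep` on every return path, while the copy that `user_record_set_password()` presumably stores in `secret` outlives this function and must be erased by whoever owns that record, which matters because a recovery key is a long-lived credential. The re-prompt path reports a rejected key only to the user via `pam_prompt(..., PAM_ERROR_MSG, ...)`; whether repeated failures are bounded or logged is decided outside this hunk (the function body starts and continues beyond the visible lines), so that is worth confirming in the caller.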