mirror of
https://github.com/systemd/systemd.git
synced 2024-10-30 23:21:22 +03:00
pam_systemd_home: prompt user for recovery key if homed asks for it
For accounts that have no passwords but only a recovery key, homed might explicitly ask for that key. Honour the request and prompt the user for it.
parent
c7b6051f16
commit
edde3a35b4
@ -324,6 +324,33 @@ static int handle_generic_user_record_error(
|
||||
return PAM_SERVICE_ERR;
|
||||
}
|
||||
|
||||
} else if (sd_bus_error_has_name(error, BUS_ERROR_BAD_RECOVERY_KEY)) {
|
||||
_cleanup_(erase_and_freep) char *newp = NULL;
|
||||
|
||||
assert(secret);
|
||||
|
||||
/* Hmm, homed asks for recovery key (because no regular password is defined maybe)? Provide it. */
|
||||
|
||||
if (strv_isempty(secret->password))
|
||||
r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Recovery key: ");
|
||||
else {
|
||||
(void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Password/recovery key incorrect or not sufficient for authentication of user %s.", user_name);
|
||||
r = pam_prompt(handle, PAM_PROMPT_ECHO_OFF, &newp, "Sorry, reenter recovery key: ");
|
||||
}
|
||||
if (r != PAM_SUCCESS)
|
||||
return PAM_CONV_ERR; /* no logging here */
|
||||
|
||||
if (isempty(newp)) {
|
||||
pam_syslog(handle, LOG_DEBUG, "Recovery key request aborted.");
|
||||
return PAM_AUTHTOK_ERR;
|
||||
}
|
||||
|
||||
r = user_record_set_password(secret, STRV_MAKE(newp), true);
|
||||
if (r < 0) {
|
||||
pam_syslog(handle, LOG_ERR, "Failed to store recovery key: %s", strerror_safe(r));
|
||||
return PAM_SERVICE_ERR;
|
||||
}
|
||||
|
||||
} else if (sd_bus_error_has_name(error, BUS_ERROR_BAD_PASSWORD_AND_NO_TOKEN)) {
|
||||
_cleanup_(erase_and_freep) char *newp = NULL;
|
||||
|
||||
|
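Review bot: The call `user_record_set_password(secret, STRV_MAKE(newp), true)` in the new BUS_ERROR_BAD_RECOVERY_KEY branch stores the recovery key in the ordinary password list and passes a bare `true`, and neither choice is explained. A short comment above the call, for example `/* homed accepts recovery keys via the password field */`, would help, as would naming the flag inline (e.g. `/* prepend = */ true`, if that is the parameter's name). If the flag keeps earlier entries, a password or key that homed already rejected stays in `secret` and is presumably sent again on each retry, so it is worth confirming that this is intended. The use of `erase_and_freep` on `newp` and `PAM_PROMPT_ECHO_OFF` for both prompts looks right for secret material. The enclosing function handle_generic_user_record_error() starts and ends outside this hunk, so the retry bound cannot be checked from here.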