Passwordless-gdm for sssd-2-9 #8267
base: sssd-2-9
Conversation
Code Review
This pull request introduces the passwordless-gdm feature, which is a significant enhancement. The changes involve a major refactoring of the authentication handling in krb5_child.c to better support multiple authentication methods, and the introduction of a new JSON-based protocol for authentication selection with GDM. The refactoring is well-structured and improves maintainability by separating the request and answer phases of authentication. The new JSON handling logic is implemented in pamsrv_json.c.
My review found a couple of critical issues in the new code that could lead to crashes. One is a classic C bug with a shadowed loop variable, and the other is a potential NULL pointer dereference when handling JSON data. I've provided specific comments and suggestions for fixes.
Overall, this is a great feature addition. Once the identified issues are addressed, this PR should be in good shape.
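The two bug classes named in the review above (a shadowed loop variable and an unchecked NULL from a lookup over reply data), shown side by side in a constructed C example added here. This is not code from this PR or from SSSD; the struct, enum and function names are hypothetical, and the sample list is made up.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reply entry: a type tag plus a value, kept in a singly linked
 * list that also happens to be laid out as a contiguous array below. */
struct resp_entry {
    int type;
    const char *value;
    struct resp_entry *next;
};

/* Hypothetical type tags for the constructed sample data. */
enum { RESP_PASSWORD = 1, RESP_OAUTH2 = 2, RESP_SMARTCARD = 3 };

/* Returns the first entry of the requested type, or NULL if none exists.
 * NULL is part of the contract, so every caller has to check for it. */
const struct resp_entry *find_resp(const struct resp_entry *head, int type)
{
    const struct resp_entry *cur;
    for (cur = head; cur != NULL; cur = cur->next) {
        if (cur->type == type) {
            return cur;
        }
    }
    return NULL;
}

/* Unsafe caller: dereferences the lookup result without a NULL check.
 * Works while the type is present and crashes the moment it is not. */
size_t value_len_unchecked(const struct resp_entry *head, int type)
{
    const struct resp_entry *e = find_resp(head, type);
    return strlen(e->value);   /* NULL dereference when type is absent */
}

/* Hardened caller: an absent type (or a NULL value) is reported as -1
 * instead of being dereferenced; otherwise the value length is returned. */
long value_len_checked(const struct resp_entry *head, int type)
{
    const struct resp_entry *e = find_resp(head, type);
    if (e == NULL || e->value == NULL) {
        return -1;
    }
    return (long)strlen(e->value);
}

/* Shadowed loop variable: the inner `size_t i` hides the loop index, so the
 * body inspects items[0] on every iteration and the count is wrong.
 * gcc -Wshadow reports this; it is silent under plain -Wall. */
int count_type_buggy(const struct resp_entry *items, size_t n, int type)
{
    size_t i;
    int count = 0;
    for (i = 0; i < n; i++) {
        size_t i = 0;                 /* BUG: shadows the outer i */
        if (items[i].type == type) {
            count++;
        }
    }
    return count;
}

/* Corrected version: no inner declaration, each element is inspected once. */
int count_type_fixed(const struct resp_entry *items, size_t n, int type)
{
    size_t i;
    int count = 0;
    for (i = 0; i < n; i++) {
        if (items[i].type == type) {
            count++;
        }
    }
    return count;
}

/* Constructed sample: two password entries, one OAuth2 entry, no smartcard. */
static struct resp_entry sample[] = {
    { RESP_PASSWORD, "hunter2",         &sample[1] },
    { RESP_OAUTH2,   "device-code-xyz", &sample[2] },
    { RESP_PASSWORD, "spare",           NULL },
};

const struct resp_entry *sample_head(void) { return &sample[0]; }
size_t sample_len(void) { return sizeof(sample) / sizeof(sample[0]); }

int main(void)
{
    printf("smartcard present: %s\n",
           find_resp(sample_head(), RESP_SMARTCARD) ? "yes" : "no");
    printf("checked len (smartcard): %ld\n",
           value_len_checked(sample_head(), RESP_SMARTCARD));
    printf("password count buggy=%d fixed=%d\n",
           count_type_buggy(sample_head(), sample_len(), RESP_PASSWORD),
           count_type_fixed(sample_head(), sample_len(), RESP_PASSWORD));
    return 0;
}
```

The checked variant turns the missing-type case into a return code the PAM code path can act on, and building with -Wshadow is the cheap way to catch the loop-index shadowing before review does.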
JFTR: I think such a massive change and big RFE isn't the best fit for an LTM branch...
This needs to incorporate #8296
34c110d to befff69
I rebased on top of sssd-2-9 and included the changes from #8296 in this PR
Hi, so far my tests went well, I opened freeipa/freeipa#8075 to get some broader testing. bye,
Ah, looks like I have to create a Fedora-43 build as well.
This API gets the selected response type data from the response_data linked list. Includes unit tests. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com> Signed-off-by: Ray Strode <halfline@redhat.com>
Integration with GDM requests two prompts for EIdP so adding them to prompt_config structure. In addition, implement all the functions needed to manipulate the structure for these new prompts. Finally, add unit-tests for the new functions. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Return `prompt_config` structure in `pam_eval_prompting_config` to tune the prompts from the SSSD config in the GUI. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Implement a set of functions to check the available authentication mechanisms and their associated data, and generate a JSON message with it. This JSON formatted message will be consumed by apps that provide GUI login (i.e. GDM). Currently, the implementation only takes into account password and OAUTH2 mechanisms. Include unit tests to check the implemented functions. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Implement a set of functions to unpack the JSON reply from the GUI. Include unit tests to check the implemented functions. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Implement a function to check whether the PAM service file in use is enabled for the JSON protocol. This helps us filter which applications are compatible with this protocol. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
This new option is used to enable the JSON protocol in the PAM responder based on the PAM service file in use.
:config: A new option `pam_json_services` is now available to enable the JSON protocol to communicate the available authentication mechanisms.
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Call JSON message generation function and fill the data structure containing the response_data linked list. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Forward the available authentication mechanisms and their associated data message to the GUI login using a PAM conversation. Then, obtain the reply and forward it to the responder, so that it can parse it. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com> Signed-off-by: Ray Strode <halfline@redhat.com>
Parse GUI reply and set the appropriate data in `sss_auth_token` structure. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Include JSON message where applies. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
It returns NULL on error, but this wasn't checked. Fixes: ceeffa9 ("Responder: generate JSON message for GUI") Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Integration with GDM requests two prompts for smartcard so modifying the prompt_config structure. In addition, implement all the functions needed to manipulate the structure for these new prompts. Finally, add unit-tests for the new functions. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
This API gets all the elements with the selected response type data from the response_data linked list. Includes unit tests. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Implement a set of functions to retrieve the smartcard data and generate the JSON message with it. Implement new unit test and adapt the existing ones to take into account the new data. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Parse GUI reply for smartcard and set the appropriate data in `sss_auth_token` structure. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Several of the functions in `pamsrv_json` had lots of arguments and I'm about to add more for the passkey authentication mechanism. Reduce these arguments by creating a structure that will contain all these data. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Include the certificate data in the JSON messages to set it in the authtok structure more easily. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Include the certificate data in the JSON message to set it in the authtok structure more easily. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
This is needed by `pamsrv_json.c`, so let's make it public. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Implement a set of functions to retrieve the passkey data and generate the JSON message with it. Implement new unit test and adapt the existing ones to take into account the new data. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
`sss_authtok_set_local_passkey_pin` provides a way to set the passkey PIN in the authtok structure for local passkey authentication. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Parse GUI reply for passkey and set the appropriate data in `sss_auth_token` structure. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
During the `preauthentication` phase krb5_child checks for the available authentication methods for the given user, advertises them and the process is kept alive. Once the state is changed to `authentication` the same krb5_child process processes the credentials and proceeds with the authentication itself. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
defaults The `pam_p11_allowed_services` option now includes `gdm-switchable-auth` as one of the default allowed PAM services for smartcard authentication. The service was added alongside the other GDM-related services (gdm-smartcard and gdm-password) for logical grouping. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
When a user's password expires after successful JSON authentication, the fallback to traditional password change fails. Add PAM_CLI_FLAGS_CHAUTHTOK_PREAUTH flag to distinguish password change preauth from normal authentication preauth. When this flag is set, the PAM responder skips JSON message generation and returns traditional preauth data instead. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Use `pam_get_auth_types()` to detect the available mechanisms for a user. Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Add a note to clarify that 2FA isn't supported in the JSON protocol and fix man page compilation for the `pam_json_services` option.
:feature: Unified passwordless login in the GUI. SSSD now supports a rich authentication selection interface. Users can log in with smartcards, passkey, External IdPs and passwords directly within the graphical user interface.
:packaging: SSSD now supports authentication mechanism selection through PAM using a JSON-based protocol. This feature enables passwordless authentication mechanisms in GUI login environments that support the protocol. The feature will be supported by GNOME Display Manager (GDM) starting with GNOME 50. While currently optimized for GNOME, the JSON protocol design allows for future support in other display managers. authselect is the recommended approach and will handle the necessary PAM stack modifications automatically starting with version 1.7 through the new option `with-switch-auth`, which provides a new PAM service called `switchable-auth`. Manual PAM configuration is also possible. For more technical details and implementation specifications, see the design documentation: SSSD/sssd.io#79
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Port the pre-authentication retry logic from the IPA provider to the krb5 provider, making it available to all krb5-based authentication flows. Relates: 6c1272e ("krb5: Add fallback password change support") Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
The `tokeninfo_matches()` function already handles PAM stacked tokens correctly by processing them through the 2FA single path, so the `answer_otp()` function should allow this token type to proceed. Add SSS_AUTHTOK_TYPE_PAM_STACKED to the allowed authentication token types in `answer_otp()` to restore previous functionality. Fixes: 4cb99a2 ("krb5_child: advertise authentication methods"). Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com> Reviewed-by: Justin Stephenson <jstephen@redhat.com> (cherry picked from commit df15165)
befff69 to 9c8d54f
Rebased on top of sssd-2-9
This is the implementation for the so called passwordless-gdm feature. The design page for this feature is available at SSSD/sssd.io#79.
The original patch set was reviewed at #8212 by Justin and Sumit. I've made some minor modifications to those patches:
As a reminder you can use https://copr.fedorainfracloud.org/coprs/ipedrosa/passwordles-gdm/ for testing and update authselect, mutter, gdm and gnome-shell packages. As for sssd, I'd use the build provided in this PR since it will contain the exact bits that will be shipped in RHEL.
authselect brings a new feature called `with-switchable-auth` that you should enable to use this feature. In addition, you should add the following configuration to sssd.conf:
Known limitations: