Skip to content

krb5: check authtok in answer_pkinit()#8470

Draft
sumit-bose wants to merge 1 commit intoSSSD:sssd-2-9from
sumit-bose:pkinit_pass_on
Draft

krb5: check authtok in answer_pkinit()#8470
sumit-bose wants to merge 1 commit intoSSSD:sssd-2-9from
sumit-bose:pkinit_pass_on

Conversation

@sumit-bose
Copy link
Copy Markdown
Contributor

@sumit-bose sumit-bose commented Feb 20, 2026

Currently the loop over the different Kerberos pre-authentication types might fail if PKINIT is detected but there are no related credentials.

With this patch the check is move inside of answer_pkinit() and the expected error code ERR_CHECK_NEXT_AUTH_TYPE is returned.

This patch is for the sssd-2-9 branch since the issue is already fixed as part of 4cb99a2 in the master branch.

@sumit-bose
krb5: check authtok in answer_pkinit()
18b844e 
Currently the loop over the different Kerberos pre-authentication types
might fail if PKINIT is detected but there are no related credentials.

With this patch the check is move inside of answer_pkinit() and the
expected error code ERR_CHECK_NEXT_AUTH_TYPE is returned.

This patch is for the sssd-2-9 branch since the issue is already fixed
as part of 4cb99a2 in the master
branch.
@sumit-bose sumit-bose marked this pull request as draft February 20, 2026 12:34
gemini-code-assist[bot]
gemini-code-assist Bot reviewed Feb 20, 2026
View reviewed changes
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request correctly refactors the pre-authentication logic for PKINIT by moving the authtok type check into the answer_pkinit function. This change ensures that if PKINIT is attempted without the required smart card credentials, SSSD can gracefully fall back to other authentication methods. The implementation is sound, though I've noted a minor code redundancy that results from this change, which could be cleaned up for better maintainability.

Comment thread src/providers/krb5/krb5_child.c
Comment on lines +720 to +726
type = sss_authtok_get_type(kr->pd->authtok);
if (type != SSS_AUTHTOK_TYPE_SC_PIN && type != SSS_AUTHTOK_TYPE_SC_KEYPAD) {
DEBUG(SSSDBG_MINOR_FAILURE, "Unexpected authentication token type [%s]\n",
sss_authtok_type_to_str(type));
kerr = ERR_CHECK_NEXT_AUTH_TYPE;
goto done;
}
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot Feb 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

While this check is correctly moved to the beginning of the function, it introduces redundancy with a later check. The if condition at line 750 will now always evaluate to true, making the else block at line 789 unreachable. As a follow-up, you should consider removing the redundant if-else structure (lines 750-795) and placing the code from the if block directly under if (kr->pd->cmd == SSS_PAM_AUTHENTICATE).

@alexey-tikhonov alexey-tikhonov added no-backport This should go to target branch only. Bugzilla labels Feb 23, 2026
@alexey-tikhonov
Copy link
Copy Markdown
Member

alexey-tikhonov commented Apr 16, 2026

Review done using Claude Code / claude-opus-4-6

Functional Issues

No functional issues found. The PR correctly moves the authtok type check into answer_pkinit() and returns ERR_CHECK_NEXT_AUTH_TYPE on mismatch, which the caller loop at src/providers/krb5/krb5_child.c:1309-1318 handles by continuing to the next question. The added SSS_PAM_CHAUTHTOK_PRELIM / SSS_PAM_CHAUTHTOK skip at src/providers/krb5/krb5_child.c:1286-1288 prevents PKINIT from being attempted during password changes (even if the authtok type happens to be SC_PIN/SC_KEYPAD), mirroring the existing pattern for passkey at lines 1293-1297.

Nits & Non-functional Issues

1. Comment is narrower than the code it describes

At src/providers/krb5/krb5_child.c:1284-1285:

/* Skip answer_pkinit for expired password changes, e.g. user with auth types
 * passkey AND password set */

The skip applies to all CHAUTHTOK / CHAUTHTOK_PRELIM commands, not only the "passkey AND password" scenario mentioned. The comment gives one motivating example but could mislead a reader into thinking this is a narrow workaround rather than general-purpose protection.

Confirmed Issues from Existing Review Comments

gemini-code-assist[bot] correctly identified that the type check moved to src/providers/krb5/krb5_child.c:720-726 makes the identical check at lines 750-753 always true, rendering the else branch at lines 789-795 unreachable dead code. The if/else wrapper (lines 750-795) could be simplified to just its body (lines 754-788).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

Bugzilla no-backport This should go to target branch only.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sumit-bose @alexey-tikhonov