pam_sss: prefer Smartcard authentication

The current behavior is that Smartcard authentication is preferred if possible, i.e. if a Smartcard is present. Since the Smartcard (or equivalent) must be inserted manually the assumption is that if the user has inserted it they most probably want to use it for authentication. With the latest patches pam_sss might receive multiple available authentication methods. With this patch the checks for available authentication types start Smartcard authentication to mimic the existing behavior. Resolves: #7152 Reviewed-by: Alejandro López <[email protected]> Reviewed-by: Justin Stephenson <[email protected]>
SSSD · Mar 21, 2024 · 0d5e8f1 · 0d5e8f1
1 parent e26cc69
commit 0d5e8f1
Showing 1 changed file with 11 additions and 11 deletions.
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
@@ -2544,17 +2544,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
         } else if (pi->pc != NULL) {
             ret = prompt_by_config(pamh, pi);
         } else {
-            if (flags & PAM_CLI_FLAGS_USE_2FA
-                    || (pi->otp_vendor != NULL && pi->otp_token_id != NULL
-                            && pi->otp_challenge != NULL)) {
-                if (pi->password_prompting) {
-                    ret = prompt_2fa(pamh, pi, _("First Factor: "),
-                                     _("Second Factor (optional): "));
-                } else {
-                    ret = prompt_2fa(pamh, pi, _("First Factor: "),
-                                     _("Second Factor: "));
-                }
-            } else if (pi->cert_list != NULL) {
+            if (pi->cert_list != NULL) {
                 if (pi->cert_list->next == NULL) {
                     /* Only one certificate */
                     pi->selected_cert = pi->cert_list;
@@ -2570,6 +2560,16 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
                     || (pi->flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH)) {
                /* Use pin prompt as fallback for gdm-smartcard */
                 ret = prompt_sc_pin(pamh, pi);
+            } else if (flags & PAM_CLI_FLAGS_USE_2FA
+                    || (pi->otp_vendor != NULL && pi->otp_token_id != NULL
+                            && pi->otp_challenge != NULL)) {
+                if (pi->password_prompting) {
+                    ret = prompt_2fa(pamh, pi, _("First Factor: "),
+                                     _("Second Factor (optional): "));
+                } else {
+                    ret = prompt_2fa(pamh, pi, _("First Factor: "),
+                                     _("Second Factor: "));
+                }
             } else if (pi->passkey_prompt_pin) {
                 ret = prompt_passkey(pamh, pi,
                                      _("Insert your passkey device, then press ENTER."),