From 2dd8891d51dde6871099a268371bac156ddd560c Mon Sep 17 00:00:00 2001
From: Firstyear
Date: Thu, 21 Nov 2024 17:43:14 +1000
Subject: [PATCH] Harden transport in pam unixd (#3227)

In some cases if the transport drops out from underneath unixd, it can be difficult to diagnose and leads to inconsistent errors and output such as prompting for a password multiple times when it can't succeed. This makes it clearer that the transport had an error, and it denies the inflight authsession to prevent spurious password prompts.
---
 unix_integration/resolver/src/idprovider/kanidm.rs | 2 +-
 unix_integration/resolver/src/resolver.rs | 13 +++++++++++--
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/unix_integration/resolver/src/idprovider/kanidm.rs b/unix_integration/resolver/src/idprovider/kanidm.rs
index 63cedb4d5..b72fd289b 100644
--- a/unix_integration/resolver/src/idprovider/kanidm.rs
+++ b/unix_integration/resolver/src/idprovider/kanidm.rs
@@ -458,7 +458,7 @@ impl IdProvider for KanidmProvider {
 Ok(AuthResult::Denied)
 }
 Err(ClientError::Transport(err)) => {
- error!(?err);
+ error!(?err, "A client transport error occured.");
 Err(IdpError::Transport)
 }
 Err(ClientError::Http(StatusCode::UNAUTHORIZED, reason, opid)) => {
diff --git a/unix_integration/resolver/src/resolver.rs b/unix_integration/resolver/src/resolver.rs
index 00eea4661..7bc12edbd 100644
--- a/unix_integration/resolver/src/resolver.rs
+++ b/unix_integration/resolver/src/resolver.rs
@@ -1069,8 +1069,17 @@ impl Resolver {
 Ok(PamAuthResponse::Denied)
 }
 Ok(AuthResult::Next(req)) => Ok(req.into()),
- Err(IdpError::NotFound) => Ok(PamAuthResponse::Unknown),
- _ => Err(()),
+ Err(IdpError::NotFound) => {
+ *auth_session = AuthSession::Denied;
+
+ Ok(PamAuthResponse::Unknown)
+ }
+ Err(err) => {
+ *auth_session = AuthSession::Denied;
+
+ error!(?err, "Unable to proceed, failing the session");
+ Err(())
+ }
 }
 }
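Review bot: The new log message in the kanidm.rs hunk misspells "occurred" (`"A client transport error occured."`); since this string is what operators will search logs for when the resolver loses its connection, it should read `error!(?err, "A client transport error occurred.");`. The enclosing `match` arm and the `IdProvider` method start before the hunk.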
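Review bot: The new `Err(err)` arm in resolver.rs logs every remaining `IdpError` at error level, but the kanidm.rs hunk in this same patch already emits `error!(?err, ...)` for the transport case before returning `IdpError::Transport`, so one dropped connection now produces two error-level entries for the same event; consider `warn!` here, or a message that adds what this layer knows (that the in-flight auth session is being denied) rather than repeating the cause. The `Err(IdpError::NotFound)` arm marks the session `Denied` with no log at all, which runs against the commit's stated diagnosability goal; a `debug!("Account not found, denying auth session")` would make that state change traceable. Both arms assign `AuthSession::Denied` unconditionally and collapse the variant into `Err(())`, so if any caller relied on distinguishing a transport failure from other errors (for example to fall back to cached credentials), that distinction is lost here — worth confirming against the call site. The enclosing `match` and `Resolver` method begin before the hunk.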