Skip to content

krb5: check authtok in answer_pkinit()#8470

Draft
sumit-bose wants to merge 1 commit intoSSSD:sssd-2-9from
sumit-bose:pkinit_pass_on
Draft

krb5: check authtok in answer_pkinit()#8470
sumit-bose wants to merge 1 commit intoSSSD:sssd-2-9from
sumit-bose:pkinit_pass_on

Conversation

@sumit-bose
Copy link
Contributor

@sumit-bose sumit-bose commented Feb 20, 2026

Currently the loop over the different Kerberos pre-authentication types might fail if PKINIT is detected but there are no related credentials.

With this patch the check is move inside of answer_pkinit() and the expected error code ERR_CHECK_NEXT_AUTH_TYPE is returned.

This patch is for the sssd-2-9 branch since the issue is already fixed as part of 4cb99a2 in the master branch.

@sumit-bose
krb5: check authtok in answer_pkinit()
18b844e 
Currently the loop over the different Kerberos pre-authentication types
might fail if PKINIT is detected but there are no related credentials.

With this patch the check is move inside of answer_pkinit() and the
expected error code ERR_CHECK_NEXT_AUTH_TYPE is returned.

This patch is for the sssd-2-9 branch since the issue is already fixed
as part of 4cb99a2 in the master
branch.
@sumit-bose sumit-bose marked this pull request as draft February 20, 2026 12:34
gemini-code-assist[bot]
gemini-code-assist bot reviewed Feb 20, 2026
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request correctly refactors the pre-authentication logic for PKINIT by moving the authtok type check into the answer_pkinit function. This change ensures that if PKINIT is attempted without the required smart card credentials, SSSD can gracefully fall back to other authentication methods. The implementation is sound, though I've noted a minor code redundancy that results from this change, which could be cleaned up for better maintainability.

src/providers/krb5/krb5_child.c
Comment on lines +720 to +726
type = sss_authtok_get_type(kr->pd->authtok);
if (type != SSS_AUTHTOK_TYPE_SC_PIN && type != SSS_AUTHTOK_TYPE_SC_KEYPAD) {
DEBUG(SSSDBG_MINOR_FAILURE, "Unexpected authentication token type [%s]\n",
sss_authtok_type_to_str(type));
kerr = ERR_CHECK_NEXT_AUTH_TYPE;
goto done;
}
Copy link

@gemini-code-assist gemini-code-assist bot Feb 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

While this check is correctly moved to the beginning of the function, it introduces redundancy with a later check. The if condition at line 750 will now always evaluate to true, making the else block at line 789 unreachable. As a follow-up, you should consider removing the redundant if-else structure (lines 750-795) and placing the code from the if block directly under if (kr->pd->cmd == SSS_PAM_AUTHENTICATE).

@alexey-tikhonov alexey-tikhonov added no-backport This should go to target branch only. Bugzilla labels Feb 23, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

Bugzilla no-backport This should go to target branch only.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sumit-bose @alexey-tikhonov