author | Jakub Hrozek <jhrozek@redhat.com> | 2015-10-15 23:41:46 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-10-16 16:08:12 +0200 |
commit | f47163162cb50d00cbad1aa7ebf9a1cf8464b826 (patch) | |
tree | dad3ce3976599a6e21ca62019bc06832aac9659c | |
parent | 16204ef5ad2b2ff60654c8c6f98958d2c70c0cbb (diff) | |
SQ: Add me to previous commit
-rw-r--r-- | Makefile.am | 2 | ||||
-rw-r--r-- | src/responder/pam/pamsrv.h | 12 | ||||
-rw-r--r-- | src/responder/pam/pamsrv_cmd.c | 95 | ||||
-rw-r--r-- | src/responder/pam/pamsrv_reply.c | 90 |
4 files changed, 125 insertions, 74 deletions
diff --git a/Makefile.am b/Makefile.am index 1ab57c480..a9ff93b66 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1109,6 +1109,7 @@ sssd_pam_SOURCES = \ src/responder/pam/pamsrv.c \ src/responder/pam/pamsrv_cmd.c \ src/responder/pam/pamsrv_extract.c \ + src/responder/pam/pamsrv_reply.c \ src/responder/pam/pamsrv_p11.c \ src/responder/pam/pamsrv_dp.c \ src/responder/pam/pam_helpers.c \ @@ -1905,6 +1906,7 @@ pam_srv_tests_SOURCES = \ src/sss_client/pam_message.c \ src/responder/pam/pamsrv_cmd.c \ src/responder/pam/pamsrv_extract.c \ + src/responder/pam/pamsrv_reply.c \ src/responder/pam/pamsrv_p11.c \ src/responder/pam/pam_helpers.c \ src/responder/pam/pamsrv_dp.c \ diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h index 89d9f057d..bd9e20874 100644 --- a/src/responder/pam/pamsrv.h +++ b/src/responder/pam/pamsrv.h @@ -96,6 +96,18 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *user, bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd); +enum pam_verbosity { + PAM_VERBOSITY_NO_MESSAGES = 0, + PAM_VERBOSITY_IMPORTANT, + PAM_VERBOSITY_INFO, + PAM_VERBOSITY_DEBUG +}; + errno_t pam_forwarder_parse_data(struct cli_ctx *cctx, struct pam_data *pd); +/* PAM responder output API */ +errno_t pamsrv_exp_warn(struct pam_data *pd, + int pam_verbosity, + const char *pam_account_expired_message); + #endif /* __PAMSRV_H__ */ diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c index 2c503582b..942a966a6 100644 --- a/src/responder/pam/pamsrv_cmd.c +++ b/src/responder/pam/pamsrv_cmd.c @@ -34,13 +34,6 @@ #include "responder/common/responder_cache_req.h" #include "db/sysdb.h" -enum pam_verbosity { - PAM_VERBOSITY_NO_MESSAGES = 0, - PAM_VERBOSITY_IMPORTANT, - PAM_VERBOSITY_INFO, - PAM_VERBOSITY_DEBUG -}; - #define DEFAULT_PAM_VERBOSITY PAM_VERBOSITY_IMPORTANT static errno_t 
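Review bot: The new `pamsrv_exp_warn` prototype in pamsrv.h names its third parameter `pam_account_expired_message` while the definition in pamsrv_reply.c calls it `exp_msg`, and it declares `pam_verbosity` as plain `int` although `enum pam_verbosity` is introduced a few lines above for exactly that value. Keeping the parameter names identical in both places, and typing the second one as `enum pam_verbosity pam_verbosity` if the confdb-sourced caller value permits it, makes the contract readable from the header alone. The prototype is also the only place the function is described, so the `/* PAM responder output API */` line would be more useful as a short contract, e.g. `/* Queue an SSS_PAM_USER_INFO_ACCOUNT_EXPIRED message when pd->pam_status is PAM_ACCT_EXPIRED and the service is sshd or pam_verbosity >= PAM_VERBOSITY_INFO. */`. The Makefile.am hunks and the enum removal in pamsrv_cmd.c are mechanical and raise nothing on their own.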
@@ -53,55 +46,6 @@ pam_get_last_online_auth_with_curr_token(struct sss_domain_info *domain, static void pam_reply(struct pam_auth_req *preq); -static errno_t pack_user_info_account_expired(TALLOC_CTX *mem_ctx, - const char *user_error_message, - size_t *resp_len, - uint8_t **_resp) -{ - uint32_t resp_type = SSS_PAM_USER_INFO_ACCOUNT_EXPIRED; - size_t err_len; - uint8_t *resp; - size_t p; - - err_len = strlen(user_error_message); - *resp_len = 2 * sizeof(uint32_t) + err_len; - resp = talloc_size(mem_ctx, *resp_len); - if (resp == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n"); - return ENOMEM; - } - - p = 0; - SAFEALIGN_SET_UINT32(&resp[p], resp_type, &p); - SAFEALIGN_SET_UINT32(&resp[p], err_len, &p); - safealign_memcpy(&resp[p], user_error_message, err_len, &p); - if (p != *resp_len) { - DEBUG(SSSDBG_FATAL_FAILURE, "Size mismatch\n"); - } - - *_resp = resp; - return EOK; -} - -static void inform_account_expired(struct pam_data* pd, - const char *pam_message) -{ - size_t msg_len; - uint8_t *msg; - errno_t ret; - - ret = pack_user_info_account_expired(pd, pam_message, &msg_len, &msg); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, - "pack_user_info_account_expired failed.\n"); - } else { - ret = pam_add_response(pd, SSS_PAM_USER_INFO, msg_len, msg); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n"); - } - } -} - static bool is_domain_requested(struct pam_data *pd, const char *domain_name) { int i; @@ -303,7 +247,7 @@ static errno_t get_password_for_cache_auth(struct sss_auth_token *authtok, static errno_t add_warning_about_expiration(struct pam_data *pd, struct confdb_ctx *cdb) { - char* pam_account_expired_message; + char *pam_account_expired_message; int pam_verbosity; errno_t ret; 
@@ -316,25 +260,28 @@ static errno_t add_warning_about_expiration(struct pam_data *pd, pam_verbosity = DEFAULT_PAM_VERBOSITY; } - /* Account expiration warning is printed for sshd. If pam_verbosity - * is equal or above PAM_VERBOSITY_INFO then all services are informed - * about account expiration. - */ - if (pd->pam_status == PAM_ACCT_EXPIRED && - ((pd->service != NULL && strcasecmp(pd->service, "sshd") == 0) || - pam_verbosity >= PAM_VERBOSITY_INFO)) { + if (pd->pam_status != PAM_ACCT_EXPIRED || + ((pd->service == NULL || strcasecmp(pd->service, "sshd") != 0) || + pam_verbosity < PAM_VERBOSITY_INFO)) { + return EOK; + } - ret = confdb_get_string(cdb, pd, CONFDB_PAM_CONF_ENTRY, - CONFDB_PAM_ACCOUNT_EXPIRED_MESSAGE, "", - &pam_account_expired_message); - if (ret != EOK) { - DEBUG(SSSDBG_MINOR_FAILURE, - "Failed to get expiration message: %d:[%s].\n", - ret, sss_strerror(ret)); - goto done; - } + ret = confdb_get_string(cdb, pd, CONFDB_PAM_CONF_ENTRY, + CONFDB_PAM_ACCOUNT_EXPIRED_MESSAGE, "", + &pam_account_expired_message); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to get expiration message: %d:[%s].\n", + ret, sss_strerror(ret)); + goto done; + } - inform_account_expired(pd, pam_account_expired_message); + ret = pamsrv_exp_warn(pd, pam_verbosity, pam_account_expired_message); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to add password expiration warning: %d: %s\n", + ret, sss_strerror(ret)); + goto done; } ret = EOK; diff --git a/src/responder/pam/pamsrv_reply.c b/src/responder/pam/pamsrv_reply.c new file mode 100644 index 000000000..9cd1c88f2 --- /dev/null +++ b/src/responder/pam/pamsrv_reply.c 
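Review bot: The early-return guard that replaces the old `if` in add_warning_about_expiration negates the original condition incorrectly: the old code warned when the account was expired and (service is sshd OR verbosity >= INFO), so the negated form needs `&&` between the two inner terms, but the hunk joins them with `||`. As written the function returns EOK whenever `pam_verbosity < PAM_VERBOSITY_INFO` regardless of service, so an sshd login at the default `PAM_VERBOSITY_IMPORTANT` (the `#define DEFAULT_PAM_VERBOSITY` kept in the first pamsrv_cmd.c hunk) silently loses its account-expired message, and a non-sshd service at INFO or above never gets one either; the correct test still lives inside pamsrv_exp_warn, but the callee cannot undo the stricter caller. The guard should read `if (pd->pam_status != PAM_ACCT_EXPIRED || ((pd->service == NULL || strcasecmp(pd->service, "sshd") != 0) && pam_verbosity < PAM_VERBOSITY_INFO)) {`, and since pamsrv_exp_warn repeats the same predicate, keeping it in only one place prevents the two from drifting apart again. The new log text `Failed to add password expiration warning` sits on an account-expiry path and would be clearer as `account expiration warning`. The function's `done:` label and the rest of its body lie outside the hunk.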
@@ -0,0 +1,90 @@ +/* + SSSD + + PAM Responder + + Copyright (C) Red Hat 2015 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "util/util.h" +#include "providers/data_provider.h" +#include "responder/pam/pamsrv.h" +#include "responder/common/responder_packet.h" + +static errno_t pack_user_info_account_expired(TALLOC_CTX *mem_ctx, + const char *user_error_message, + size_t *resp_len, + uint8_t **_resp); + +errno_t pamsrv_exp_warn(struct pam_data *pd, + int pam_verbosity, + const char *exp_msg) +{ + size_t msg_len; + uint8_t *msg; + errno_t ret; + + if (pd->pam_status == PAM_ACCT_EXPIRED && + ((pd->service != NULL && strcasecmp(pd->service, "sshd") == 0) || + pam_verbosity >= PAM_VERBOSITY_INFO)) { + + ret = pack_user_info_account_expired(pd, exp_msg, &msg_len, &msg); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "pack_user_info_account_expired failed.\n"); + return ret; + } else { + ret = pam_add_response(pd, SSS_PAM_USER_INFO, msg_len, msg); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n"); + return ret; + } + } + } + + return EOK; +} + +static errno_t pack_user_info_account_expired(TALLOC_CTX *mem_ctx, + const char *user_error_message, + size_t *resp_len, + uint8_t **_resp) +{ + uint32_t resp_type = SSS_PAM_USER_INFO_ACCOUNT_EXPIRED; + size_t err_len; + uint8_t *resp; + size_t p; + + err_len = strlen(user_error_message); + *resp_len = 2 * 
sizeof(uint32_t) + err_len; + resp = talloc_size(mem_ctx, *resp_len); + if (resp == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n"); + return ENOMEM; + } + + p = 0; + SAFEALIGN_SET_UINT32(&resp[p], resp_type, &p); + SAFEALIGN_SET_UINT32(&resp[p], err_len, &p); + safealign_memcpy(&resp[p], user_error_message, err_len, &p); + if (p != *resp_len) { + DEBUG(SSSDBG_FATAL_FAILURE, "Size mismatch\n"); + } + + *_resp = resp; + return EOK; +} + |
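Review bot: In pack_user_info_account_expired the `Size mismatch` branch logs at SSSDBG_FATAL_FAILURE but then stores the buffer and returns EOK, so a response whose declared length disagreed with its contents would be queued to the client as if it were well-formed; with the current SAFEALIGN_SET_UINT32/safealign_memcpy arithmetic `p` always ends equal to `*resp_len`, but a consistency check only earns its place if it fails closed, i.e. `talloc_free(resp); return EINVAL;` after the DEBUG. `err_len` is a `size_t` packed into a `uint32_t` length field; the message comes from confdb so truncation is theoretical, but a one-line bound such as `if (err_len > UINT32_MAX) return EINVAL;` makes the wire format's limit explicit. In pamsrv_exp_warn the `else` following `return ret;` is redundant and the two checks can be flattened into sequential guards, which also removes one indentation level from the nested condition. The file declares a static prototype only to define the helper below the public function; placing the helper first would drop the forward declaration.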