Add pre-auth request

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

6 files changed, 17 insertions, 0 deletions

diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index a48a42878..a37fbbc8d 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -1374,6 +1374,7 @@ static int be_pam_handler(struct sbus_request *dbus_req, void *user_data)
 
     switch (pd->cmd) {
         case SSS_PAM_AUTHENTICATE:
+        case SSS_PAM_PREAUTH:
             target = BET_AUTH;
             break;
         case SSS_PAM_ACCT_MGMT:
diff --git a/src/providers/dp_pam_data_util.c b/src/providers/dp_pam_data_util.c
index 313948b36..8724bf936 100644
--- a/src/providers/dp_pam_data_util.c
+++ b/src/providers/dp_pam_data_util.c
@@ -43,6 +43,8 @@ static const char *pamcmd2str(int cmd) {
         return "PAM_CHAUTHTOK";
     case SSS_PAM_CHAUTHTOK_PRELIM:
         return "PAM_CHAUTHTOK_PRELIM";
+    case SSS_PAM_PREAUTH:
+        return "SSS_PAM_PREAUTH";
     default:
         return "UNKNOWN";
     }
diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
index 223448338..79e891b77 100644
--- a/src/providers/ipa/ipa_auth.c
+++ b/src/providers/ipa/ipa_auth.c
@@ -208,6 +208,7 @@ void ipa_auth(struct be_req *be_req)
 
     switch (state->pd->cmd) {
         case SSS_PAM_AUTHENTICATE:
+        case SSS_PAM_PREAUTH:
             state->ipa_auth_ctx = talloc_get_type(
                                     be_ctx->bet_info[BET_AUTH].pvt_bet_data,
                                     struct ipa_auth_ctx);
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 25caf7b78..5ce45b157 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -441,6 +441,8 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
                 goto done;
             }
             break;
+        case SSS_PAM_PREAUTH:
+            break;
         default:
             DEBUG(SSSDBG_CONF_SETTINGS, "Unexpected pam task %d.\n", pd->cmd);
             state->pam_status = PAM_SYSTEM_ERR;
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index dd6574db7..eeaa42ce7 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1455,6 +1455,12 @@ static int pam_cmd_chauthtok_prelim(struct cli_ctx *cctx) {
     return pam_forwarder(cctx, SSS_PAM_CHAUTHTOK_PRELIM);
 }
 
+static int pam_cmd_preauth(struct cli_ctx *cctx)
+{
+    DEBUG(SSSDBG_CONF_SETTINGS, "entering pam_cmd_preauth\n");
+    return pam_forwarder(cctx, SSS_PAM_PREAUTH);
+}
+
 struct cli_protocol_version *register_cli_protocol_version(void)
 {
     static struct cli_protocol_version pam_cli_protocol_version[] = {
@@ -1478,6 +1484,7 @@ struct sss_cmd_table *get_pam_cmds(void)
         {SSS_PAM_CLOSE_SESSION, pam_cmd_close_session},
         {SSS_PAM_CHAUTHTOK, pam_cmd_chauthtok},
         {SSS_PAM_CHAUTHTOK_PRELIM, pam_cmd_chauthtok_prelim},
+        {SSS_PAM_PREAUTH, pam_cmd_preauth},
         {SSS_CLI_NULL, NULL}
     };
 
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index 9a19d7d47..2895659b9 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -220,6 +220,10 @@ enum sss_cli_command {
     SSS_CMD_RENEW            = 0x00F8, /**< Renew a credential with a limited
                                         * lifetime, e.g. a Kerberos Ticket
                                         * Granting Ticket (TGT) */
+    SSS_PAM_PREAUTH          = 0x00F9, /**< Request which can be run before
+                                        * an authentication request to find
+                                        * out which authentication methods
+                                        * are available for the given user. */
 
 /* PAC responder calls */
     SSS_PAC_ADD_PAC_USER     = 0x0101,