summaryrefslogtreecommitdiffstats
path: root/src/providers/krb5
Commit message (Collapse)AuthorAgeFilesLines
* sssd: incorrect checks on length values during packet decodingMichal Židek2015-08-312-8/+8
| | | | | | | | | | https://fedorahosted.org/sssd/ticket/1697 It is safer to isolate the checked (unknown/untrusted) value on the left hand side in the conditions to avoid overflows/underflows. Reviewed-by: Petr Cech <pcech@redhat.com>
* KRB5: Use sss_unique_file when creating kdcinfo filesJakub Hrozek2015-08-171-7/+9
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* KRB5: Use sss_unique file in krb5_childJakub Hrozek2015-08-171-16/+11
| | | | | | | | In krb5_child, we intentionally don' set the owner of the temporary file, because we're not renaming it to a 'stable' name, but rather directly using it as the ccache. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* krb5: assume online state if KDC proxy is configuredSumit Bose2015-08-051-0/+6
| | | | | | | | | | | If a KDC proxy is configured a request in the KRB5 provider will assume online state even if the backend is offline without changing the state of the backend. Resolves https://fedorahosted.org/sssd/ticket/2700 Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5: do not create kdcinfo file if proxy configuration existsSumit Bose2015-08-051-0/+7
| | | | | | | Resolves https://fedorahosted.org/sssd/ticket/2652 Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* KRB5: Do not try to remove missing ccacheLukas Slebodnik2015-08-051-0/+5
| | | | | | | | | There was a misleading debug message in krb5_child [[sssd[krb5_child[16629]]]] [get_and_save_tgt] (0x0080): Failed to remove old ccache file [(null)], please remove it manually. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* krb5: do not send SSS_OTP if two factors were usedSumit Bose2015-07-291-1/+6
| | | | | | Resolves https://fedorahosted.org/sssd/ticket/2729 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* KRB5: Use the right domain for case-sensitive flagJakub Hrozek2015-07-221-1/+1
| | | | Reviewed-by: Pavel Reichl <preichl@redhat.com>
* KRB5: Return right data provider error codeLukas Slebodnik2015-07-151-1/+1
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2719 Reviewed-by: Michal Židek <mzidek@redhat.com>
* KRB5: Add and use krb5_auth_queue_send to queue requests by defaultJakub Hrozek2015-07-065-48/+199
| | | | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2701 Previously, only the krb5 provides used to queue requests, which resulted in concurrent authentication requests stepping on one another. This patch queues requests by default. Reviewed-by: Sumit Bose <sbose@redhat.com>
* krb: remove duplicit decl. of write_krb5info_filePavel Reichl2015-06-051-3/+0
| | | | | | function write_krb5info_file() was declared twice in krb5_common.h Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* krb5: new option krb5_map_userPavel Reichl2015-05-288-15/+213
| | | | | | | | | | New option `krb5_map_user` providing mapping of ID provider names to Kerberos principals. Resolves: https://fedorahosted.org/sssd/ticket/2509 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5: remove field run_as_userPavel Reichl2015-05-142-15/+0
| | | | | | run_as_user is set set but never read. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* krb5: try delayed online authentication only for single factor authSumit Bose2015-05-081-0/+7
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* krb5: save hash of the first authentication factor to the cacheSumit Bose2015-05-081-3/+23
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* krb5-child: add preauth and split 2fa token supportSumit Bose2015-05-083-21/+251
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Add pre-auth requestSumit Bose2015-05-081-0/+2
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* KRB5: Unify prototype and definitionLukas Slebodnik2015-04-011-2/+3
| | | | | | | | | The prototype of function copy_keytab_into_memory does not match the definition. One of arguments differs in constant modifier. Patch also include header file to implementation module. If should avoid such problems in future. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* KRB5: add debug hintPavel Reichl2015-03-201-1/+2
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* Add missing new lines to debug messagesLukas Slebodnik2015-03-172-2/+2
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* KRB5: More debugging for create_ccache()Jakub Hrozek2015-03-101-13/+41
| | | | | | | | It was difficult to find where the problem was without advanced techniques like strace. Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Open the PAC socket from krb5_child before dropping rootJakub Hrozek2015-01-211-0/+8
| | | | | | | | | | The PAC responder by default allows only connections from the root user. This patch opens the socket to the PAC responder before the krb5_child drops privileges so the connection seemingly comes from root. https://fedorahosted.org/sssd/ticket/2559 Reviewed-by: Sumit Bose <sbose@redhat.com>
* krb5: fix entry order in MEMORY keytabSumit Bose2015-01-191-28/+90
| | | | | | | | | | | | | | | Since krb5_kt_add_entry() adds new entries at the beginning of a MEMORY type keytab and not at the end a simple copy into a MEMORY type keytab will revert the order of the keytab entries. Since e.g. the sssd_krb5 man page give hints about where to add entries into keytab files to help SSSD to find a right entry we have to keep the order when coping a keytab into a MEMORY type keytab. This patch fixes this by doing a second copy to retain the original order. Resolves https://fedorahosted.org/sssd/ticket/2557 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* UTIL: Unify the fd_nonblocking implementationJakub Hrozek2015-01-151-2/+2
| | | | | | | The responder and child_common modules each had their own implementation. Unify it instead and add a unit test. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* krb5_child: Return ERR_NETWORK_IO on KRB5_KDCREP_SKEWJakub Hrozek2015-01-141-0/+1
| | | | | | Previously, we were only handling KRB5KRB_AP_ERR_SKEW Reviewed-by: Sumit Bose <sbose@redhat.com>
* UTIL: Allow dup-ing child pipe to a different FDJakub Hrozek2015-01-131-4/+4
| | | | | | | | | | Related to: https://fedorahosted.org/sssd/ticket/2544 Adds a new function exec_child_ex and moves setting the extra_argv[] to exec_child_ex() along with specifying the input and output fds. Reviewed-by: Sumit Bose <sbose@redhat.com>
* krb5: handle KRB5KRB_ERR_GENERIC as unspecific errorSumit Bose2014-12-171-1/+12
| | | | | | | | | | | KRB5KRB_ERR_GENERIC is a generic error and we cannot make any assumptions about the cause. If there are cases where KRB5KRB_ERR_GENERIC is returned and SSSD should behave differently this must be solved by other means. Resolves https://fedorahosted.org/sssd/ticket/2535 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* krb5_child: Initialize REALM earlierLukas Slebodnik2014-12-171-6/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Environment variable SSSD_KRB5_REALM was used to late for initialisation realm. and therefore default value NULL was used. The SSSD_KRB5_REALM (kr->realm) was used as fast_principal_realm for checking fast cache: privileged_krb5_setup -> k5c_setup_fast -> check_fast_ccache And therefore wrong principal was used when the option krb5_fast_principal is empty. [find_principal_in_keytab] (0x4000): Trying to find principal (null)@(null) in keytab. [match_principal] (0x1000): Principal matched to the sample ((null)@(null)). [get_tgt_times] (0x1000): FAST ccache must be recreated [get_tgt_times] (0x0020): krb5_cc_retrieve_cred failed [get_tgt_times] (0x0020): 1688: [-1765328243][Matching credential not found] [check_fast_ccache] (0x0040): Valid FAST TGT not found after attempting to renew it [k5c_setup_fast] (0x0020): check_fast_ccache failed. [k5c_setup_fast] (0x0020): 1956: [1432158213][Unknown code UUz 5] [privileged_krb5_setup] (0x0040): Cannot set up FAST [main] (0x0020): privileged_krb5_setup failed. [main] (0x0020): krb5_child failed! As a result of this user was not able to authenticate. Resolves: https://fedorahosted.org/sssd/ticket/2526 Reviewed-by: Sumit Bose <sbose@redhat.com>
* Skip CHAUTHTOK_PRELIM when using OTPsJakub Hrozek2014-12-131-3/+35
| | | | | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2484 When OTPs are used, we can only used each authtoken at most once. When it comes to Kerberos password changes, this was only working previously by accident, because the old authtoken was first used to verify the old password is valid and not expired and then also to acquire a chpass principal. This patch looks at the user object in LDAP to check if the user has any OTPs enabled. If he does, the CHAUTHTOK_PRELIM step is skipped completely so that the OTP can be used to acquire the chpass ticket later. Reviewed-by: Sumit Bose <sbose@redhat.com>
* KRB5: Check FAST kinit errors using get_tgt_times()Jakub Hrozek2014-12-111-13/+15
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* krb5: add wrapper for krb5_kt_have_content()Sumit Bose2014-12-071-1/+1
| | | | | | | | | krb5_kt_have_content() was introduced in MIT Kerberos 1.11. For older platforms this patch adds sss_krb5_kt_have_content() as a wrapper. Resolves https://fedorahosted.org/sssd/ticket/2518 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* KRB5: Relax DEBUG messageJakub Hrozek2014-12-031-2/+5
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* sss_atomic_write_s() return value is signedJakub Hrozek2014-12-031-1/+1
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* KRB5: Create the fast ccache in a child processJakub Hrozek2014-12-032-28/+100
| | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2503 In order to avoid calling Kerberos library calls as root, the krb5_child forks itself and recreates the FAST ccache as the SSSD user. Reviewed-by: Sumit Bose <sbose@redhat.com>
* Add extra_args to exec_child()Jakub Hrozek2014-12-031-1/+2
| | | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2503 Currently all child processes use the same arguments, the construction of argv[] is even hardcoded in exec_child(). Add an extra_args[] array that extends the common set of argvs so that we can have child-specific arguments. Also adds a unit test. Reviewed-by: Sumit Bose <sbose@redhat.com>
* krb5_child: become user earlierSumit Bose2014-12-021-38/+93
| | | | | | | The host keytab and the FAST credential cache are copied into memory early at startup to allow to drop privileges earlier. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5: add copy_keytab_into_memory()Sumit Bose2014-12-022-0/+196
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5: add copy_ccache_into_memory()Sumit Bose2014-12-022-0/+127
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5: do not fail if checking the old ccache failedSumit Bose2014-12-021-2/+5
| | | | | | https://fedorahosted.org/sssd/ticket/2510 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5: make krb5 provider view awareSumit Bose2014-12-021-6/+12
| | | | | | https://fedorahosted.org/sssd/ticket/2510 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5: Check return value of sss_krb5_princ_realmLukas Slebodnik2014-11-282-0/+13
| | | | | | | | | | sss_krb5_princ_realm set output parameter realm to NULL and len to 0 in case of failure. Clang static analysers reported warning "Null pointer passed as an argument to a 'nonnull' parameter" in function match_principal. It was possible, that realm_name with value NULL could be used in strncmp. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* KRB5: Move all ccache operations to krb5_child.cJakub Hrozek2014-11-185-244/+267
| | | | | | | | | | | | | | | | | | | The credential cache operations must be now performed by the krb5_child completely, because the sssd_be process might be running as the sssd user who doesn't have access to the ccaches. src/providers/krb5/krb5_ccache.c is still linked against libsss_krb5 until we fix Kerberos ticket renewal as non-root. Also includes a new error code that indicates that the back end should remove the old ccache attribute -- the child can't do that if it's running as the user. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* KRB5: Move checking for illegal RE to krb5_utils.cJakub Hrozek2014-11-185-48/+42
| | | | | | | | | | | | Otherwise we would have to link krb5_child with pcre and transfer the regex, which would be cumbersome. Check for illegal patterns when expanding the template instead. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* KRB5: Move ccache-related functions to krb5_ccache.cJakub Hrozek2014-11-189-709/+783
| | | | | | | | | | | | | Add a new module krb5_ccache.c that contains all ccache-related operations. The only user of this module shall be krb5_child.c as the other modules will run unprivileged and accessing the ccache requires either privileges of root or the ccache owner. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* KRB5: Drop privileges in the child, not the back endJakub Hrozek2014-11-182-21/+56
| | | | | | | | | | | | | | | | | | In future patches, sssd_be will be running as a non-privileged user, who will execute the setuid krb5_child. In this case, the child will start as root and drop the privileges as soon as possible. However, we need to also remove the privilege drop in sssd_be, because if we dropped to the user who is authenticating, we wouldn't be even allowed to execute krb5_child. The krb5_child permissions should be 4750, owned by root.sssd, to make sure only root and sssd can execute the child and if executed by sssd, the child will run as root. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* PAM: Remove authtok from PAM stack with OTPLukas Slebodnik2014-11-071-0/+14
| | | | | | | | | | | We remove the password from the PAM stack when OTP is used to make sure that other pam modules (pam-gnome-keyring, pam_mount) cannot use it anymore and have to request a password on their own. Resolves: https://fedorahosted.org/sssd/ticket/2287 Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com>
* UTIL: Remove more code duplication setting up child processesJakub Hrozek2014-11-051-16/+8
| | | | | | | | All our child processes duplicated the same code that set up the debugging all around. Instead of adding yet another copy for the selinux_child, add a common utility function. Reviewed-by: Michal Židek <mzidek@redhat.com>
* UTIL: Remove code duplication of struct ioJakub Hrozek2014-11-051-36/+2
| | | | | | | | We had struct io and the associated destructor copied twice in the code already and need it again in the SELinux provider. Instead of adding another copy, move the code to a shared subtree under util/ Reviewed-by: Michal Židek <mzidek@redhat.com>
* UTIL: Move become_user outside krb5 treeJakub Hrozek2014-10-102-207/+0
| | | | | | | | In order for several other SSSD processes to run as a non-root user, we need to move the functions to become another user to a shared space in our source tree. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Fix debug messages - trailing '.'Pavel Reichl2014-09-291-1/+1
| | | | | | Fix debug messages where '\n' was wrongly followed by '.'. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
generated by cgit (git 2.34.1) at 2024-06-07 09:56:50 +0000