| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
| |
We remove the password from the PAM stack when OTP is used to make sure
that other pam modules (pam-gnome-keyring, pam_mount) cannot use it anymore
and have to request a password on their own.
Resolves:
https://fedorahosted.org/sssd/ticket/2287
Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Design document:
https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM
Fixes:
https://fedorahosted.org/sssd/ticket/1021
Signed-off-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Sven-Thorsten Dietrich <sven@brocade.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
|
| |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2232
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
| |
Functions pam_vsyslog and pam_modutil_getlogin are not available in openpam.
This patch conditionally define macros for these function if they are not
available. Compatible macros use standard functions vsyslog, getlogin
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We need this file for declaration of pam functions
pam_get_item, pam_putenv, pam_set_data, pam_strerror, pam_set_item
There is already test in configure script for this header file,
but it was not included in pam_sss.c
sh-4.2$ git grep pam_appl.h
src/external/pam.m4:AC_CHECK_HEADERS([security/pam_appl.h ...
src/providers/data_provider_be.c:#include <security/pam_appl.h>
src/providers/proxy/proxy.h:#include <security/pam_appl.h>
src/providers/proxy/proxy_child.c:#include <security/pam_appl.h>
src/responder/pam/pamsrv.h:#include <security/pam_appl.h>
src/sss_client/pam_test_client.c:#include <security/pam_appl.h>
src/util/auth_utils.h:#include <security/pam_appl.h>
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
|
|
|
|
| |
This part was introduced in commit dba7903ba7fc04bc331004b0453938c116be3663
"PAM: close socket fd with pam_set_data"
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2271
The current krb5_child code attempts to get a TGT for the convenience of
the user using the new password after a password change operation.
However, an OTP should never be used twice, which means we can't perform
the kinit operation after chpass is finished. Instead, we only print a
PAM information instructing the user to log out and back in manually.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2232
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Warnings reported by Coverity (12463,12464)
Dereferencing a pointer that might be null pi->pam_authtok when calling strlen.
Dereferencing a pointer that might be null action when calling strncmp.
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
|
| |
PAM_SM_AUTH, PAM_SM_ACCOUNT, PAM_SM_SESSION, PAM_SM_PASSWORD
I cannot find in git history where these macro were used.
|
|
|
|
|
| |
resolves:
https://fedorahosted.org/sssd/ticket/1359
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1359
|
|
|
|
|
| |
* Protect the fd with a mutex when closing
* Set it to a safe value after closing
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1569
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The idea is to rename session provider to selinux provider. Processing
of SELinux rules has to be performed in account stack in order to ensure
that pam_selinux (which is the first module in PAM session stack) will
get the correct input from SSSD.
Processing of account PAM stack is bound to access provider. That means
we need to have two providers executed when SSS_PAM_ACCT_MGMT message
is received from PAM responder. Change in data_provider_be.c ensures
just that - after access provider finishes its actions, the control is
given to selinux provider and only after this provider finishes is the
result returned to PAM responder.
|
|
|
|
|
| |
This would cause a crash if we jump to the done: label before it
has been allocated.
|
|
|
|
|
|
|
| |
At this moment we will support only asterisk, designating "all
services".
https://fedorahosted.org/sssd/ticket/1360
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1336
|
|
|
|
|
| |
clang had reported this as "value of ret is never used", I think it
would be nice to report a meaningful error message.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1209
|
| |
|
|
|
|
| |
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
|
|
|
|
| |
Coverity #12528
|
| |
|
|
|
|
|
|
|
| |
The original return code when SSSD was not running was system_err, now
it is authinfo_unavail.
https://fedorahosted.org/sssd/ticket/1011
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/894
|
|
|
|
|
|
| |
On RHEL 5 and other older platforms, failing to set _GNU_SOURCE
early would cause some functions - such as strndup() - to be
unavailable.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/731
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/715
|
| |
|
| |
|
|
|
|
|
|
|
| |
We need to guarantee at all times that reads and writes complete
successfully. This means that they must be checked for returning
EINTR and EAGAIN, and all writes must be wrapped in a loop to
ensure that they do not truncate their output.
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
If there was a failure during a password change a wrong return value was
send back to the PAM stack.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is the second attempt to let the PAM client and the PAM responder
exchange their credentials, i.e. uid, gid and pid. Because this approach
does not require any message interchange between the client and the
server the protocol version number is not changed.
On the client side the connection is terminated it the responder is not
run by root. On the server side the effective uid and gid and the pid of
the client are available for future use.
The following additional changes are made by this patch:
- the checks of the ownership and the permissions on the PAM sockets are
enhanced
- internal error codes are introduced on the client side to generate
more specific log messages if an error occurs
|
|
|
|
|
|
|
|
|
| |
The PAM standard allows for messages of any length to be returned
to the client. We were discarding all messages of length greater
than 255. This patch dynamically allocates the message buffers so
we can pass the complete message.
This resolves https://fedorahosted.org/sssd/ticket/432
|
|
|
|
|
|
|
|
| |
Display warnings about remaining grace logins and password
expiration to the user, when LDAP Password Policies are used.
Improved detection if LDAP Password policies are supported by
LDAP Server.
|