summaryrefslogtreecommitdiffstats
path: root/src/sss_client/pam_sss.c
Commit message (Collapse)AuthorAgeFilesLines
* PAM: Remove authtok from PAM stack with OTPLukas Slebodnik2014-11-071-1/+15
| | | | | | | | | | | We remove the password from the PAM stack when OTP is used to make sure that other pam modules (pam-gnome-keyring, pam_mount) cannot use it anymore and have to request a password on their own. Resolves: https://fedorahosted.org/sssd/ticket/2287 Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com>
* PAM: Add domains= option to pam_sssDaniel Gollub2014-09-291-2/+27
| | | | | | | | | | | | | | Design document: https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM Fixes: https://fedorahosted.org/sssd/ticket/1021 Signed-off-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Sven-Thorsten Dietrich <sven@brocade.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* PAM: Test right variable after calling sss_atomic_read_sLukas Slebodnik2014-07-091-1/+1
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* PAM: add ignore_authinfo_unavail optionLukas Slebodnik2014-06-031-0/+11
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2232 Reviewed-by: Sumit Bose <sbose@redhat.com>
* PAM: Define compatible macros for some functions.Lukas Slebodnik2014-06-031-2/+2
| | | | | | | | Functions pam_vsyslog and pam_modutil_getlogin are not available in openpam. This patch conditionally define macros for these function if they are not available. Compatible macros use standard functions vsyslog, getlogin Reviewed-by: Sumit Bose <sbose@redhat.com>
* PAM: Include header file security/pam_appl.hLukas Slebodnik2014-06-031-0/+1
| | | | | | | | | | | | | | | | | | | We need this file for declaration of pam functions pam_get_item, pam_putenv, pam_set_data, pam_strerror, pam_set_item There is already test in configure script for this header file, but it was not included in pam_sss.c sh-4.2$ git grep pam_appl.h src/external/pam.m4:AC_CHECK_HEADERS([security/pam_appl.h ... src/providers/data_provider_be.c:#include <security/pam_appl.h> src/providers/proxy/proxy.h:#include <security/pam_appl.h> src/providers/proxy/proxy_child.c:#include <security/pam_appl.h> src/responder/pam/pamsrv.h:#include <security/pam_appl.h> src/sss_client/pam_test_client.c:#include <security/pam_appl.h> src/util/auth_utils.h:#include <security/pam_appl.h> Reviewed-by: Sumit Bose <sbose@redhat.com>
* PAM: macro PAM_DATA_REPLACE isn't available in openpam.Lukas Slebodnik2014-05-181-0/+2
| | | | | | | This part was introduced in commit dba7903ba7fc04bc331004b0453938c116be3663 "PAM: close socket fd with pam_set_data" Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* KRB5: Do not attempt to get a TGT after a password change using OTPJakub Hrozek2014-03-261-0/+19
| | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2271 The current krb5_child code attempts to get a TGT for the convenience of the user using the new password after a password change operation. However, an OTP should never be used twice, which means we can't perform the kinit operation after chpass is finished. Instead, we only print a PAM information instructing the user to log out and back in manually. Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
* PAM: add ignore_unknown_user optionPete Fritchman2014-03-141-0/+11
| | | | | | https://fedorahosted.org/sssd/ticket/2232 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* PAM: Test return value of strdupLukas Slebodnik2014-03-071-0/+4
| | | | | | | | | Warnings reported by Coverity (12463,12464) Dereferencing a pointer that might be null pi->pam_authtok when calling strlen. Dereferencing a pointer that might be null action when calling strncmp. Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
* CLIENT: Remove unused macrosLukas Slebodnik2014-01-241-5/+0
| | | | | PAM_SM_AUTH, PAM_SM_ACCOUNT, PAM_SM_SESSION, PAM_SM_PASSWORD I cannot find in git history where these macro were used.
* sss_client: Use SAFEALIGN_COPY_<type> macros where appropriate.Michal Zidek2013-12-031-1/+1
| | | | | resolves: https://fedorahosted.org/sssd/ticket/1359
* sss_client: Use SAFEALIGN_SETMEM_<type> macros where appropriate.Michal Zidek2013-11-151-6/+3
| | | | https://fedorahosted.org/sssd/ticket/1359
* PAM: fix handling the client fd in pam destructorJakub Hrozek2012-10-121-9/+2
| | | | | * Protect the fd with a mutex when closing * Set it to a safe value after closing
* PAM: close socket fd with pam_set_dataJakub Hrozek2012-10-111-0/+25
| | | | https://fedorahosted.org/sssd/ticket/1569
* Write SELinux config files in responder instead of PAM moduleJan Zeleny2012-07-271-95/+0
|
* Move SELinux processing from session to account PAM stackJan Zeleny2012-07-271-55/+55
| | | | | | | | | | | | | | The idea is to rename session provider to selinux provider. Processing of SELinux rules has to be performed in account stack in order to ensure that pam_selinux (which is the first module in PAM session stack) will get the correct input from SSSD. Processing of account PAM stack is bound to access provider. That means we need to have two providers executed when SSS_PAM_ACCT_MGMT message is received from PAM responder. Change in data_provider_be.c ensures just that - after access provider finishes its actions, the control is given to selinux provider and only after this provider finishes is the result returned to PAM responder.
* SSS_CLIENT: Fix uninitialized value errorStephen Gallagher2012-06-151-1/+1
| | | | | This would cause a crash if we jump to the done: label before it has been allocated.
* Provide "service filter" for SELinux contextJan Zeleny2012-06-141-0/+20
| | | | | | | At this moment we will support only asterisk, designating "all services". https://fedorahosted.org/sssd/ticket/1360
* Always use positional arguments in translatable stringsStephen Gallagher2012-05-221-2/+2
| | | | https://fedorahosted.org/sssd/ticket/1336
* PAM_SSS: report error code if write failsJakub Hrozek2012-05-021-2/+2
| | | | | clang had reported this as "value of ret is never used", I think it would be nice to report a meaningful error message.
* Convert read and write operations to sss_atomic_readJakub Hrozek2012-04-201-25/+25
| | | | https://fedorahosted.org/sssd/ticket/1209
* pam_sss: improve error handling in SELinux codeJakub Hrozek2012-04-181-3/+5
|
* pam_sss: keep selinux optionalSimo Sorce2012-02-231-0/+6
| | | | Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
* Fix missing NULL check after mallocStephen Gallagher2012-02-131-0/+4
| | | | Coverity #12528
* SELinux support in PAM moduleJan Zeleny2012-02-061-1/+60
|
* Fixed incorrect return code in PAM clientJan Zeleny2011-12-081-1/+1
| | | | | | | The original return code when SSSD was not running was system_err, now it is authinfo_unavail. https://fedorahosted.org/sssd/ticket/1011
* Cleanup: Remove unused parametersJakub Hrozek2011-11-221-8/+2
|
* Added quiet option to pam_sssPavel Březina2011-09-201-5/+25
| | | | https://fedorahosted.org/sssd/ticket/894
* Import config.h earlierStephen Gallagher2011-05-231-1/+1
| | | | | | On RHEL 5 and other older platforms, failing to set _GNU_SOURCE early would cause some functions - such as strndup() - to be unavailable.
* Set _GNU_SOURCE globallySumit Bose2011-05-231-4/+0
|
* Use neutral name for functions used by both pam and nssSimo Sorce2011-02-111-1/+1
|
* Fix wrong test in pam_sssSimo Sorce2010-12-171-1/+1
|
* Fix segfault for PAM_TEXT_INFO conversationsStephen Gallagher2010-12-161-1/+1
|
* Fix possible memory leak in do_pam_conversationSumit Bose2010-12-151-16/+28
| | | | https://fedorahosted.org/sssd/ticket/731
* Fix improper bit manipulation in pam_sssSumit Bose2010-12-141-1/+1
| | | | https://fedorahosted.org/sssd/ticket/715
* Fix cast warning for pam_sss.cStephen Gallagher2010-11-151-8/+11
|
* Avoid long long in messages to PAM client use int64_tSumit Bose2010-11-151-6/+6
|
* Properly handle read() and write() throughout the SSSDStephen Gallagher2010-06-101-1/+1
| | | | | | | We need to guarantee at all times that reads and writes complete successfully. This means that they must be checked for returning EINTR and EAGAIN, and all writes must be wrapped in a loop to ensure that they do not truncate their output.
* Add a missing free()Sumit Bose2010-06-091-0/+1
|
* Avoid a potential double-freeSumit Bose2010-06-091-0/+1
|
* Handle Krb5 password expiration warningSumit Bose2010-05-261-1/+13
|
* Add retry option to pam_sssSumit Bose2010-05-071-92/+147
|
* Improve the offline authentication messageJakub Hrozek2010-05-071-2/+2
|
* Fix wrong return valueSumit Bose2010-04-301-15/+14
| | | | | If there was a failure during a password change a wrong return value was send back to the PAM stack.
* Display a message if a password reset by root failsSumit Bose2010-04-261-8/+198
|
* Unset authentication tokens if password change failsSumit Bose2010-04-261-27/+52
|
* Use SO_PEERCRED on the PAM socketSumit Bose2010-04-161-1/+4
| | | | | | | | | | | | | | | | | This is the second attempt to let the PAM client and the PAM responder exchange their credentials, i.e. uid, gid and pid. Because this approach does not require any message interchange between the client and the server the protocol version number is not changed. On the client side the connection is terminated it the responder is not run by root. On the server side the effective uid and gid and the pid of the client are available for future use. The following additional changes are made by this patch: - the checks of the ownership and the permissions on the PAM sockets are enhanced - internal error codes are introduced on the client side to generate more specific log messages if an error occurs
* Allow arbitrary-length PAM messagesStephen Gallagher2010-03-251-3/+20
| | | | | | | | | The PAM standard allows for messages of any length to be returned to the client. We were discarding all messages of length greater than 255. This patch dynamically allocates the message buffers so we can pass the complete message. This resolves https://fedorahosted.org/sssd/ticket/432
* Improvements for LDAP Password Policy supportRalf Haferkamp2010-03-221-0/+82
| | | | | | | | Display warnings about remaining grace logins and password expiration to the user, when LDAP Password Policies are used. Improved detection if LDAP Password policies are supported by LDAP Server.
generated by cgit (git 2.34.1) at 2024-05-21 13:34:57 +0000