sssd.git/src/responder/ssh, branch ad_domain_local_groups Unnamed repository; edit this file to name it for gitweb. DP: Remove old data provider interface 2016-08-16T12:54:50+00:00 Pavel Březina pbrezina@redhat.com 2016-07-19T12:24:16+00:00 04e870d99e72aa3160bdb6ab05d986fb4005c3ed Reverse data provider interface is moved to a better location in NSS responder. All responders now can have an sbus interface defined per data provider connection. The unused old data provider interface is removed. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Reverse data provider interface is moved to a better location in
NSS responder. All responders now can have an sbus interface
defined per data provider connection. The unused old data provider
interface is removed.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
SSH-CERT: always initialize cert_verify_opts 2016-07-07T16:13:27+00:00 Sumit Bose sbose@redhat.com 2016-06-17T11:50:55+00:00 ecd48ae244dbb6490989752fba99b58d84babfa6 Currently cert_verify_opts is only initialized when there is an option in the config file. This might cause issues later when the struct is accessed. Since parse_cert_verify_opts() can already handle an empty option the additional check is not needed at all. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Currently cert_verify_opts is only initialized when there is an option
in the config file. This might cause issues later when the struct is
accessed. Since parse_cert_verify_opts() can already handle an empty
option the additional check is not needed at all.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
SSH: Use a qualified name for user searches in the SSH responder 2016-07-07T08:26:26+00:00 Jakub Hrozek jhrozek@redhat.com 2016-06-14T10:16:24+00:00 8e8dda8561e89276a891495ae84eefe2b2170193 The name is converted from whatever we receive on input to the internal format before processing the data further. Reviewed-by: Sumit Bose <sbose@redhat.com> 
The name is converted from whatever we receive on input to the internal
format before processing the data further.

Reviewed-by: Sumit Bose <sbose@redhat.com>
SSH: Do not print an error message if sss_ssh_authorizedkeys is asked for a local user 2016-07-01T13:28:33+00:00 Jakub Hrozek jhrozek@redhat.com 2016-04-28T08:31:45+00:00 fcbcfa69f9291936f01f24b5fcb5a7672dca46f3 If an IPA client uses the SSH integration and a local user logs in with SSH, the sss_ssh_authorizedkeys looks up their keys in the SSH responder, which doesn't find the user and returns ENOENT. The sss_ssh_authorizedkeys reports a failure on any error, including ENOENT which produced a confusing error message in the logs. This patch adds a new error code that handles users that are not found by SSSD but exist on the system and also special cases root with the same error code. Therefore, logging in as a local user no longer prints an error message. Resolves: https://fedorahosted.org/sssd/ticket/3003 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
If an IPA client uses the SSH integration and a local user logs in with
SSH, the sss_ssh_authorizedkeys looks up their keys in the SSH
responder, which doesn't find the user and returns ENOENT. The
sss_ssh_authorizedkeys reports a failure on any error, including ENOENT
which produced a confusing error message in the logs.

This patch adds a new error code that handles users that are not found
by SSSD but exist on the system and also special cases root with the
same error code. Therefore, logging in as a local user no longer prints
an error message.

Resolves:
https://fedorahosted.org/sssd/ticket/3003

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Responders: Make the client context more generic 2016-06-29T19:46:03+00:00 Simo Sorce simo@redhat.com 2016-01-08T22:51:06+00:00 4f3a9d837a55b49448eca3c713c85a406207e523 This is useufl to allow reusing the responder code with other protocols. Store protocol data and responder state data behind opaque pointers and use tallog_get_type to check they are of the right type. This also allows to store per responder state_ctx so that, for example, the autofs responder does not have to carry useless variables used only by the nss responder. Resolves: https://fedorahosted.org/sssd/ticket/2918 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
This is useufl to allow reusing the responder code with other protocols.
Store protocol data and responder state data behind opaque pointers and
use tallog_get_type to check they are of the right type.

This also allows to store per responder state_ctx so that, for example,
the autofs responder does not have to carry useless variables used only
by the nss responder.

Resolves:
https://fedorahosted.org/sssd/ticket/2918

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
RESPONDER: New interface for client registration 2016-06-20T12:48:47+00:00 Pavel Březina pbrezina@redhat.com 2016-05-15T18:48:13+00:00 83a79d93035c2d75a1941f3b54426119174044a0 This is just a beginning of new responder interface to data provider and it is just to make the client registration work. It needs further improvement. The idea is to take the existing interface and make it work better with further extensions of data provider. The current interface has several disadvantages such as it is originally build only for account requests and doesn't take different set of output parameters. It also doesn't work well with integration into tevent-made responders. Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
This is just a beginning of new responder interface to data provider
and it is just to make the client registration work. It needs further
improvement.

The idea is to take the existing interface and make it work better
with further extensions of data provider. The current interface has
several disadvantages such as it is originally build only for
account requests and doesn't take different set of output parameters.
It also doesn't work well with integration into tevent-made responders.

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
DP: Switch to new interface 2016-06-20T12:48:47+00:00 Pavel Březina pbrezina@redhat.com 2016-03-29T10:38:25+00:00 dea636af4d1902a081ee891f1b19ee2f8729d759 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
ssh: skip invalid certificates 2016-06-16T11:34:14+00:00 Sumit Bose sbose@redhat.com 2016-06-02T16:22:03+00:00 60787fb44924e84a0c7ddfe9d5e62e64ea1edcd1 Current an invalid certificate cause the whole ssh key lookup request to abort. Since it is possible that e.g. the LDAP user entry contains certificates where the client does not have the needed CA certificates for validation we should just ignore invalid certificates. Resolves https://fedorahosted.org/sssd/ticket/2977 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Current an invalid certificate cause the whole ssh key lookup request to
abort. Since it is possible that e.g. the LDAP user entry contains
certificates where the client does not have the needed CA certificates
for validation we should just ignore invalid certificates.

Resolves https://fedorahosted.org/sssd/ticket/2977

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
p11: add no_verification option 2016-06-09T09:58:12+00:00 Sumit Bose sbose@redhat.com 2016-03-24T19:42:12+00:00 aa35995ef056aa8ae052a47c62c6750b7adf065e Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Just return NULL if tevent_req_create() fails 2016-02-11T13:39:12+00:00 Sumit Bose sbose@redhat.com 2016-02-10T14:15:41+00:00 a0c764a36f2f432e6063de84be6f6af7e96ec159 In general we just return NULL if tevent_req_create() fails because there is nothing we can do with the request anyway. Especially tevent_req_error() should not be called because it tries to dereference req. Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
In general we just return NULL if tevent_req_create() fails because
there is nothing we can do with the request anyway. Especially
tevent_req_error() should not be called because it tries to dereference
req.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>