path: root/src/sss_client/pam_sss.c
Commit message | Author | Age | Files | Lines
* PAM/KRB5: optional otp and password prompting | Sumit Bose | 2016-07-07 | 1 | -2/+12
|   Depending on the available Kerberos pre-authentication methods pam_sss will prompt the user for a password, 2 authentication factors or both.
|   Resolves https://fedorahosted.org/sssd/ticket/2988
|   Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com>
|   Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* PAM: add pam_sss option allow_missing_name | Sumit Bose | 2016-06-09 | 1 | -4/+37
|   With this option SSSD can be used with the gdm Smartcard feature.
|   Resolves: https://fedorahosted.org/sssd/ticket/2941
|   Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* pam_sss: reorder pam_message array | Sumit Bose | 2016-03-14 | 1 | -22/+14
|   There are different expectations about how the pam_message array is organized, details can be found in the pam_conv man page. E.g. sudo was not able to handle the Linux-PAM style but expected the Solaris PAM style. With this patch both styles should work as expected.
|   Resolves https://fedorahosted.org/sssd/ticket/2971
|   Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* UTIL: Function 2string for enum sss_cli_command | Petr Cech | 2015-08-31 | 1 | -3/+3
|   Improvement of debug messages.
|   Instead of: "(0x0400): Running command [17]..."
|   We could see: "(0x0400): Running command [17][SSS_NSS_GETPWNAM]..."
|   (It's not used in sss_client. There are only hex numbers of commands.)
|   Resolves: https://fedorahosted.org/sssd/ticket/2708
|   Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* pam_sss: add sc support | Sumit Bose | 2015-07-31 | 1 | -1/+93
|   Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* pam_sss: move message encoding into separate file | Sumit Bose | 2015-05-08 | 1 | -176/+1
|   Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* pam_sss: add pre-auth and 2fa support | Sumit Bose | 2015-05-08 | 1 | -2/+233
|   Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* utils: add sss_authtok_[gs]et_2fa | Sumit Bose | 2015-05-08 | 1 | -0/+1
|   Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* pam_client: fix casting to const pointer | Lukas Slebodnik | 2015-03-26 | 1 | -7/+8
|   src/sss_client/pam_sss.c:1461:73: error: cast from 'int **' to 'const void **' must have all intermediate pointers const qualified to be safe [-Werror,-Wcast-qual]
|       pam_get_data(pamh, "pam_sss:password_expired_flag", (const void **) &exp_data);
|       ^
|   Reviewed-by: Sumit Bose <sbose@redhat.com>
* Remove useless assignment to function parameter | Lukas Slebodnik | 2015-03-02 | 1 | -1/+0
|   Reported by: cppcheck
|   void free_fun(struct info *info)
|       free(info->name);
|       free(info);
|       info = NULL;
|       ^^^^^^^^^^^
|       Assignment to function parameter has no effect outside the function.
|   Reviewed-by: Pavel Reichl <preichl@redhat.com>
* PAM: new option pam_account_expired_message | Pavel Reichl | 2015-02-23 | 1 | -1/+1
|   This option sets string to be printed when authenticating using SSH keys and account is expired.
|   Resolves: https://fedorahosted.org/sssd/ticket/2050
|   Reviewed-by: Sumit Bose <sbose@redhat.com>
* PAM: do not reject abruptly | Pavel Reichl | 2015-02-23 | 1 | -1/+63
|   If account has expired then pass message.
|   Resolves: https://fedorahosted.org/sssd/ticket/2050
|   Reviewed-by: Sumit Bose <sbose@redhat.com>
* PAM: Missing argument to domains= should fail auth | Jakub Hrozek | 2014-12-13 | 1 | -0/+6
|   When the administrator sets the domains= list, he usually wants to restrict the set of domains. An empty list is an undefined configuration and it's safer to fail then.
|   https://fedorahosted.org/sssd/ticket/2516
|   Reviewed-by: Pavel Reichl <preichl@redhat.com>
* PAM: Remove authtok from PAM stack with OTP | Lukas Slebodnik | 2014-11-07 | 1 | -1/+15
|   We remove the password from the PAM stack when OTP is used to make sure that other pam modules (pam-gnome-keyring, pam_mount) cannot use it anymore and have to request a password on their own.
|   Resolves: https://fedorahosted.org/sssd/ticket/2287
|   Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com>
* PAM: Add domains= option to pam_sss | Daniel Gollub | 2014-09-29 | 1 | -2/+27
|   Design document: https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM
|   Fixes: https://fedorahosted.org/sssd/ticket/1021
|   Signed-off-by: Pavel Reichl <preichl@redhat.com>
|   Reviewed-by: Sven-Thorsten Dietrich <sven@brocade.com>
|   Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|   Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* PAM: Test right variable after calling sss_atomic_read_s | Lukas Slebodnik | 2014-07-09 | 1 | -1/+1
|   Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* PAM: add ignore_authinfo_unavail option | Lukas Slebodnik | 2014-06-03 | 1 | -0/+11
|   Resolves: https://fedorahosted.org/sssd/ticket/2232
|   Reviewed-by: Sumit Bose <sbose@redhat.com>
* PAM: Define compatible macros for some functions. | Lukas Slebodnik | 2014-06-03 | 1 | -2/+2
|   Functions pam_vsyslog and pam_modutil_getlogin are not available in openpam. This patch conditionally defines macros for these functions if they are not available. Compatible macros use standard functions vsyslog, getlogin
|   Reviewed-by: Sumit Bose <sbose@redhat.com>
* PAM: Include header file security/pam_appl.h | Lukas Slebodnik | 2014-06-03 | 1 | -0/+1
|   We need this file for declaration of pam functions pam_get_item, pam_putenv, pam_set_data, pam_strerror, pam_set_item
|   There is already test in configure script for this header file, but it was not included in pam_sss.c
|       sh-4.2$ git grep pam_appl.h
|       src/external/pam.m4:AC_CHECK_HEADERS([security/pam_appl.h ...
|       src/providers/data_provider_be.c:#include <security/pam_appl.h>
|       src/providers/proxy/proxy.h:#include <security/pam_appl.h>
|       src/providers/proxy/proxy_child.c:#include <security/pam_appl.h>
|       src/responder/pam/pamsrv.h:#include <security/pam_appl.h>
|       src/sss_client/pam_test_client.c:#include <security/pam_appl.h>
|       src/util/auth_utils.h:#include <security/pam_appl.h>
|   Reviewed-by: Sumit Bose <sbose@redhat.com>
* PAM: macro PAM_DATA_REPLACE isn't available in openpam. | Lukas Slebodnik | 2014-05-18 | 1 | -0/+2
|   This part was introduced in commit dba7903ba7fc04bc331004b0453938c116be3663 "PAM: close socket fd with pam_set_data"
|   Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* KRB5: Do not attempt to get a TGT after a password change using OTP | Jakub Hrozek | 2014-03-26 | 1 | -0/+19
|   https://fedorahosted.org/sssd/ticket/2271
|   The current krb5_child code attempts to get a TGT for the convenience of the user using the new password after a password change operation. However, an OTP should never be used twice, which means we can't perform the kinit operation after chpass is finished. Instead, we only print a PAM information instructing the user to log out and back in manually.
|   Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
* PAM: add ignore_unknown_user option | Pete Fritchman | 2014-03-14 | 1 | -0/+11
|   https://fedorahosted.org/sssd/ticket/2232
|   Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* PAM: Test return value of strdup | Lukas Slebodnik | 2014-03-07 | 1 | -0/+4
|   Warnings reported by Coverity (12463,12464)
|   Dereferencing a pointer that might be null pi->pam_authtok when calling strlen.
|   Dereferencing a pointer that might be null action when calling strncmp.
|   Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
* CLIENT: Remove unused macros | Lukas Slebodnik | 2014-01-24 | 1 | -5/+0
|   PAM_SM_AUTH, PAM_SM_ACCOUNT, PAM_SM_SESSION, PAM_SM_PASSWORD
|   I cannot find in git history where these macros were used.
* sss_client: Use SAFEALIGN_COPY_<type> macros where appropriate. | Michal Zidek | 2013-12-03 | 1 | -1/+1
|   resolves: https://fedorahosted.org/sssd/ticket/1359
* sss_client: Use SAFEALIGN_SETMEM_<type> macros where appropriate. | Michal Zidek | 2013-11-15 | 1 | -6/+3
|   https://fedorahosted.org/sssd/ticket/1359
* PAM: fix handling the client fd in pam destructor | Jakub Hrozek | 2012-10-12 | 1 | -9/+2
|   * Protect the fd with a mutex when closing
|   * Set it to a safe value after closing
* PAM: close socket fd with pam_set_data | Jakub Hrozek | 2012-10-11 | 1 | -0/+25
|   https://fedorahosted.org/sssd/ticket/1569
* Write SELinux config files in responder instead of PAM module | Jan Zeleny | 2012-07-27 | 1 | -95/+0
|
* Move SELinux processing from session to account PAM stack | Jan Zeleny | 2012-07-27 | 1 | -55/+55
|   The idea is to rename session provider to selinux provider. Processing of SELinux rules has to be performed in account stack in order to ensure that pam_selinux (which is the first module in PAM session stack) will get the correct input from SSSD. Processing of account PAM stack is bound to access provider. That means we need to have two providers executed when SSS_PAM_ACCT_MGMT message is received from PAM responder. Change in data_provider_be.c ensures just that - after access provider finishes its actions, the control is given to selinux provider and only after this provider finishes is the result returned to PAM responder.
* SSS_CLIENT: Fix uninitialized value error | Stephen Gallagher | 2012-06-15 | 1 | -1/+1
|   This would cause a crash if we jump to the done: label before it has been allocated.
* Provide "service filter" for SELinux context | Jan Zeleny | 2012-06-14 | 1 | -0/+20
|   At this moment we will support only asterisk, designating "all services".
|   https://fedorahosted.org/sssd/ticket/1360
* Always use positional arguments in translatable strings | Stephen Gallagher | 2012-05-22 | 1 | -2/+2
|   https://fedorahosted.org/sssd/ticket/1336
* PAM_SSS: report error code if write fails | Jakub Hrozek | 2012-05-02 | 1 | -2/+2
|   clang had reported this as "value of ret is never used", I think it would be nice to report a meaningful error message.
* Convert read and write operations to sss_atomic_read | Jakub Hrozek | 2012-04-20 | 1 | -25/+25
|   https://fedorahosted.org/sssd/ticket/1209
* pam_sss: improve error handling in SELinux code | Jakub Hrozek | 2012-04-18 | 1 | -3/+5
|
* pam_sss: keep selinux optional | Simo Sorce | 2012-02-23 | 1 | -0/+6
|   Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
* Fix missing NULL check after malloc | Stephen Gallagher | 2012-02-13 | 1 | -0/+4
|   Coverity #12528
* SELinux support in PAM module | Jan Zeleny | 2012-02-06 | 1 | -1/+60
|
* Fixed incorrect return code in PAM client | Jan Zeleny | 2011-12-08 | 1 | -1/+1
|   The original return code when SSSD was not running was system_err, now it is authinfo_unavail.
|   https://fedorahosted.org/sssd/ticket/1011
* Cleanup: Remove unused parameters | Jakub Hrozek | 2011-11-22 | 1 | -8/+2
|
* Added quiet option to pam_sss | Pavel Březina | 2011-09-20 | 1 | -5/+25
|   https://fedorahosted.org/sssd/ticket/894
* Import config.h earlier | Stephen Gallagher | 2011-05-23 | 1 | -1/+1
|   On RHEL 5 and other older platforms, failing to set _GNU_SOURCE early would cause some functions - such as strndup() - to be unavailable.
* Set _GNU_SOURCE globally | Sumit Bose | 2011-05-23 | 1 | -4/+0
|
* Use neutral name for functions used by both pam and nss | Simo Sorce | 2011-02-11 | 1 | -1/+1
|
* Fix wrong test in pam_sss | Simo Sorce | 2010-12-17 | 1 | -1/+1
|
* Fix segfault for PAM_TEXT_INFO conversations | Stephen Gallagher | 2010-12-16 | 1 | -1/+1
|
* Fix possible memory leak in do_pam_conversation | Sumit Bose | 2010-12-15 | 1 | -16/+28
|   https://fedorahosted.org/sssd/ticket/731
* Fix improper bit manipulation in pam_sss | Sumit Bose | 2010-12-14 | 1 | -1/+1
|   https://fedorahosted.org/sssd/ticket/715
* Fix cast warning for pam_sss.c | Stephen Gallagher | 2010-11-15 | 1 | -8/+11
|