c0971b7e39
- Resolves: upstream#3821 - crash related to sbus_router_destructor() - Resolves: upstream#3810 - sbus2: fix memory leak in sbus_message_bound_ref - Resolves: upstream#3819 - sssd only sets the SELinux login context if it differs from the default - Resolves: upstream#3807 - The sbus codegen script relies on "python" which might not be available on all distributions - Resolves: upstream#3820 - sudo: search with lower cased name for case insensitive domains - Resolves: upstream#3701 - [RFE] Allow changing default behavior of SSSD from an allow-any default to a deny-any default when it can't find any GPOs to apply to a user login. - Resolves: upstream#3828 - Invalid domain provider causes SSSD to abort startup - Resolves: upstream#3500 - Make sure sssd is a replacement for pam_pkcs11 also for local account authentication - Resolves: upstream#3812 - sssd 2.0.0 segfaults on startup - Resolves: upstream#3826 - Remove references of sss_user/group/add/del commands in man pages since local provider is deprecated - Resolves: upstream#3827 - SSSD should log to syslog if a domain is not started due to a misconfiguration - Resolves: upstream#3830 - Printing incorrect information about domain with sssctl utility - Resolves: upstream#3489 - p11_child should work wit openssl1.0+ - Resolves: upstream#3750 - [RFE] man 5 sssd-files should mention necessary changes in nsswitch.conf - Resovles: upstream#3650 - RFE: Require smartcard authentication - Resolves: upstream#3334 - sssctl config-check does not check any special characters in domain name of domain section - Resolves: upstream#3849 - Files: The files provider always enumerates which causes duplicate when running getent passwd - Related: upstream#3855 - session not recording for local user when groups defined - Resolves: upstream#3802 - Reuse sysdb_error_to_errno() outside sysdb - Related: upstream#3493 - Remove the pysss.local interface
245 lines
11 KiB
Diff
245 lines
11 KiB
Diff
From d33a8bed5aad9135426c9ebdf101cf600685ab81 Mon Sep 17 00:00:00 2001
|
|
From: Sumit Bose <sbose@redhat.com>
|
|
Date: Tue, 18 Sep 2018 10:11:02 +0200
|
|
Subject: [PATCH 61/83] pam_sss: make flags public
|
|
|
|
To allow the PAM responder to act on the config flags set for pam_sss
|
|
the flags have to be made public first.
|
|
|
|
Related to https://pagure.io/SSSD/sssd/issue/3650
|
|
|
|
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
---
|
|
src/sss_client/pam_sss.c | 71 +++++++++++++++++++++---------------------------
|
|
src/sss_client/sss_cli.h | 9 ++++++
|
|
2 files changed, 40 insertions(+), 40 deletions(-)
|
|
|
|
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
|
|
index 59081cc..b336d1f 100644
|
|
--- a/src/sss_client/pam_sss.c
|
|
+++ b/src/sss_client/pam_sss.c
|
|
@@ -52,15 +52,6 @@
|
|
#include <libintl.h>
|
|
#define _(STRING) dgettext (PACKAGE, STRING)
|
|
|
|
-#define FLAGS_USE_FIRST_PASS (1 << 0)
|
|
-#define FLAGS_FORWARD_PASS (1 << 1)
|
|
-#define FLAGS_USE_AUTHTOK (1 << 2)
|
|
-#define FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
|
|
-#define FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4)
|
|
-#define FLAGS_USE_2FA (1 << 5)
|
|
-#define FLAGS_ALLOW_MISSING_NAME (1 << 6)
|
|
-#define FLAGS_PROMPT_ALWAYS (1 << 7)
|
|
-
|
|
#define PWEXP_FLAG "pam_sss:password_expired_flag"
|
|
#define FD_DESTRUCTOR "pam_sss:fd_destructor"
|
|
#define PAM_SSS_AUTHOK_TYPE "pam_sss:authtok_type"
|
|
@@ -1193,13 +1184,13 @@ static int get_pam_items(pam_handle_t *pamh, uint32_t flags,
|
|
pi->pam_service_size=strlen(pi->pam_service)+1;
|
|
|
|
ret = pam_get_item(pamh, PAM_USER, (const void **) &(pi->pam_user));
|
|
- if (ret == PAM_PERM_DENIED && (flags & FLAGS_ALLOW_MISSING_NAME)) {
|
|
+ if (ret == PAM_PERM_DENIED && (flags & PAM_CLI_FLAGS_ALLOW_MISSING_NAME)) {
|
|
pi->pam_user = "";
|
|
ret = PAM_SUCCESS;
|
|
}
|
|
if (ret != PAM_SUCCESS) return ret;
|
|
if (pi->pam_user == NULL) {
|
|
- if (flags & FLAGS_ALLOW_MISSING_NAME) {
|
|
+ if (flags & PAM_CLI_FLAGS_ALLOW_MISSING_NAME) {
|
|
pi->pam_user = "";
|
|
} else {
|
|
D(("No user found, aborting."));
|
|
@@ -1959,11 +1950,11 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
|
|
|
|
for (; argc-- > 0; ++argv) {
|
|
if (strcmp(*argv, "forward_pass") == 0) {
|
|
- *flags |= FLAGS_FORWARD_PASS;
|
|
+ *flags |= PAM_CLI_FLAGS_FORWARD_PASS;
|
|
} else if (strcmp(*argv, "use_first_pass") == 0) {
|
|
- *flags |= FLAGS_USE_FIRST_PASS;
|
|
+ *flags |= PAM_CLI_FLAGS_USE_FIRST_PASS;
|
|
} else if (strcmp(*argv, "use_authtok") == 0) {
|
|
- *flags |= FLAGS_USE_AUTHTOK;
|
|
+ *flags |= PAM_CLI_FLAGS_USE_AUTHTOK;
|
|
} else if (strncmp(*argv, OPT_DOMAINS_KEY, strlen(OPT_DOMAINS_KEY)) == 0) {
|
|
if (*(*argv+strlen(OPT_DOMAINS_KEY)) == '\0') {
|
|
logger(pamh, LOG_ERR, "Missing argument to option domains.");
|
|
@@ -1997,15 +1988,15 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
|
|
} else if (strcmp(*argv, "quiet") == 0) {
|
|
*quiet_mode = true;
|
|
} else if (strcmp(*argv, "ignore_unknown_user") == 0) {
|
|
- *flags |= FLAGS_IGNORE_UNKNOWN_USER;
|
|
+ *flags |= PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER;
|
|
} else if (strcmp(*argv, "ignore_authinfo_unavail") == 0) {
|
|
- *flags |= FLAGS_IGNORE_AUTHINFO_UNAVAIL;
|
|
+ *flags |= PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL;
|
|
} else if (strcmp(*argv, "use_2fa") == 0) {
|
|
- *flags |= FLAGS_USE_2FA;
|
|
+ *flags |= PAM_CLI_FLAGS_USE_2FA;
|
|
} else if (strcmp(*argv, "allow_missing_name") == 0) {
|
|
- *flags |= FLAGS_ALLOW_MISSING_NAME;
|
|
+ *flags |= PAM_CLI_FLAGS_ALLOW_MISSING_NAME;
|
|
} else if (strcmp(*argv, "prompt_always") == 0) {
|
|
- *flags |= FLAGS_PROMPT_ALWAYS;
|
|
+ *flags |= PAM_CLI_FLAGS_PROMPT_ALWAYS;
|
|
} else {
|
|
logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
|
|
}
|
|
@@ -2020,10 +2011,10 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
|
|
{
|
|
int ret;
|
|
|
|
- if ((flags & FLAGS_USE_FIRST_PASS)
|
|
+ if ((flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
|
|
|| ( pi->pamstack_authtok != NULL
|
|
&& *(pi->pamstack_authtok) != '\0'
|
|
- && !(flags & FLAGS_PROMPT_ALWAYS))) {
|
|
+ && !(flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))) {
|
|
pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
|
|
pi->pam_authtok = strdup(pi->pamstack_authtok);
|
|
if (pi->pam_authtok == NULL) {
|
|
@@ -2032,7 +2023,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
|
|
}
|
|
pi->pam_authtok_size = strlen(pi->pam_authtok);
|
|
} else {
|
|
- if (flags & FLAGS_USE_2FA
|
|
+ if (flags & PAM_CLI_FLAGS_USE_2FA
|
|
|| (pi->otp_vendor != NULL && pi->otp_token_id != NULL
|
|
&& pi->otp_challenge != NULL)) {
|
|
if (pi->password_prompting) {
|
|
@@ -2062,7 +2053,7 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
|
|
return ret;
|
|
}
|
|
|
|
- if (flags & FLAGS_FORWARD_PASS) {
|
|
+ if (flags & PAM_CLI_FLAGS_FORWARD_PASS) {
|
|
if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_PASSWORD) {
|
|
ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_authtok);
|
|
} else if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_2FA
|
|
@@ -2193,8 +2184,8 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
|
|
/* we query for the old password during PAM_PRELIM_CHECK to make
|
|
* pam_sss work e.g. with pam_cracklib */
|
|
if (pam_flags & PAM_PRELIM_CHECK) {
|
|
- if ( (getuid() != 0 || exp_data ) && !(flags & FLAGS_USE_FIRST_PASS)) {
|
|
- if (flags & FLAGS_USE_2FA
|
|
+ if ( (getuid() != 0 || exp_data ) && !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)) {
|
|
+ if (flags & PAM_CLI_FLAGS_USE_2FA
|
|
|| (pi->otp_vendor != NULL && pi->otp_token_id != NULL
|
|
&& pi->otp_challenge != NULL)) {
|
|
if (pi->password_prompting) {
|
|
@@ -2253,7 +2244,7 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
|
|
}
|
|
}
|
|
|
|
- if (flags & FLAGS_USE_AUTHTOK) {
|
|
+ if (flags & PAM_CLI_FLAGS_USE_AUTHTOK) {
|
|
pi->pam_newauthtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
|
|
pi->pam_newauthtok = strdup(pi->pamstack_authtok);
|
|
if (pi->pam_newauthtok == NULL) {
|
|
@@ -2268,7 +2259,7 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
|
|
return ret;
|
|
}
|
|
|
|
- if (flags & FLAGS_FORWARD_PASS) {
|
|
+ if (flags & PAM_CLI_FLAGS_FORWARD_PASS) {
|
|
ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_newauthtok);
|
|
if (ret != PAM_SUCCESS) {
|
|
D(("Failed to set PAM_AUTHTOK [%s], "
|
|
@@ -2376,10 +2367,10 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
|
ret = get_pam_items(pamh, flags, &pi);
|
|
if (ret != PAM_SUCCESS) {
|
|
D(("get items returned error: %s", pam_strerror(pamh,ret)));
|
|
- if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
|
|
+ if (flags & PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
|
|
ret = PAM_IGNORE;
|
|
}
|
|
- if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL
|
|
+ if (flags & PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL
|
|
&& ret == PAM_AUTHINFO_UNAVAIL) {
|
|
ret = PAM_IGNORE;
|
|
}
|
|
@@ -2393,13 +2384,13 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
|
case SSS_PAM_AUTHENTICATE:
|
|
/*
|
|
* Only do preauth if
|
|
- * - FLAGS_USE_FIRST_PASS is not set
|
|
- * - no password is on the stack or FLAGS_PROMPT_ALWAYS is set
|
|
+ * - PAM_CLI_FLAGS_USE_FIRST_PASS is not set
|
|
+ * - no password is on the stack or PAM_CLI_FLAGS_PROMPT_ALWAYS is set
|
|
* - preauth indicator file exists.
|
|
*/
|
|
- if ( !(flags & FLAGS_USE_FIRST_PASS)
|
|
+ if ( !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
|
|
&& (pi.pam_authtok == NULL
|
|
- || (flags & FLAGS_PROMPT_ALWAYS))
|
|
+ || (flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))
|
|
&& access(PAM_PREAUTH_INDICATOR, F_OK) == 0) {
|
|
pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH,
|
|
quiet_mode);
|
|
@@ -2443,14 +2434,14 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
|
* The means the preauth step has to be done here as well but
|
|
* only if
|
|
* - PAM_PRELIM_CHECK is set
|
|
- * - FLAGS_USE_FIRST_PASS is not set
|
|
- * - no password is on the stack or FLAGS_PROMPT_ALWAYS is set
|
|
+ * - PAM_CLI_FLAGS_USE_FIRST_PASS is not set
|
|
+ * - no password is on the stack or PAM_CLI_FLAGS_PROMPT_ALWAYS is set
|
|
* - preauth indicator file exists.
|
|
*/
|
|
if ( (pam_flags & PAM_PRELIM_CHECK)
|
|
- && !(flags & FLAGS_USE_FIRST_PASS)
|
|
+ && !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
|
|
&& (pi.pam_authtok == NULL
|
|
- || (flags & FLAGS_PROMPT_ALWAYS))
|
|
+ || (flags & PAM_CLI_FLAGS_PROMPT_ALWAYS))
|
|
&& access(PAM_PREAUTH_INDICATOR, F_OK) == 0) {
|
|
pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH,
|
|
quiet_mode);
|
|
@@ -2497,11 +2488,11 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
|
|
|
pam_status = send_and_receive(pamh, &pi, task, quiet_mode);
|
|
|
|
- if (flags & FLAGS_IGNORE_UNKNOWN_USER
|
|
+ if (flags & PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER
|
|
&& pam_status == PAM_USER_UNKNOWN) {
|
|
pam_status = PAM_IGNORE;
|
|
}
|
|
- if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL
|
|
+ if (flags & PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL
|
|
&& pam_status == PAM_AUTHINFO_UNAVAIL) {
|
|
pam_status = PAM_IGNORE;
|
|
}
|
|
@@ -2581,7 +2572,7 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
|
retry = true;
|
|
retries--;
|
|
|
|
- flags &= ~FLAGS_USE_FIRST_PASS;
|
|
+ flags &= ~PAM_CLI_FLAGS_USE_FIRST_PASS;
|
|
ret = pam_set_item(pamh, PAM_AUTHTOK, NULL);
|
|
if (ret != PAM_SUCCESS) {
|
|
D(("Failed to unset PAM_AUTHTOK [%s]",
|
|
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
|
|
index 24d28ed..3404715 100644
|
|
--- a/src/sss_client/sss_cli.h
|
|
+++ b/src/sss_client/sss_cli.h
|
|
@@ -365,6 +365,15 @@ enum pam_item_type {
|
|
SSS_PAM_ITEM_REQUESTED_DOMAINS,
|
|
};
|
|
|
|
+#define PAM_CLI_FLAGS_USE_FIRST_PASS (1 << 0)
|
|
+#define PAM_CLI_FLAGS_FORWARD_PASS (1 << 1)
|
|
+#define PAM_CLI_FLAGS_USE_AUTHTOK (1 << 2)
|
|
+#define PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
|
|
+#define PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4)
|
|
+#define PAM_CLI_FLAGS_USE_2FA (1 << 5)
|
|
+#define PAM_CLI_FLAGS_ALLOW_MISSING_NAME (1 << 6)
|
|
+#define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7)
|
|
+
|
|
#define SSS_NSS_MAX_ENTRIES 256
|
|
#define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4)
|
|
struct sss_cli_req_data {
|
|
--
|
|
2.9.5
|
|
|