PAM: add certificate's label to the selection prompt Some types of Smartcards contain multiple certificate with the same subject-DN for different usages. To make it easier to choose between them in case the matching rules allow more than one of them for authentication the label assigned to the certificate on the Smartcard is shown in the selection prompt as well. Related to https://pagure.io/SSSD/sssd/issue/3560 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Tested-by: Scott Poore <spoore@redhat.com>

pam: filter certificates in the responder not in the child With the new selection option and the handling of multiple certificates in the PAM responder it is not needed anymore to filter the certificates in p11_child but the matching rules can be applied by the PAM responder directly. Related to https://pagure.io/SSSD/sssd/issue/3560 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Tested-by: Scott Poore <spoore@redhat.com>

PAM: handled multiple certs in the responder This patch refactors the handling of the certificate and the attributes to address the certificate on the Smartcard (module name, token name and key id). Instead of using individual variables the values are put into a new struct cert_auth_info. Since the new struct can be used as a list the PAM responder can now handle multiple certificates on the Smartcard and can send the needed data to pam_sss with multiple SSS_PAM_CERT_INFO messages. Unit tests are added to confirm the expected behavior. Related to https://pagure.io/SSSD/sssd/issue/3560 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Tested-by: Scott Poore <spoore@redhat.com>

p11_child: return multiple certs This patch refactors the handling of certificates in p11_child. Not only the first but all certificates suitable for authentication are returned. The PAM responder component calling p11_child is refactored to handle multiple certificate returned by p11_child but so far only returns the first one to its callers. Related to https://pagure.io/SSSD/sssd/issue/3560 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Tested-by: Scott Poore <spoore@redhat.com>

add_pam_cert_response: add support for SSS_PAM_CERT_INFO_WITH_HINT Related to https://pagure.io/SSSD/sssd/issue/3395 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

PAM: Add application services Related to: https://pagure.io/SSSD/sssd/issue/3310 Adds a new PAM responder option 'pam_app_services'. This option can hold a list of PAM services that are allowed to contact the application non-POSIX domains. These services are NOT allowed to contact any of the POSIX domains. Reviewed-by: Sumit Bose <sbose@redhat.com>

PAM: allow muliple users mapped to a certificate Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

PAM: Use cache_req to perform initgroups lookups PAM responder has been already taking advantage of the cache_req interface, so this patch is just replacing some code that performs initgroups lookups by using cache_req to do so. Resolves: https://fedorahosted.org/sssd/ticket/1126 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

p11: return name of PKCS#11 module and key id to pam_sss Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

PAM: forward Smartcard credentials to backends Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

PAM: store user object in the preq context Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

PAM: add pam_response_filter option Currently the main use-case for this new option is to not set the KRB5CCNAME environment varible for services like 'sudo-i'. Resolves https://fedorahosted.org/sssd/ticket/2296 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

PAM: add a test for filter_responses() Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

RESPONDER: Removing ncache from pam_ctx This patch switches ncache from pam_ctx to resp_ctx. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

RESPONDER: Removing neg_timeout from pam responder It removes neg_timeout parameter from struct pam_ctx. Timeout is handled by context of negative cache internally. This patch additioanlly removes neg_timeout from struct cache_req_state. Resolves: https://fedorahosted.org/sssd/ticket/2317 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

p11: enable ocsp checks This patch enables the Online Certificate Status Protocol in NSS and adds an option to disable it if needed. To make further tuning of certificate verification more easy it is not an option on its own but an option to the new certificate_verification configuration option. Resolves https://fedorahosted.org/sssd/ticket/2812 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

pam-srv-tests: Add UT for cached 'online' auth. Extend PAM responder unit test to check 'online' cached authentication. Resolves: https://fedorahosted.org/sssd/ticket/2697 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

PAM: add certificate support to PAM (pre-)auth requests Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

PAM: authenticate agains cache Enable authenticating users from cache even when SSSD is in online mode. Introduce new option `cached_auth_timeout`. Resolves: https://fedorahosted.org/sssd/ticket/1807 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

PAM: Move is_uid_trusted from pam_ctx to preq Keeping a per-request flag in a global structure is really dangerous. Reviewed-by: Sumit Bose <sbose@redhat.com>

PAM: new options pam_trusted_users & pam_public_domains pam_public_domains option is a list of numerical UIDs or user names that are trusted. pam_public_domains option is a list of domains accessible even for untrusted users. Based on: https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

PAM: remove ldb_result member from pam_auth_req context This member was used only in a single call where a local variable suits better.

Allocate PAM DP request data on responder context https://fedorahosted.org/sssd/ticket/1869 Currently the private data passed to the PAM request is a structure allocated on the client context. But in the odd case where the back end would be stopped or stuck until the idle timeout hits, the DP callback would access data that were freed when the client timed out. This patch introduces a new structure allocated on responder context, whose only purpose is to live as long as the request is active.

PAM: make initgroups timeout work across multiple clients Instead of timing out the initgroups lookup on a per-cctx basis, we will maintain a hash table of recently-seen users and use this instead. This will allow SSSD to handle user's logging into multiple services simultaneously more graciously, as well as playing nicer with SSH (which makes calls to PAM both before and after a fork). https://fedorahosted.org/sssd/ticket/1063

Update the ID cache for any PAM request Also adds an option to limit how often we check the ID provider, so that conversations with multiple PAM requests won't update the cache multiple times. https://fedorahosted.org/sssd/ticket/749

Honor filter_users in PAM

Remove dead code from the PAM responder

sysdb: convert sysdb_getpwnam

Rename server/ directory to src/ Also update BUILD.txt