a409fd64abcf67159a69eba7971231e0901b4e8c |
|
23-Jan-2018 |
Sumit Bose <sbose@redhat.com> |
pam_sss: password change with two factor authentication
If two factor authentication is enforced both authentication factors are
needed to update or change the long term password. This means that
during the PAM chauthtok operation it has to be determined if two factor
authentication is enabled for the user and the user must be prompted
accordingly.
Typically in the first step of the chauthtok operation (PAM_PRELIM_CHECK)
the current password is verified before asking the user for a new
password. With two factor authentication this has to be skipped because
the one-time factor would then be invalid to authenticate the actual
password change.
Related to https://pagure.io/SSSD/sssd/issue/3585
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
06c2300353faf3983e38fecb1d6afe1f6cc8fe32 |
|
13-Nov-2017 |
Sumit Bose <sbose@redhat.com> |
pam: add prompt string for certificate authentication
A new certificate attribute is added which contains a string which is
used in the certificate selection list displayed to the user. The
Subject-DN of the certificate is used here because it is present in all
certificates and in general differs for certificates with different usages.
libsss_certmap is used to extract the subject-DN from the certificate
and convert it into a string.
Related to https://pagure.io/SSSD/sssd/issue/3560
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Tested-by: Scott Poore <spoore@redhat.com> |
122830e67472390b41edc73f0cfcd5c5705b726b |
|
13-Nov-2017 |
Sumit Bose <sbose@redhat.com> |
pam_sss: refactoring, use struct cert_auth_info
Similar to the PAM responder this patch replaces the individual
certificate authentication related attributes by a struct which can be
used as a list. With this pam_sss can handle multiple SSS_PAM_CERT_INFO
messages and place the data in individual list items.
If multiple certificates are returned before prompting for the PIN a
dialog to select a certificate is shown to the user. If available a GDM
PAM extension is used to let the user choose from a list. All code
needed at runtime to check if the extension is available and handle the
data is provided by GDM as macros. This means that there are no
additional run-time requirements.
Related to https://pagure.io/SSSD/sssd/issue/3560
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Tested-by: Scott Poore <spoore@redhat.com> |
818d01b4a0d332fff06db33c0c985b8c0f1417c7 |
|
13-Jun-2017 |
Lukas Slebodnik <lslebodn@redhat.com> |
pam_sss: Fix leaking of memory in case of failures
Found by coverity.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
c62dc2ac02253e130991db0f6acd60ce1a2753f1 |
|
05-Jun-2017 |
Lukas Slebodnik <lslebodn@redhat.com> |
pam_sss: Fix checking of empty string cert_user
src/sss_client/pam_sss.c: In function ‘eval_response’:
src/sss_client/pam_sss.c:998:64: error: comparison between pointer and zero character constant [-Werror=pointer-compare]
if (type == SSS_PAM_CERT_INFO && pi->cert_user == '\0') {
^~
src/sss_client/pam_sss.c:998:50: note: did you mean to dereference the pointer?
if (type == SSS_PAM_CERT_INFO && pi->cert_user == '\0') {
^
src/sss_client/pam_sss.c:1010:42: error: comparison between pointer and zero character constant [-Werror=pointer-compare]
&& pi->cert_user != '\0') {
^~
src/sss_client/pam_sss.c:1010:28: note: did you mean to dereference the pointer?
&& pi->cert_user != '\0') {
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
a192a1d72e92dae3e71e062b333e51a5095a0395 |
|
01-Jun-2017 |
Sumit Bose <sbose@redhat.com> |
pam_sss: add support for SSS_PAM_CERT_INFO_WITH_HINT
The new response type SSS_PAM_CERT_INFO_WITH_HINT is equivalent to
SSS_PAM_CERT_INFO but tells pam_sss to prompt for an optional user name as
well.
Resolves:
https://pagure.io/SSSD/sssd/issue/3395
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
6dd271fdcf6ceb0afd77e703c98897672da3671a |
|
02-Mar-2017 |
Sumit Bose <sbose@redhat.com> |
pam: use authtok from PAM stack if available
With this patch the behavior of pam_sss is slightly changed to be more
similar to the behavior of other PAM modules. Currently pam_sss expects
that there is an authtok (password) on the PAM stack if the
'use_first_pass' option was used. Without the option pam_sss
unconditionally prompts for credentials.
With this patch pam_sss will use an authtok from the PAM stack even if
'use_first_pass' is not set but it will assume that it is a password. To
return to the previous behavior the new 'prompt_always' can be used.
Resolves:
https://pagure.io/SSSD/sssd/issue/2984
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
52f45837ded98564968da42229b37db6a36ad627 |
|
23-Feb-2017 |
Sumit Bose <sbose@redhat.com> |
pam: enhance Smartcard authentication token
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
ead25e32c52c8c2f5fd9abd179e9e81de58f9ca3 |
|
23-Feb-2017 |
Sumit Bose <sbose@redhat.com> |
p11: return name of PKCS#11 module and key id to pam_sss
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
327a16652bbafbb77b5b90cc7abac3ded7c14364 |
|
23-Feb-2017 |
Sumit Bose <sbose@redhat.com> |
PAM: fix memory leak in pam_sss
Since there can be multiple round trips between the PAM client and SSSD
it might be possible that the same data is sent multiple times by SSSD.
So before overriding the old data it should be freed. I've seen this
with the domain name which is sent both in the pre-auth and the auth
responses. To be on the safe side I added free() for some other items as
well.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
0965a77c4ff0b358d24582955cb7ae375ebaa0d2 |
|
22-Feb-2017 |
Sumit Bose <sbose@redhat.com> |
pam_sss: check conversation callback
With this patch pam_sss checks if a conversation callback is available
before using it.
Resolves https://fedorahosted.org/sssd/ticket/3296
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
cbb0e683ff11d7800328da3991f3e75ef88f937f |
|
01-Feb-2017 |
Lukas Slebodnik <lslebodn@redhat.com> |
pam_sss: Suppress warning format-truncation
src/sss_client/pam_sss.c: In function ‘send_and_receive’:
src/sss_client/pam_sss.c:742:39: error: ‘%.*s’ directive output
between 0 and 18446744073709551615 bytes may cause result to exceed
‘INT_MAX’ [-Werror=format-truncation=]
ret = snprintf(user_msg, bufsize, "%s%s%.*s",
^~~~~~~~~~
sssd/src/sss_client/pam_sss.c:742:39: note: assuming directive output
of 4294967295 bytes
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
a8631161c47cbaefe7fd14b88202238bbdcc3dc8 |
|
19-Sep-2016 |
Sumit Bose <sbose@redhat.com> |
PAM: call free only when memory is expected to be allocated
Reported by Coverity
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
35ba922bc51416f02877b53a6f25c04104ae5f03 |
|
16-Sep-2016 |
Sumit Bose <sbose@redhat.com> |
pam_sss: check PKCS11_LOGIN_TOKEN_NAME
Check if PKCS11_LOGIN_TOKEN_NAME is set and prompt the user if the
matching Smartcard is not inserted.
Related to https://fedorahosted.org/sssd/ticket/3165
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
78027feeb56d6fe216f699be86a4716aaef3f628 |
|
07-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
PAM/KRB5: optional otp and password prompting
Depending on the available Kerberos pre-authentication methods pam_sss
will prompt the user for a password, 2 authentication factors or both.
Resolves https://fedorahosted.org/sssd/ticket/2988
Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
325ed9f92f1ea1f348fd7913229faecf3dc1d40b |
|
09-Jun-2016 |
Sumit Bose <sbose@redhat.com> |
PAM: add pam_sss option allow_missing_name
With this option SSSD can be used with the gdm Smartcard feature.
Resolves:
https://fedorahosted.org/sssd/ticket/2941
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
957e0a8675359d90fa50067b704578d01f565bba |
|
14-Mar-2016 |
Sumit Bose <sbose@redhat.com> |
pam_sss: reorder pam_message array
There are different expectations about how the pam_message array is
organized, details can be found in the pam_conv man page. E.g. sudo was
not able to handle the Linux-PAM style but expected the Solaris PAM
style. With this patch both styles should work as expected.
Resolves https://fedorahosted.org/sssd/ticket/2971
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
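The two array layouts named in the commit above, as an added example (not SSSD's own code): pam_conv(3) readers either index an array of pointers (Linux-PAM style, `msg[i]->msg`) or treat `*msg` as one contiguous array of structs (Solaris style, `(*msg)[i].msg`). Allocating the structs in one block and pointing every pointer at the matching element satisfies both readers. The function names are hypothetical and the `struct pam_message` definition is a local stand-in for the one in `<security/pam_appl.h>`, so the block builds without the PAM headers.

```c
/* Added example, not SSSD code: a pam_message array readable in both the
 * Linux-PAM and the Solaris style described in pam_conv(3). */
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for the Linux-PAM definition; in real code include
 * <security/pam_appl.h> and use PAM_PROMPT_ECHO_OFF etc. for msg_style. */
struct pam_message {
    int msg_style;
    const char *msg;
};

/* Returns a freshly allocated pointer array whose element i points at
 * element i of one contiguous block of structs; NULL on failure or n == 0. */
struct pam_message **build_pam_messages(const int *styles, const char **texts, size_t n)
{
    if (n == 0) return NULL;
    struct pam_message **ptrs = calloc(n, sizeof(*ptrs));
    struct pam_message *block = calloc(n, sizeof(*block));
    if (ptrs == NULL || block == NULL) { free(ptrs); free(block); return NULL; }
    for (size_t i = 0; i < n; i++) {
        block[i].msg_style = styles[i];
        block[i].msg = texts[i];
        ptrs[i] = &block[i];   /* pointer i aliases element i of the block */
    }
    return ptrs;
}

void free_pam_messages(struct pam_message **ptrs)
{
    if (ptrs == NULL) return;
    free(ptrs[0]);   /* the contiguous block starts at element 0 */
    free(ptrs);
}

/* How a Linux-PAM conversation function reads entry i (real conv functions
 * receive const struct pam_message **). */
const char *linux_pam_text(struct pam_message **msg, size_t i) { return msg[i]->msg; }

/* How a Solaris-style conversation function (e.g. sudo) reads entry i. */
const char *solaris_pam_text(struct pam_message **msg, size_t i) { return (*msg)[i].msg; }

/* Returns 1 when both readers see the same constructed entries, else 0. */
int both_styles_agree(void)
{
    const int styles[] = { 1, 4, 2 };   /* constructed sample style values */
    const char *texts[] = { "Password: ", "Warning: password expires soon",
                            "Second factor: " };
    size_t n = sizeof(texts) / sizeof(texts[0]);
    struct pam_message **m = build_pam_messages(styles, texts, n);
    if (m == NULL) return 0;
    int ok = 1;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(linux_pam_text(m, i), texts[i]) != 0 ||
            strcmp(solaris_pam_text(m, i), texts[i]) != 0 ||
            m[i]->msg_style != styles[i] || (*m)[i].msg_style != styles[i]) {
            ok = 0;
        }
    }
    free_pam_messages(m);
    return ok;
}
```

The only invariant a conversation caller has to keep is `ptrs[i] == &ptrs[0][i]`; freeing goes through `ptrs[0]` because that is where the single block was allocated.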
11e8f3ecdddf8edd8b1bbe9f41b49ce8b709b92a |
|
31-Aug-2015 |
Petr Cech <pcech@redhat.com> |
UTIL: Function 2string for enum sss_cli_command
Improvement of debug messages.
Instead of: "(0x0400): Running command [17]..."
We could see: "(0x0400): Running command [17][SSS_NSS_GETPWNAM]..."
(It's not used in sss_client. There are only hex numbers of commands.)
Resolves:
https://fedorahosted.org/sssd/ticket/2708
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
5242964d275d0b2e96c9b0d1f8a9958c85d566fc |
|
31-Jul-2015 |
Sumit Bose <sbose@redhat.com> |
pam_sss: add sc support
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
bf6c3f07d653d474da9e43b2b7cced57fc4ea069 |
|
08-May-2015 |
Sumit Bose <sbose@redhat.com> |
pam_sss: move message encoding into separate file
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
e5698314b87e147c0223d0d8bcac206733dfae8c |
|
08-May-2015 |
Sumit Bose <sbose@redhat.com> |
pam_sss: add pre-auth and 2fa support
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
bc052ea17d858c19f9cb9c9e2bc602e754f68831 |
|
08-May-2015 |
Sumit Bose <sbose@redhat.com> |
utils: add sss_authtok_[gs]et_2fa
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
50afd8b1dd782820fa31240e958df38c915ba5af |
|
26-Mar-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
pam_client: fix casting to const pointer
src/sss_client/pam_sss.c:1461:73:
error: cast from 'int **' to 'const void **' must have all
intermediate pointers const qualified to be safe [-Werror,-Wcast-qual]
pam_get_data(pamh, "pam_sss:password_expired_flag", (const void **) &exp_data);
^
Reviewed-by: Sumit Bose <sbose@redhat.com> |
cac22be9e58abdcf6c3bf66190fba0f7cb6f490e |
|
02-Mar-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
Remove useless assignment to function parameter
Reported by: cppcheck
void free_fun(struct info *info)
free(info->name);
free(info);
info = NULL;
^^^^^^^^^^^
Assignment to function parameter has no effect outside the function.
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
e039f1aefecc65a7b3c2d4a13a612bff1dd367c8 |
|
23-Feb-2015 |
Pavel Reichl <preichl@redhat.com> |
PAM: new option pam_account_expired_message
This option sets the string to be printed when authenticating using SSH
keys and the account is expired.
Resolves:
https://fedorahosted.org/sssd/ticket/2050
Reviewed-by: Sumit Bose <sbose@redhat.com> |
a61d6d01a4e89ec14175af135e84f1cac55af748 |
|
23-Feb-2015 |
Pavel Reichl <preichl@redhat.com> |
PAM: do not reject abruptly
If the account has expired then pass a message.
Resolves:
https://fedorahosted.org/sssd/ticket/2050
Reviewed-by: Sumit Bose <sbose@redhat.com> |
134bff159119b0f62492133983ba637957e26fab |
|
13-Dec-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
PAM: Missing argument to domains= should fail auth
When the administrator sets the domains= list, he usually wants to
restrict the set of domains. An empty list is an undefined configuration
and it's safer to fail then.
https://fedorahosted.org/sssd/ticket/2516
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
2368a0fc19bcd56581eccd8397289e4513a383a5 |
|
07-Nov-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
PAM: Remove authtok from PAM stack with OTP
We remove the password from the PAM stack when OTP is used to make sure
that other pam modules (pam-gnome-keyring, pam_mount) cannot use it anymore
and have to request a password on their own.
Resolves:
https://fedorahosted.org/sssd/ticket/2287
Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com> |
663fd9bcdcc6b299785ba3434532cd7e6c462bff |
|
29-Sep-2014 |
Daniel Gollub <dgollub at brocade.com> |
PAM: Add domains= option to pam_sss
Design document:
https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM
Fixes:
https://fedorahosted.org/sssd/ticket/1021
Signed-off-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Sven-Thorsten Dietrich <sven@brocade.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
93760585cc6a9b403ede0211f517adfba713d5c9 |
|
09-Jul-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
PAM: Test right variable after calling sss_atomic_read_s
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
ffa42f689dded74b0c0b0451bff3516bc4003179 |
|
03-Jun-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
PAM: add ignore_authinfo_unavail option
Resolves:
https://fedorahosted.org/sssd/ticket/2232
Reviewed-by: Sumit Bose <sbose@redhat.com> |
683e1f67d08be7165ea456d4594c4c8a4eddc9b3 |
|
03-Jun-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
PAM: Define compatible macros for some functions.
Functions pam_vsyslog and pam_modutil_getlogin are not available in openpam.
This patch conditionally defines macros for these functions if they are not
available. Compatible macros use the standard functions vsyslog and getlogin.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
81d6673764c4e2f635482be1efd52eba3ab5a27f |
|
03-Jun-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
PAM: Include header file security/pam_appl.h
We need this file for the declaration of the PAM functions
pam_get_item, pam_putenv, pam_set_data, pam_strerror, pam_set_item.
There is already a test in the configure script for this header file,
but it was not included in pam_sss.c.
sh-4.2$ git grep pam_appl.h
src/external/pam.m4:AC_CHECK_HEADERS([security/pam_appl.h ...
src/providers/data_provider_be.c:#include <security/pam_appl.h>
src/providers/proxy/proxy.h:#include <security/pam_appl.h>
src/providers/proxy/proxy_child.c:#include <security/pam_appl.h>
src/responder/pam/pamsrv.h:#include <security/pam_appl.h>
src/sss_client/pam_test_client.c:#include <security/pam_appl.h>
src/util/auth_utils.h:#include <security/pam_appl.h>
Reviewed-by: Sumit Bose <sbose@redhat.com> |
a4b2352c97053c79fd0d78d0dd647beed69b17e5 |
|
18-May-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
PAM: macro PAM_DATA_REPLACE isn't available in openpam.
This part was introduced in commit dba7903ba7fc04bc331004b0453938c116be3663
"PAM: close socket fd with pam_set_data"
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
3983d81f461a4f17736a516eb595f54df4bf4336 |
|
26-Mar-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
KRB5: Do not attempt to get a TGT after a password change using OTP
https://fedorahosted.org/sssd/ticket/2271
The current krb5_child code attempts to get a TGT for the convenience of
the user using the new password after a password change operation.
However, an OTP should never be used twice, which means we can't perform
the kinit operation after chpass is finished. Instead, we only print a
PAM informational message instructing the user to log out and back in manually.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> |
d987dba42894aceff106d557b13812092028cc29 |
|
14-Mar-2014 |
Pete Fritchman <pfritchman@fxcm.com> |
PAM: add ignore_unknown_user option
https://fedorahosted.org/sssd/ticket/2232
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
441c0f5e1e05db77c62f3281525345ff322b0a65 |
|
07-Mar-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
PAM: Test return value of strdup
Warnings reported by Coverity (12463,12464)
Dereferencing a pointer that might be null pi->pam_authtok when calling strlen.
Dereferencing a pointer that might be null action when calling strncmp.
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> |
88ca28caa4675026d4ab222c9e4ef635da57f610 |
|
24-Jan-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
CLIENT: Remove unused macros
PAM_SM_AUTH, PAM_SM_ACCOUNT, PAM_SM_SESSION, PAM_SM_PASSWORD
I cannot find in git history where these macros were used. |
a171d77f40aa92e240e91aa4bafe5a392a98b5a2 |
|
03-Dec-2013 |
Michal Zidek <mzidek@redhat.com> |
sss_client: Use SAFEALIGN_COPY_<type> macros where appropriate.
resolves:
https://fedorahosted.org/sssd/ticket/1359 |
0bc28fce13b2e6616892d71a55b7765b8b7b7e74 |
|
15-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
sss_client: Use SAFEALIGN_SETMEM_<type> macros where appropriate.
https://fedorahosted.org/sssd/ticket/1359 |
8445e39d8e154523b1c39ce701830dacef51d1e9 |
|
12-Oct-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
PAM: fix handling the client fd in pam destructor
* Protect the fd with a mutex when closing
* Set it to a safe value after closing |
dba7903ba7fc04bc331004b0453938c116be3663 |
|
11-Oct-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
PAM: close socket fd with pam_set_data
https://fedorahosted.org/sssd/ticket/1569 |
300c772767c1b12077cac1d148ac89738b058f97 |
|
27-Jul-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Write SELinux config files in responder instead of PAM module |
7016947229edcaa268a82bf69fde37e521b13233 |
|
27-Jul-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Move SELinux processing from session to account PAM stack
The idea is to rename session provider to selinux provider. Processing
of SELinux rules has to be performed in account stack in order to ensure
that pam_selinux (which is the first module in PAM session stack) will
get the correct input from SSSD.
Processing of account PAM stack is bound to access provider. That means
we need to have two providers executed when SSS_PAM_ACCT_MGMT message
is received from PAM responder. Change in data_provider_be.c ensures
just that - after access provider finishes its actions, the control is
given to selinux provider and only after this provider finishes is the
result returned to PAM responder. |
42ea38d7d06673bf6dc16ccfbd19e27f0a696b28 |
|
15-Jun-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
SSS_CLIENT: Fix uninitialized value error
This would cause a crash if we jump to the done: label before it
has been allocated. |
1268a628a26a21efabeb97d2619933d1c1b2d979 |
|
14-Jun-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Provide "service filter" for SELinux context
At this moment we will support only asterisk, designating "all
services".
https://fedorahosted.org/sssd/ticket/1360 |
95cc95749a5e783f2b5d2124d783f85820baf937 |
|
22-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
Always use positional arguments in translatable strings
https://fedorahosted.org/sssd/ticket/1336 |
3c6a4eead4e9186d0ea2e9ac7092f1a7a9e0bf6d |
|
02-May-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
PAM_SSS: report error code if write fails
clang had reported this as "value of ret is never used", I think it
would be nice to report a meaningful error message. |
9d7d4458d94d0aac0a7edf999368eb18f89cb76a |
|
20-Apr-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Convert read and write operations to sss_atomic_read
https://fedorahosted.org/sssd/ticket/1209 |
a330324ee6a4ea148b56c7bd8c2cecadb3230968 |
|
18-Apr-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
pam_sss: improve error handling in SELinux code |
8d821f0508f495deb376617c165cbcbf396a058a |
|
23-Feb-2012 |
Simo Sorce <simo@redhat.com> |
pam_sss: keep selinux optional
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com> |
5c8f19954c49a738b825d8752d25baf752723bea |
|
13-Feb-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
Fix missing NULL check after malloc
Coverity #12528 |
264bbfed9f2cdb05d9e017e9e3307f37edb4c1da |
|
06-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
SELinux support in PAM module |
a63aee266c6d41216c606c2efa459f9477875cc7 |
|
08-Dec-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Fixed incorrect return code in PAM client
The original return code when SSSD was not running was system_err, now
it is authinfo_unavail.
https://fedorahosted.org/sssd/ticket/1011 |
ac3a1f3da772cf101101c31675c63dc3549b21b5 |
|
22-Nov-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Cleanup: Remove unused parameters |
1f6ef3004e260f0cbad79f61c42200b5f737fd91 |
|
20-Sep-2011 |
Pavel Březina <pbrezina@redhat.com> |
Added quiet option to pam_sss
https://fedorahosted.org/sssd/ticket/894 |
0fc334e130cb3ca30c29c2f5d8c378393ad0d072 |
|
23-May-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Import config.h earlier
On RHEL 5 and other older platforms, failing to set _GNU_SOURCE
early would cause some functions - such as strndup() - to be
unavailable. |
324fb26ba803a999bedc29e93c46c84f27abf5b7 |
|
23-May-2011 |
Sumit Bose <sbose@redhat.com> |
Set _GNU_SOURCE globally |
66e691ceeee4cca739fc2606f1b357bbff4a3440 |
|
11-Feb-2011 |
Simo Sorce <ssorce@redhat.com> |
Use neutral name for functions used by both pam and nss |
1b36cbb287b53fca6b0070f1e2ca0e3f1f56946b |
|
17-Dec-2010 |
Simo Sorce <ssorce@redhat.com> |
Fix wrong test in pam_sss |
3da2609d20eb5cbb05f212e13baa040bf7cf02fa |
|
16-Dec-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Fix segfault for PAM_TEXT_INFO conversations |
ad6c0f29d78f2ce5d84d5e3d80e56152eac1b9d4 |
|
15-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Fix possible memory leak in do_pam_conversation
https://fedorahosted.org/sssd/ticket/731 |
e404ac6b8c5b78a102e20320133706f5efa66b12 |
|
14-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Fix improper bit manipulation in pam_sss
https://fedorahosted.org/sssd/ticket/715 |
1ebddb7c2498f715f108b8721fa5fc8d4892e14d |
|
15-Nov-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Fix cast warning for pam_sss.c |
4b498111c49b254e9aa5e2b0d4fcc1ba24a04236 |
|
15-Nov-2010 |
Sumit Bose <sbose@redhat.com> |
Avoid long long in messages to PAM client use int64_t |
06247775aa9c49ffce72827921eb45e2d04c6aa1 |
|
10-Jun-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Properly handle read() and write() throughout the SSSD
We need to guarantee at all times that reads and writes complete
successfully. This means that they must be checked for returning
EINTR and EAGAIN, and all writes must be wrapped in a loop to
ensure that they do not truncate their output. |
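The read/write discipline this commit asks for, as an added example (not SSSD's own code, and not its sss_atomic_read_s/write helpers): retry on EINTR, wait with poll() when a non-blocking descriptor reports EAGAIN/EWOULDBLOCK, and keep looping until every byte has moved, so a short write cannot truncate a message and an interrupted call cannot silently drop part of it. The function names are hypothetical; the self-check uses a pipe and a constructed payload.

```c
/* Added example, not SSSD code: complete-or-fail read and write loops. */
#include <errno.h>
#include <poll.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Wait until fd is ready for the given event, retrying poll() on EINTR. */
static int wait_ready(int fd, short events)
{
    struct pollfd pfd = { .fd = fd, .events = events };
    for (;;) {
        int ret = poll(&pfd, 1, -1);
        if (ret > 0) return 0;
        if (ret < 0 && errno == EINTR) continue;
        return -1;
    }
}

/* Write exactly len bytes; returns len on success, -1 on a hard error. */
ssize_t write_all(int fd, const void *buf, size_t len)
{
    const unsigned char *p = buf;
    size_t done = 0;
    while (done < len) {
        ssize_t n = write(fd, p + done, len - done);
        if (n > 0) { done += (size_t)n; continue; }   /* short write: keep going */
        if (n == 0) { errno = EIO; return -1; }        /* not expected for len > 0 */
        if (errno == EINTR) continue;                  /* signal: retry the call */
        if (errno == EAGAIN || errno == EWOULDBLOCK) { /* non-blocking fd is full */
            if (wait_ready(fd, POLLOUT) < 0) return -1;
            continue;
        }
        return -1;
    }
    return (ssize_t)done;
}

/* Read up to len bytes, stopping early only at EOF; returns bytes read or -1. */
ssize_t read_all(int fd, void *buf, size_t len)
{
    unsigned char *p = buf;
    size_t done = 0;
    while (done < len) {
        ssize_t n = read(fd, p + done, len - done);
        if (n == 0) break;                             /* EOF: peer closed */
        if (n > 0) { done += (size_t)n; continue; }
        if (errno == EINTR) continue;
        if (errno == EAGAIN || errno == EWOULDBLOCK) {
            if (wait_ready(fd, POLLIN) < 0) return -1;
            continue;
        }
        return -1;
    }
    return (ssize_t)done;
}

/* Self-check over a pipe with a constructed payload of len bytes (at most
 * 4096 so the write cannot block on the pipe buffer); 1 if the bytes read
 * back equal the bytes written, 0 otherwise. */
int roundtrip_ok(size_t len)
{
    unsigned char out[4096], in[4096];
    int fds[2];
    if (len > sizeof(out) || pipe(fds) != 0) return 0;
    for (size_t i = 0; i < len; i++) out[i] = (unsigned char)(i * 7);
    int ok = write_all(fds[1], out, len) == (ssize_t)len;
    close(fds[1]);                                     /* EOF ends read_all */
    ok = ok && read_all(fds[0], in, sizeof(in)) == (ssize_t)len;
    ok = ok && memcmp(in, out, len) == 0;
    close(fds[0]);
    return ok;
}
```

A caller compares the return value against the length it asked for; anything less on the read side means the peer closed early, which a PAM client should treat as a failed exchange rather than parse a partial reply.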
e5196fd7da44e4ae04ab8b5d2e7191167762cf0b |
|
09-Jun-2010 |
Sumit Bose <sbose@redhat.com> |
Add a missing free() |
cd08e2f935f70ea884520793588b43ad8114465a |
|
09-Jun-2010 |
Sumit Bose <sbose@redhat.com> |
Avoid a potential double-free |
06c03627c81a5252420931383a68eb67ba551667 |
|
26-May-2010 |
Sumit Bose <sbose@redhat.com> |
Handle Krb5 password expiration warning |
3f70f0c29b85f2c3f660f5cb99f2854cc8c62c21 |
|
07-May-2010 |
Sumit Bose <sbose@redhat.com> |
Add retry option to pam_sss |
347c98433b0b12701fd8e8db6858bf7841845234 |
|
07-May-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Improve the offline authentication message |
cd13aab316d57c353df99962eba2fbaf13f5430f |
|
30-Apr-2010 |
Sumit Bose <sbose@redhat.com> |
Fix wrong return value
If there was a failure during a password change a wrong return value was
sent back to the PAM stack. |
bd290f62727b8903d889705a9d129ee6c9d62bc9 |
|
26-Apr-2010 |
Sumit Bose <sbose@redhat.com> |
Display a message if a password reset by root fails |
b843b55b1565176d9f27554d89e5e041b34c0dcf |
|
26-Apr-2010 |
Sumit Bose <sbose@redhat.com> |
Unset authentication tokens if password change fails |
ea0173fe8ba915960621454168651c62301833cb |
|
16-Apr-2010 |
Sumit Bose <sbose@redhat.com> |
Use SO_PEERCRED on the PAM socket
This is the second attempt to let the PAM client and the PAM responder
exchange their credentials, i.e. uid, gid and pid. Because this approach
does not require any message interchange between the client and the
server the protocol version number is not changed.
On the client side the connection is terminated if the responder is not
run by root. On the server side the effective uid and gid and the pid of
the client are available for future use.
The following additional changes are made by this patch:
- the checks of the ownership and the permissions on the PAM sockets are
enhanced
- internal error codes are introduced on the client side to generate
more specific log messages if an error occurs |
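The client-side check the commit describes, as an added example (not SSSD's own code): on Linux, SO_PEERCRED on a connected AF_UNIX socket returns the peer's pid, uid and gid without any message exchange, and the client can drop the connection when the peer is not running under the expected uid (root for the responder). Function names are hypothetical; the credential struct is declared locally with the same layout as Linux's `struct ucred` so the block does not depend on `_GNU_SOURCE` being visible to the first system header.

```c
/* Added example, not SSSD code: verify the peer of a UNIX socket with
 * SO_PEERCRED before trusting anything it sends (Linux-specific option). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Layout-compatible with Linux's struct ucred (pid, uid, gid). */
struct peer_cred {
    pid_t pid;
    uid_t uid;
    gid_t gid;
};

/* Fill *cred with the peer's credentials; 0 on success, -1 with errno set. */
int get_peer_cred(int fd, struct peer_cred *cred)
{
    socklen_t len = sizeof(*cred);
    memset(cred, 0, sizeof(*cred));
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, cred, &len) != 0) return -1;
    if (len != sizeof(*cred)) { errno = EPROTO; return -1; }
    return 0;
}

/* Client-side policy: keep the connection only if the peer runs as
 * expected_uid (0 for the responder). Returns 0 if accepted; otherwise
 * closes fd and returns -1, so an unverifiable peer is never talked to. */
int accept_peer_if_uid(int fd, uid_t expected_uid)
{
    struct peer_cred cred;
    if (get_peer_cred(fd, &cred) != 0 || cred.uid != expected_uid) {
        close(fd);
        return -1;
    }
    return 0;
}
```

The credentials reported are those in effect when the peer called connect(2), listen(2) or socketpair(2), so the check has to run on the connected descriptor, before the first request is written.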
80c8a4f94d54b23bce206fdd75ff2648977ce271 |
|
25-Mar-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Allow arbitrary-length PAM messages
The PAM standard allows for messages of any length to be returned
to the client. We were discarding all messages of length greater
than 255. This patch dynamically allocates the message buffers so
we can pass the complete message.
This resolves https://fedorahosted.org/sssd/ticket/432 |
dfc511c1226786cebbda35990bb7149dea5577b5 |
|
22-Mar-2010 |
Ralf Haferkamp <rhafer@suse.de> |
Improvements for LDAP Password Policy support
Display warnings about remaining grace logins and password
expiration to the user, when LDAP Password Policies are used.
Improved detection of whether LDAP Password Policies are supported by the
LDAP server. |
dcf257af0cc0ba8bb9d4ec2b311e5548459f6e72 |
|
15-Mar-2010 |
Ralf Haferkamp <rhafer@suse.de> |
Prompt for old password even when running as root
When changing an expired password (during e.g. login) the PAM module needs
to prompt for the old password even when running as root. |
ea38c85d4de7515fd946704c6dd56bb99198f033 |
|
15-Mar-2010 |
Ralf Haferkamp <rhafer@suse.de> |
Warn user about an expired password |
07a2e0b66a1c4688825e07fa88d37886fec4770c |
|
04-Mar-2010 |
George McCollister <georgem@novatech-llc.com> |
Define _GNU_SOURCE in pam_sss.c.
_GNU_SOURCE needs to be defined when using strndup.
Signed-off-by: George McCollister <georgem@novatech-llc.com> |
7343ee3d775303845e2528c676c59ef3582d6b27 |
|
23-Feb-2010 |
Sumit Bose <sbose@redhat.com> |
Handle expired passwords like other PAM modules
So far we handled expired passwords during authentication. Other PAM
modules typically detect expired passwords during account management and
return PAM_NEW_AUTHTOK_REQD if the password is expired and should be
changed. The PAM library then calls the change password routines. To
meet these standards pam_sss is changed accordingly.
As a result it is now possible to update an expired password via ssh if
sssd is running with PasswordAuthentication=yes. One drawback due to
limitations of PAM is that the user now has to type his current password
again before setting a new one. |
ba8937d83675c7d69808d1d3df8f823afdc5ce2a |
|
18-Feb-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Fix licensing issues for sss_client |
1c48b5a62f73234ed26bb20f0ab345ab61cda0ab |
|
18-Feb-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Rename server/ directory to src/
Also update BUILD.txt |