a8631161c47cbaefe7fd14b88202238bbdcc3dc8 |
|
19-Sep-2016 |
Sumit Bose <sbose@redhat.com> |
PAM: call free only when memory is expected to be allocated
Reported by Coverity
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
35ba922bc51416f02877b53a6f25c04104ae5f03 |
|
16-Sep-2016 |
Sumit Bose <sbose@redhat.com> |
pam_sss: check PKCS11_LOGIN_TOKEN_NAME
Check if PKCS11_LOGIN_TOKEN_NAME is set and prompt the user if the
matching Smartcard is not inserted.
Related to https://fedorahosted.org/sssd/ticket/3165
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
78027feeb56d6fe216f699be86a4716aaef3f628 |
|
07-Jul-2016 |
Sumit Bose <sbose@redhat.com> |
PAM/KRB5: optional otp and password prompting
Depending on the available Kerberos pre-authentication methods pam_sss
will prompt the user for a password, 2 authentication factors or both.
Resolves https://fedorahosted.org/sssd/ticket/2988
Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
325ed9f92f1ea1f348fd7913229faecf3dc1d40b |
|
09-Jun-2016 |
Sumit Bose <sbose@redhat.com> |
PAM: add pam_sss option allow_missing_name
With this option SSSD can be used with the gdm Smartcard feature.
Resolves:
https://fedorahosted.org/sssd/ticket/2941
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
957e0a8675359d90fa50067b704578d01f565bba |
|
14-Mar-2016 |
Sumit Bose <sbose@redhat.com> |
pam_sss: reorder pam_message array
There are different expectations about how the pam_message array is
organized, details can be found in the pam_conv man page. E.g. sudo was
not able to handle the Linux-PAM style but expected the Solaris PAM
style. With this patch both styles should work as expected.
Resolves https://fedorahosted.org/sssd/ticket/2971
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
11e8f3ecdddf8edd8b1bbe9f41b49ce8b709b92a |
|
31-Aug-2015 |
Petr Cech <pcech@redhat.com> |
UTIL: Function 2string for enum sss_cli_command
Improvement of debug messages.
Instead of: "(0x0400): Running command [17]..."
We could see: "(0x0400): Running command [17][SSS_NSS_GETPWNAM]..."
(It's not used in sss_client. There are only hex numbers of commands.)
Resolves:
https://fedorahosted.org/sssd/ticket/2708
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
5242964d275d0b2e96c9b0d1f8a9958c85d566fc |
|
31-Jul-2015 |
Sumit Bose <sbose@redhat.com> |
pam_sss: add sc support
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
bf6c3f07d653d474da9e43b2b7cced57fc4ea069 |
|
08-May-2015 |
Sumit Bose <sbose@redhat.com> |
pam_sss: move message encoding into separate file
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
e5698314b87e147c0223d0d8bcac206733dfae8c |
|
08-May-2015 |
Sumit Bose <sbose@redhat.com> |
pam_sss: add pre-auth and 2fa support
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
bc052ea17d858c19f9cb9c9e2bc602e754f68831 |
|
08-May-2015 |
Sumit Bose <sbose@redhat.com> |
utils: add sss_authtok_[gs]et_2fa
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
50afd8b1dd782820fa31240e958df38c915ba5af |
|
26-Mar-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
pam_client: fix casting to const pointer
src/sss_client/pam_sss.c:1461:73:
error: cast from 'int **' to 'const void **' must have all
intermediate pointers const qualified to be safe [-Werror,-Wcast-qual]
pam_get_data(pamh, "pam_sss:password_expired_flag", (const void **) &exp_data);
^
Reviewed-by: Sumit Bose <sbose@redhat.com> |
cac22be9e58abdcf6c3bf66190fba0f7cb6f490e |
|
02-Mar-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
Remove useless assignment to function parameter
Reported by: cppcheck
void free_fun(struct info *info)
free(info->name);
free(info);
info = NULL;
^^^^^^^^^^^
Assignment to function parameter has no effect outside the function.
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
e039f1aefecc65a7b3c2d4a13a612bff1dd367c8 |
|
23-Feb-2015 |
Pavel Reichl <preichl@redhat.com> |
PAM: new option pam_account_expired_message
This option sets string to be printed when authenticating using SSH
keys and account is expired.
Resolves:
https://fedorahosted.org/sssd/ticket/2050
Reviewed-by: Sumit Bose <sbose@redhat.com> |
a61d6d01a4e89ec14175af135e84f1cac55af748 |
|
23-Feb-2015 |
Pavel Reichl <preichl@redhat.com> |
PAM: do not reject abruptly
If account has expired then pass message.
Resolves:
https://fedorahosted.org/sssd/ticket/2050
Reviewed-by: Sumit Bose <sbose@redhat.com> |
134bff159119b0f62492133983ba637957e26fab |
|
13-Dec-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
PAM: Missing argument to domains= should fail auth
When the administrator sets the domains= list, he usually wants to
restrict the set of domains. An empty list is an undefined configuration
and it's safer to fail then.
https://fedorahosted.org/sssd/ticket/2516
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
2368a0fc19bcd56581eccd8397289e4513a383a5 |
|
07-Nov-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
PAM: Remove authtok from PAM stack with OTP
We remove the password from the PAM stack when OTP is used to make sure
that other pam modules (pam-gnome-keyring, pam_mount) cannot use it anymore
and have to request a password on their own.
Resolves:
https://fedorahosted.org/sssd/ticket/2287
Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com> |
663fd9bcdcc6b299785ba3434532cd7e6c462bff |
|
29-Sep-2014 |
Daniel Gollub <dgollub at brocade.com> |
PAM: Add domains= option to pam_sss
Design document:
https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM
Fixes:
https://fedorahosted.org/sssd/ticket/1021
Signed-off-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Sven-Thorsten Dietrich <sven@brocade.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
93760585cc6a9b403ede0211f517adfba713d5c9 |
|
09-Jul-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
PAM: Test right variable after calling sss_atomic_read_s
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
ffa42f689dded74b0c0b0451bff3516bc4003179 |
|
03-Jun-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
PAM: add ignore_authinfo_unavail option
Resolves:
https://fedorahosted.org/sssd/ticket/2232
Reviewed-by: Sumit Bose <sbose@redhat.com> |
683e1f67d08be7165ea456d4594c4c8a4eddc9b3 |
|
03-Jun-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
PAM: Define compatible macros for some functions.
Functions pam_vsyslog and pam_modutil_getlogin are not available in openpam.
This patch conditionally defines macros for these functions if they are not
available. The compatible macros use the standard functions vsyslog and getlogin.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
81d6673764c4e2f635482be1efd52eba3ab5a27f |
|
03-Jun-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
PAM: Include header file security/pam_appl.h
We need this file for the declaration of the pam functions
pam_get_item, pam_putenv, pam_set_data, pam_strerror, pam_set_item
There is already a test in the configure script for this header file,
but it was not included in pam_sss.c
sh-4.2$ git grep pam_appl.h
src/external/pam.m4:AC_CHECK_HEADERS([security/pam_appl.h ...
src/providers/data_provider_be.c:#include <security/pam_appl.h>
src/providers/proxy/proxy.h:#include <security/pam_appl.h>
src/providers/proxy/proxy_child.c:#include <security/pam_appl.h>
src/responder/pam/pamsrv.h:#include <security/pam_appl.h>
src/sss_client/pam_test_client.c:#include <security/pam_appl.h>
src/util/auth_utils.h:#include <security/pam_appl.h>
Reviewed-by: Sumit Bose <sbose@redhat.com> |
a4b2352c97053c79fd0d78d0dd647beed69b17e5 |
|
18-May-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
PAM: macro PAM_DATA_REPLACE isn't available in openpam.
This part was introduced in commit dba7903ba7fc04bc331004b0453938c116be3663
"PAM: close socket fd with pam_set_data"
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
3983d81f461a4f17736a516eb595f54df4bf4336 |
|
26-Mar-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
KRB5: Do not attempt to get a TGT after a password change using OTP
https://fedorahosted.org/sssd/ticket/2271
The current krb5_child code attempts to get a TGT for the convenience of
the user using the new password after a password change operation.
However, an OTP should never be used twice, which means we can't perform
the kinit operation after chpass is finished. Instead, we only print a
PAM information instructing the user to log out and back in manually.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com> |
d987dba42894aceff106d557b13812092028cc29 |
|
14-Mar-2014 |
Pete Fritchman <pfritchman@fxcm.com> |
PAM: add ignore_unknown_user option
https://fedorahosted.org/sssd/ticket/2232
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
441c0f5e1e05db77c62f3281525345ff322b0a65 |
|
07-Mar-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
PAM: Test return value of strdup
Warnings reported by Coverity (12463,12464)
Dereferencing a pointer that might be null pi->pam_authtok when calling strlen.
Dereferencing a pointer that might be null action when calling strncmp.
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> |
88ca28caa4675026d4ab222c9e4ef635da57f610 |
|
24-Jan-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
CLIENT: Remove unused macros
PAM_SM_AUTH, PAM_SM_ACCOUNT, PAM_SM_SESSION, PAM_SM_PASSWORD
I cannot find in git history where these macros were used. |
a171d77f40aa92e240e91aa4bafe5a392a98b5a2 |
|
03-Dec-2013 |
Michal Zidek <mzidek@redhat.com> |
sss_client: Use SAFEALIGN_COPY_<type> macros where appropriate.
resolves:
https://fedorahosted.org/sssd/ticket/1359 |
0bc28fce13b2e6616892d71a55b7765b8b7b7e74 |
|
15-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
sss_client: Use SAFEALIGN_SETMEM_<type> macros where appropriate.
https://fedorahosted.org/sssd/ticket/1359 |
8445e39d8e154523b1c39ce701830dacef51d1e9 |
|
12-Oct-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
PAM: fix handling the client fd in pam destructor
* Protect the fd with a mutex when closing
* Set it to a safe value after closing |
dba7903ba7fc04bc331004b0453938c116be3663 |
|
11-Oct-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
PAM: close socket fd with pam_set_data
https://fedorahosted.org/sssd/ticket/1569 |
300c772767c1b12077cac1d148ac89738b058f97 |
|
27-Jul-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Write SELinux config files in responder instead of PAM module |
7016947229edcaa268a82bf69fde37e521b13233 |
|
27-Jul-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Move SELinux processing from session to account PAM stack
The idea is to rename session provider to selinux provider. Processing
of SELinux rules has to be performed in account stack in order to ensure
that pam_selinux (which is the first module in PAM session stack) will
get the correct input from SSSD.
Processing of account PAM stack is bound to access provider. That means
we need to have two providers executed when SSS_PAM_ACCT_MGMT message
is received from PAM responder. Change in data_provider_be.c ensures
just that - after access provider finishes its actions, the control is
given to selinux provider and only after this provider finishes is the
result returned to PAM responder. |
42ea38d7d06673bf6dc16ccfbd19e27f0a696b28 |
|
15-Jun-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
SSS_CLIENT: Fix uninitialized value error
This would cause a crash if we jump to the done: label before it
has been allocated. |
1268a628a26a21efabeb97d2619933d1c1b2d979 |
|
14-Jun-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Provide "service filter" for SELinux context
At this moment we will support only asterisk, designating "all
services".
https://fedorahosted.org/sssd/ticket/1360 |
95cc95749a5e783f2b5d2124d783f85820baf937 |
|
22-May-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
Always use positional arguments in translatable strings
https://fedorahosted.org/sssd/ticket/1336 |
3c6a4eead4e9186d0ea2e9ac7092f1a7a9e0bf6d |
|
02-May-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
PAM_SSS: report error code if write fails
clang had reported this as "value of ret is never used"; I think it
would be nice to report a meaningful error message. |
9d7d4458d94d0aac0a7edf999368eb18f89cb76a |
|
20-Apr-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Convert read and write operations to sss_atomic_read
https://fedorahosted.org/sssd/ticket/1209 |
a330324ee6a4ea148b56c7bd8c2cecadb3230968 |
|
18-Apr-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
pam_sss: improve error handling in SELinux code |
8d821f0508f495deb376617c165cbcbf396a058a |
|
23-Feb-2012 |
Simo Sorce <simo@redhat.com> |
pam_sss: keep selinux optional
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com> |
5c8f19954c49a738b825d8752d25baf752723bea |
|
13-Feb-2012 |
Stephen Gallagher <sgallagh@redhat.com> |
Fix missing NULL check after malloc
Coverity #12528 |
264bbfed9f2cdb05d9e017e9e3307f37edb4c1da |
|
06-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
SELinux support in PAM module |
a63aee266c6d41216c606c2efa459f9477875cc7 |
|
08-Dec-2011 |
Jan Zeleny <jzeleny@redhat.com> |
Fixed incorrect return code in PAM client
The original return code when SSSD was not running was system_err, now
it is authinfo_unavail.
https://fedorahosted.org/sssd/ticket/1011 |
ac3a1f3da772cf101101c31675c63dc3549b21b5 |
|
22-Nov-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
Cleanup: Remove unused parameters |
1f6ef3004e260f0cbad79f61c42200b5f737fd91 |
|
20-Sep-2011 |
Pavel Březina <pbrezina@redhat.com> |
Added quiet option to pam_sss
https://fedorahosted.org/sssd/ticket/894 |
0fc334e130cb3ca30c29c2f5d8c378393ad0d072 |
|
23-May-2011 |
Stephen Gallagher <sgallagh@redhat.com> |
Import config.h earlier
On RHEL 5 and other older platforms, failing to set _GNU_SOURCE
early would cause some functions - such as strndup() - to be
unavailable. |
324fb26ba803a999bedc29e93c46c84f27abf5b7 |
|
23-May-2011 |
Sumit Bose <sbose@redhat.com> |
Set _GNU_SOURCE globally |
66e691ceeee4cca739fc2606f1b357bbff4a3440 |
|
11-Feb-2011 |
Simo Sorce <ssorce@redhat.com> |
Use neutral name for functions used by both pam and nss |
1b36cbb287b53fca6b0070f1e2ca0e3f1f56946b |
|
17-Dec-2010 |
Simo Sorce <ssorce@redhat.com> |
Fix wrong test in pam_sss |
3da2609d20eb5cbb05f212e13baa040bf7cf02fa |
|
16-Dec-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Fix segfault for PAM_TEXT_INFO conversations |
ad6c0f29d78f2ce5d84d5e3d80e56152eac1b9d4 |
|
15-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Fix possible memory leak in do_pam_conversation
https://fedorahosted.org/sssd/ticket/731 |
e404ac6b8c5b78a102e20320133706f5efa66b12 |
|
14-Dec-2010 |
Sumit Bose <sbose@redhat.com> |
Fix improper bit manipulation in pam_sss
https://fedorahosted.org/sssd/ticket/715 |
1ebddb7c2498f715f108b8721fa5fc8d4892e14d |
|
15-Nov-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Fix cast warning for pam_sss.c |
4b498111c49b254e9aa5e2b0d4fcc1ba24a04236 |
|
15-Nov-2010 |
Sumit Bose <sbose@redhat.com> |
Avoid long long in messages to PAM client, use int64_t |
06247775aa9c49ffce72827921eb45e2d04c6aa1 |
|
10-Jun-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Properly handle read() and write() throughout the SSSD
We need to guarantee at all times that reads and writes complete
successfully. This means that they must be checked for returning
EINTR and EAGAIN, and all writes must be wrapped in a loop to
ensure that they do not truncate their output. |
e5196fd7da44e4ae04ab8b5d2e7191167762cf0b |
|
09-Jun-2010 |
Sumit Bose <sbose@redhat.com> |
Add a missing free() |
cd08e2f935f70ea884520793588b43ad8114465a |
|
09-Jun-2010 |
Sumit Bose <sbose@redhat.com> |
Avoid a potential double-free |
06c03627c81a5252420931383a68eb67ba551667 |
|
26-May-2010 |
Sumit Bose <sbose@redhat.com> |
Handle Krb5 password expiration warning |
3f70f0c29b85f2c3f660f5cb99f2854cc8c62c21 |
|
07-May-2010 |
Sumit Bose <sbose@redhat.com> |
Add retry option to pam_sss |
347c98433b0b12701fd8e8db6858bf7841845234 |
|
07-May-2010 |
Jakub Hrozek <jhrozek@redhat.com> |
Improve the offline authentication message |
cd13aab316d57c353df99962eba2fbaf13f5430f |
|
30-Apr-2010 |
Sumit Bose <sbose@redhat.com> |
Fix wrong return value
If there was a failure during a password change, a wrong return value was
sent back to the PAM stack. |
bd290f62727b8903d889705a9d129ee6c9d62bc9 |
|
26-Apr-2010 |
Sumit Bose <sbose@redhat.com> |
Display a message if a password reset by root fails |
b843b55b1565176d9f27554d89e5e041b34c0dcf |
|
26-Apr-2010 |
Sumit Bose <sbose@redhat.com> |
Unset authentication tokens if password change fails |
ea0173fe8ba915960621454168651c62301833cb |
|
16-Apr-2010 |
Sumit Bose <sbose@redhat.com> |
Use SO_PEERCRED on the PAM socket
This is the second attempt to let the PAM client and the PAM responder
exchange their credentials, i.e. uid, gid and pid. Because this approach
does not require any message interchange between the client and the
server the protocol version number is not changed.
On the client side the connection is terminated if the responder is not
run by root. On the server side the effective uid and gid and the pid of
the client are available for future use.
The following additional changes are made by this patch:
- the checks of the ownership and the permissions on the PAM sockets are
enhanced
- internal error codes are introduced on the client side to generate
more specific log messages if an error occurs |
80c8a4f94d54b23bce206fdd75ff2648977ce271 |
|
25-Mar-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Allow arbitrary-length PAM messages
The PAM standard allows for messages of any length to be returned
to the client. We were discarding all messages of length greater
than 255. This patch dynamically allocates the message buffers so
we can pass the complete message.
This resolves https://fedorahosted.org/sssd/ticket/432 |
dfc511c1226786cebbda35990bb7149dea5577b5 |
|
22-Mar-2010 |
Ralf Haferkamp <rhafer@suse.de> |
Improvements for LDAP Password Policy support
Display warnings about remaining grace logins and password
expiration to the user, when LDAP Password Policies are used.
Improved detection if LDAP Password policies are supported by
LDAP Server. |
dcf257af0cc0ba8bb9d4ec2b311e5548459f6e72 |
|
15-Mar-2010 |
Ralf Haferkamp <rhafer@suse.de> |
Prompt for old password even when running as root
When changing an expired password (during e.g. login) the PAM module needs
to prompt for the old password even when running as root. |
ea38c85d4de7515fd946704c6dd56bb99198f033 |
|
15-Mar-2010 |
Ralf Haferkamp <rhafer@suse.de> |
Warn user about an expired password |
07a2e0b66a1c4688825e07fa88d37886fec4770c |
|
04-Mar-2010 |
George McCollister <georgem@novatech-llc.com> |
Define _GNU_SOURCE in pam_sss.c.
_GNU_SOURCE needs to be defined when using strndup.
Signed-off-by: George McCollister <georgem@novatech-llc.com> |
7343ee3d775303845e2528c676c59ef3582d6b27 |
|
23-Feb-2010 |
Sumit Bose <sbose@redhat.com> |
Handle expired passwords like other PAM modules
So far we handled expired passwords during authentication. Other PAM
modules typically detect expired passwords during account management and
return PAM_NEW_AUTHTOK_REQD if the password is expired and should be
changed. The PAM library then calls the change password routines. To
meet these standards pam_sss is changed accordingly.
As a result it is now possible to update an expired password via ssh if
sssd is running with PasswordAuthentication=yes. One drawback due to
limitations of PAM is that the user now has to type his current password
again before setting a new one. |
ba8937d83675c7d69808d1d3df8f823afdc5ce2a |
|
18-Feb-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Fix licensing issues for sss_client |
1c48b5a62f73234ed26bb20f0ab345ab61cda0ab |
|
18-Feb-2010 |
Stephen Gallagher <sgallagh@redhat.com> |
Rename server/ directory to src/
Also update BUILD.txt |