ce43f710c9638fbbeae077559cd7514370a10c0c |
|
02-Nov-2016 |
Sumit Bose <sbose@redhat.com> |
PAM: add pam_response_filter option
Currently the main use-case for this new option is to not set the
KRB5CCNAME environment variable for services like 'sudo-i'.
Resolves https://fedorahosted.org/sssd/ticket/2296
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
c8fe1d922b254aa92e74f428135ada3c8bde87a1 |
|
02-Nov-2016 |
Sumit Bose <sbose@redhat.com> |
PAM: add a test for filter_responses()
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
3649b959709f1ab187092f054d4aace0798c98fa |
|
16-Sep-2016 |
Sumit Bose <sbose@redhat.com> |
p11: return a fully-qualified name
Related to https://fedorahosted.org/sssd/ticket/3165
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
71cd9f98150577224559bdc12c53c01ce6f2c3d9 |
|
16-Sep-2016 |
Sumit Bose <sbose@redhat.com> |
p11: only set PKCS11_LOGIN_TOKEN_NAME if gdm-smartcard is used
Resolves https://fedorahosted.org/sssd/ticket/3165
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
2b62d5a414b8b7dba4f714dc5033e28dc4b1f4fe |
|
07-Jul-2016 |
Jakub Hrozek <jhrozek@redhat.com> |
PAM: Use qualified names internally in the PAM responder
The name is converted from whatever we receive on input to the internal
format before processing the data further.
Reviewed-by: Sumit Bose <sbose@redhat.com> |
29071a9e2df823a2cdc13cea996ece1c996e1172 |
|
07-Jul-2016 |
Michal Zidek <mzidek@redhat.com> |
TESTS: Start fixing the PAM responder tests for fully qualified names in sysdb
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
4f3a9d837a55b49448eca3c713c85a406207e523 |
|
29-Jun-2016 |
Simo Sorce <simo@redhat.com> |
Responders: Make the client context more generic
This is useful to allow reusing the responder code with other protocols.
Store protocol data and responder state data behind opaque pointers and
use talloc_get_type to check they are of the right type.
This also allows to store per responder state_ctx so that, for example,
the autofs responder does not have to carry useless variables used only
by the nss responder.
Resolves:
https://fedorahosted.org/sssd/ticket/2918
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
ef045ad7616667e5d824d9ac326b461f9bb1d8cf |
|
17-Jun-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
pam-srv-tests: Fix warning unused-function
If pam-srv-tests is not built with NSS support then
certificate related tests are not executed and therefore
there is unused setup function pam_test_setup_no_verification.
src/tests/cmocka/test_pam_srv.c:323:12: error:
'pam_test_setup_no_verification' defined but not used
[-Werror=unused-function]
static int pam_test_setup_no_verification(void **state)
^
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
6574e41a8d1c2af293df2f57916628344eaa3560 |
|
10-Jun-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
pam-srv-tests: Increase cached_auth_timeout
The execution sysdb_cache_password_ex can be slow
due to function s3crypt_sha512 and valgrind slowdown.
Therefore 2 seconds timeout can be reached
in positive tests test_pam_cached_auth_success
and test_pam_cached_auth_success_combined_pw_with_cached_2fa
Resolves:
https://fedorahosted.org/sssd/ticket/2994
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
d86224608ff60ec5cc7e7cbf9e53d8a04e083530 |
|
09-Jun-2016 |
Sumit Bose <sbose@redhat.com> |
p11: add PKCS11_LOGIN_TOKEN_NAME environment variable
The PKCS11_LOGIN_TOKEN_NAME environment variable is e.g. used by the
Gnome Settings Daemon to determine the name of the token used for login.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
aa35995ef056aa8ae052a47c62c6750b7adf065e |
|
09-Jun-2016 |
Sumit Bose <sbose@redhat.com> |
p11: add no_verification option
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
8110a8e2369e49c288ede1473657be9451a244e5 |
|
11-May-2016 |
Petr Cech <pcech@redhat.com> |
RESPONDER: Removing ncache from pam_ctx
This patch switches ncache from pam_ctx to resp_ctx.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
4f87f99f95891ebc0814e4566fa2defb4359b008 |
|
11-May-2016 |
Petr Cech <pcech@redhat.com> |
RESPONDER: Removing neg_timeout from nss responder
Timeout of negative cache is handled by internal negative cache
context. This patch removes neg_timeout from struct nss_ctx.
Resolves:
https://fedorahosted.org/sssd/ticket/2317
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
39d36216a1692eee6cc5359f6c7ccaa7789be76d |
|
11-May-2016 |
Petr Cech <pcech@redhat.com> |
NEGCACHE: Adding timeout to struct sss_nc_ctx
It adds timeout of negative cache to handling
struct sss_nc_ctx.
There is one change in API of negative cache:
* int sss_ncache_init(TALLOC_CTX *memctx,
uint32_t timeout, <----- new
struct sss_nc_ctx **_ctx);
There is also one new function in common/responder:
* errno_t responder_get_neg_timeout_from_confdb(struct confdb_ctx *cdb,
uint32_t *ncache_timeout);
Resolves:
https://fedorahosted.org/sssd/ticket/2317
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
0f99ab0ad35700f7eff4809a7f4859635311ba6d |
|
28-Jan-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
pam-srv-tests: Reuse test directory for IO tests
This patch is related to commit 50c9d542e8bf641412debaa82a4dcf67ddb72258
"tests: Use unique name for TEST_PATH"
It's better to do IO operation in common test directory
to prevent conflict with other test (copy & paste errors)
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
544a20de7667f05c1a406c4dea0706b0ab507430 |
|
26-Nov-2015 |
Sumit Bose <sbose@redhat.com> |
p11: enable ocsp checks
This patch enables the Online Certificate Status Protocol in NSS and
adds an option to disable it if needed. To make further tuning of
certificate verification more easy it is not an option on its own but an
option to the new certificate_verification configuration option.
Resolves https://fedorahosted.org/sssd/ticket/2812
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
4b12be504e20173e0629835818e4db6a9617a9a4 |
|
12-Nov-2015 |
Pavel Reichl <preichl@redhat.com> |
pam-srv-tests: Add UT for cached 'online' auth.
Extend PAM responder unit test to check 'online' cached authentication.
Resolves:
https://fedorahosted.org/sssd/ticket/2697
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
6411cd6074688762f793de8f1dddeffcb3a71d02 |
|
12-Nov-2015 |
Pavel Reichl <preichl@redhat.com> |
pam-srv-tests: split pam_test_setup() so it can be reused
Split pam_test_setup() so domain and pam parameters can be easily set
distinctly for each test.
Resolves:
https://fedorahosted.org/sssd/ticket/2697
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
8cfc3d5aeea21a3b8d1801aeef4866a4d3e7add0 |
|
05-Nov-2015 |
Sumit Bose <sbose@redhat.com> |
pam-srv-tests: Change service name
It would be better to not use 'ssh' or 'sshd' here at all but something like
'pam_test_service' to indicate that it is a generic name.
Because a default value should not lead to a code path which handles a
special case. The general PAM responder test should not run through the
'sshd' case in pam_reply(). Only if the service is set explicitly to
'sshd' should this feature be tested.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
2e76b32e74abedb23665808bacc73cafd1097c37 |
|
02-Oct-2015 |
Sumit Bose <sbose@redhat.com> |
PAM: only allow missing user name for certificate authentication
Resolves:
https://fedorahosted.org/sssd/ticket/2811
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
f182ede719c4290f46f09af1191c5eec3da54503 |
|
30-Sep-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
test_pam_srv: Run cert test only with NSS
Reviewed-by: Michal Židek <mzidek@redhat.com> |
ab3c0e05d18616295afbd46acad1ca243b33861c |
|
23-Sep-2015 |
Michal Židek <mzidek@redhat.com> |
tests: Set p11_child_timeout to 30 in tests
Ticket:
https://fedorahosted.org/sssd/ticket/2773
Add way to set pam specific options in
pam_test_setup and use it to set the
p11_child_timeout value to 30.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
50c9d542e8bf641412debaa82a4dcf67ddb72258 |
|
18-Sep-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
tests: Use unique name for TEST_PATH
We had cases in patch where two tests were using the same TEST_PATH
and therefore they were stepping each other to the same files
which caused failures. These failures are not easy to reproduce.
This patch uses macro BASE_FILE_STEM for unique name. It should prevent
copy&paste problem resulting to intermittent failures.
@see also
https://www.gnu.org/software/make/manual/html_node/Automatic-Variables.html
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
a8d887323f83984679a7d9b827a70146656bb7b2 |
|
31-Jul-2015 |
Sumit Bose <sbose@redhat.com> |
PAM: add certificate support to PAM (pre-)auth requests
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
6aff93510b36799c1773d368cc218cd533c43161 |
|
06-Jul-2015 |
Pavel Reichl <preichl@redhat.com> |
Minor code improvements
pam_helpers.h had to be included after util.h.
Removed extra empty line.
Fixed code alignment
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
ea422c7061072c125eb53b40d7f3ca444d886913 |
|
08-May-2015 |
Sumit Bose <sbose@redhat.com> |
PAM: add PAM responder unit test
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |