summaryrefslogtreecommitdiff
path: root/src/providers/krb5/krb5_auth.c
AgeCommit message (Collapse)AuthorFilesLines
2013-09-09krb5: Add file/dir path precheckSimo Sorce1-0/+1
Add a precheck on the actual existence at all of the file/dir ccname targeted (for FILE/DIR types), and bail early if nothing is available. While testing I found out that without this check, the krb5_cc_resolve() function we call as user to check old paths would try to create the directory if it didn't exist. With a ccname of DIR:/tmp/ccdir_1000 saved in the user entry this would cause two undesirable side effects: First it would actually create a directory with the old name, when it should not. Second, because for some reason the umask is set to 0127 in sssd_be, it would create the directory with permission 600 (missing the 'x' traverse bit on the directory. If the new ccache has the same name it would cause the krb5_child process to fal to store the credential cache in it. Related: https://fedorahosted.org/sssd/ticket/2061
2013-09-09krb5: Remove unused ccache backend infrastructureSimo Sorce1-26/+0
Remove struct sss_krb5_cc_be and the remaining functions that reference it as they are all unused now. Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09krb5: Unify function to create ccache filesSimo Sorce1-3/+3
Only 2 types (FILE and DIR) need to precreate files or directories on the file system, and the 2 functions were basically identical. Consolidate all in one common function and use that function directly where needed instead of using indirection. Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09krb5: Use new function to validate ccachesSimo Sorce1-16/+14
This function replaces and combines check_for_valid_tgt() and type specific functions that checked for ccache existence by using generic krb5 cache function and executing them as the target user (implicitly validate the target use rcan properly access the ccache). Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09krb5: move template check to initializzationSimo Sorce1-4/+1
The randomized template check realy only makes sense for the FILE ccache which is the only one that normally needs to use randomizing chars. Also it is better to warn the admin early rather than to warn 'when it is too late'. So move the check at initialization time when we determine what the template actually is. Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09krb5: Move determination of user being activeSimo Sorce1-2/+8
The way a user is checked for being active does not depend on the ccache type so move that check out of the ccache specific functions. Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09krb5: Replace type-specific ccache/principal checkSimo Sorce1-7/+4
Instead of having duplicate functions that are type custom use a signle common function that also performs access to the cache as the user owner, implicitly validating correctness of ownership. Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-09-09krb5: Use krb5_cc_destroy to remove old ccachesSimo Sorce1-45/+18
This completely replaces the per-ccache-type custom code to remove old cacches and instead uses libkrb5 base doperations (krb5_cc_destroy) and operating as the user owner. Resolves: https://fedorahosted.org/sssd/ticket/2061
2013-08-28krb5: Fetch ccname template from krb5.confStephen Gallagher1-2/+2
In order to use the same defaults in all system daemons that needs to know how to generate or search for ccaches we introduce ode here to take advantage of the new option called default_ccache_name provided by libkrb5. If set this variable we establish the same default for all programs that surce it out of krb5.conf therefore providing a consistent experience across the system. Related: https://fedorahosted.org/sssd/ticket/2036
2013-07-18KRB: Replace multiple calls with variableOndrej Kos1-6/+9
Instead of multiple calls of sss_authtok_get_type, perform the call just once and store into variable.
2013-07-18KRB: Handle empty password gracefullyOndrej Kos1-0/+11
https://fedorahosted.org/sssd/ticket/1814 Return authentication error when empty password is passed.
2013-06-27KRB5: guess UPN for subdomain usersJakub Hrozek1-1/+1
2013-06-24KRB5: use the right authtok type for renewalsSumit Bose1-3/+20
2013-06-14KRB: Handle preauthentication error correctlyOndrej Kos1-0/+6
https://fedorahosted.org/sssd/ticket/1873 KRB preauthentication error was later mishandled like authentication error.
2013-05-14Always update cached upn if enterprise principals are usedSumit Bose1-3/+4
Instead of continuing to use the initial upn if enterprise principals are used if should always be replaced. The enterprise principal is stored in the credential cache and without knowing it the ccache_for_princ() calls to determine the location of the credential cache will fail. Fixes https://fedorahosted.org/sssd/ticket/1921
2013-05-03Only check UPN if enterprise principals are not usedJakub Hrozek1-0/+5
If enterprise principals are enabled (which is the default in the AD provider), then the returned UPN might be slightly different from the one SSSD constructs before attempting the login. This patch makes SSSD only check if the principal is the same when the enterprise principals are disabled.
2013-04-12Fix krbcc dir creation issue with MIT krb5 1.11Lukas Slebodnik1-1/+11
In krb5-libs >= 1.11, function krb5_cc_resolve verify if credential cache dir exists. If it doesn't exist, than it will be created with process permissions and not user permissions. Function cc_residual_is_used has already checked for non existing directory, but it wasn't considered to be a failure and therefore next call of krb5_init_context will create directory with wrong permissions. Now if directory doesn't exist, it will be handled like there was not ccache attribute in sysdb cache. We also check if "primary" file in ccache directory has right permissions. But we ignore missing "primary" file. https://fedorahosted.org/sssd/ticket/1822
2013-04-03Allow setting krb5_renew_interval with a delimiterAriel Barria1-3/+15
https://fedorahosted.org/sssd/ticket/902 changed the data type the krb5_renew_interval to string. function krb5_string_to_deltat is used to convert and allow delimiters
2013-04-02Making the authtok structure really opaque.Lukas Slebodnik1-5/+5
Definition of structure sss_auth_token was removed from header file authtok.h and there left only declaration of this structure. Therefore only way how to use this structure is to use accessory function from same header file. To creating new empty authotok can only be used newly created function sss_authtok_new(). TALLOC context was removed from copy and setter functions, because pointer to stuct sss_auth_token is used as a memory context. All declaration of struct sss_auth_token variables was replaced with pointer to this structure and related changes was made in source code. Function copy_pam_data can copy from argument src which was dynamically allocated with function create_pam_data() or zero initialized struct pam_data allocated on stack. https://fedorahosted.org/sssd/ticket/1830
2013-03-18Retry the correct service on krb5 child timeoutJakub Hrozek1-1/+1
2013-03-08Add support for krb5 1.11's responder callback.Nathaniel McCallum1-1/+1
krb5 1.11 adds support for a new method for responding to structured data queries. This method, called the responder, provides an alternative to the prompter interface. This patch adds support for this method. It takes the password and provides it via a responder instead of the prompter. In the case of OTP authentication, it also disables the caching of credentials (since the credentials are one-time only).
2013-03-04Cleanup error message handling for krb5 childSimo Sorce1-67/+80
Use the new internal SSSD errors, to simplify error handling. Instead of using up to 3 different error types (system, krb5 and pam_status), collapse all error reporting into one error type mapped on errno_t. The returned error can contain either SSSD internal errors, kerberos errors or system errors, they all use different number spaces so there is no overlap and they can be safely merged. This means that errors being sent from the child to the parent are not pam status error messages anymore. The callers have been changed to properly deal with that. Also note that this patch removes returning SSS_PAM_SYSTEM_INFO from the krb5_child for kerberos errors as all it was doing was simply to make the parent emit the same debug log already emitted by the child, and the code is simpler if we do not do that.
2013-01-21Add be_req_get_data() helper funciton.Simo Sorce1-4/+4
In preparation for making struct be_req opaque.
2013-01-21Add be_req_get_be_ctx() helper.Simo Sorce1-7/+7
In preparation for making be_req opaque
2013-01-21Introduce be_req_terminate() helperSimo Sorce1-10/+3
Call it everywhere instead of directly dereferencing be_req->fn This is in preparation of making be_req opaque.
2013-01-21Remove sysdb as a be context structure memberSimo Sorce1-2/+2
The sysdb context is already available through the 'domain' structure.
2013-01-15Add domain argument to sysdb_cache_auth()Simo Sorce1-1/+5
2013-01-15Add domain argument to sysdb_cache_password()Simo Sorce1-3/+5
2013-01-15Add domain argument to sysdb_set_user_attr()Simo Sorce1-5/+8
2013-01-15Add domain argument to sysdb_get_user_attr()Simo Sorce1-7/+7
2013-01-10Change pam data auth tokens.Simo Sorce1-35/+23
Use the new authtok abstraction and interfaces throught the code.
2013-01-10Code can only check for cached passwordsSimo Sorce1-4/+17
Make it clear to the API users that we can not take arbitrary auth tokens. We can only take a password for now so simplify and clarify the interface.
2012-12-10let krb5_kpasswd failover workPavel Březina1-3/+7
https://fedorahosted.org/sssd/ticket/1680 There were two errors: 1. kr->kpasswd_srv was never set 2. bad service name (KERBEROS) was provided when setting port status, thus the port status never changed
2012-12-04Fix tevent_req style for krb5_authSimo Sorce1-358/+323
No functionality changes, just make the code respect the tevent_req style and naming conventions and enhance readability by adding some helper functions.
2012-11-12Do not always return PAM_SYSTEM_ERR when offline krb5 authentication failsJakub Hrozek1-1/+2
2012-10-26krb5_auth: update with correct UPN if neededSumit Bose1-0/+30
The Active Directory KDC handles request case in-sensitive and it might not always to possible to guess the UPN with the correct case. We check if the returned principal has a different case then the one used in the request and updates the principal if needed. This will help using calls from the Kerberos client libraries later on which would otherwise fail because the principal is handled case sensitive by those libraries.
2012-10-26Use find_or_guess_upn() where neededSumit Bose1-14/+13
2012-10-26krb5_mod_ccname: replace wrong memory contextSumit Bose1-1/+1
2012-10-26krb5_auth: check if principal belongs to a different realmSumit Bose1-0/+7
Add a flag if the principal used for authentication does not belong to our realm. This can be used to act differently for users from other realms.
2012-10-26krb5_auth_send: check for sub-domainsSumit Bose1-5/+15
If there is an authentication request for a user from a sub-domain a temporary sysdb context is generated to allow lookups in the corresponding sub-tree in the cache.
2012-10-04Log possibly non-randomizable ccache file templateOndrej Kos1-2/+5
fixes https://fedorahosted.org/sssd/ticket/1533 ccache file template is now checked for appended XXXXXX for use with mkstemp. When those characters are not present, warning is written to log.
2012-09-13FO: Check server validity before setting statusJakub Hrozek1-5/+9
The list of resolved servers is allocated on the back end context and kept in the fo_service structure. However, a single request often resolves a server and keeps a pointer until the end of a request and only then gives feedback about the server based on the request result. This presents a big race condition in case the SRV resolution is used. When there are requests coming in in parallel, it is possible that an incoming request will invalidate a server until another request that holds a pointer to the original server is able to give a feedback. This patch simply checks if a server is in the list of servers maintained by a service before reading its status. https://fedorahosted.org/sssd/ticket/1364
2012-09-10KRB5: Add a missing string argumentJakub Hrozek1-1/+2
2012-09-10KRB5: cancel the sysdb transaction on one place onlyJakub Hrozek1-1/+0
https://fedorahosted.org/sssd/ticket/1516 If sysdb_set_user_attr failed, we would cancel the transaction, then go to the error handler and attempt to close it again.
2012-08-23Unify usage of sysdb transactionsMichal Zidek1-2/+14
Removing bad examples of usage of sysdb_transaction_start/commit/end functions and making it more consistent (all files except of src/db/sysdb_*.c).
2012-08-15KRB5: Only return PAM error for unreachable kpasswd when performing chpassJakub Hrozek1-2/+4
https://fedorahosted.org/sssd/ticket/1452
2012-06-29KRB5: Initialize the credential cache type properlyStephen Gallagher1-0/+11
We weren't guaranteeing that the cctype-specific callbacks were initialized before using them. This bug only presented itself for users who were logging in without a ccacheFile attribute in the LDB (for example, first-time logins).
2012-06-14Add a credential cache back end structureJakub Hrozek1-101/+92
To be able to add support for new credential cache types easily, this patch creates a new structure sss_krb5_cc_be that defines common operations with a credential cache, such as create, check if used or remove.
2012-06-14Split parse_krb5_child_response so it can be reusedJakub Hrozek1-119/+27
krb5-child-test will be another consumer. It also makes the code more readable by splitting a huge function.
2012-05-07Only reset kpasswd server status when performing a chpass operationJakub Hrozek1-2/+3
https://fedorahosted.org/sssd/ticket/1316