Age | Commit message (Collapse) | Author | Files | Lines |
|
On RHEL 5 and other older platforms, failing to set _GNU_SOURCE
early would cause some functions - such as strndup() - to be
unavailable.
|
|
|
|
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/731
|
|
https://fedorahosted.org/sssd/ticket/715
|
|
|
|
|
|
We need to guarantee at all times that reads and writes complete
successfully. This means that they must be checked for returning
EINTR and EAGAIN, and all writes must be wrapped in a loop to
ensure that they do not truncate their output.
|
|
|
|
|
|
|
|
|
|
|
|
If there was a failure during a password change a wrong return value was
send back to the PAM stack.
|
|
|
|
|
|
This is the second attempt to let the PAM client and the PAM responder
exchange their credentials, i.e. uid, gid and pid. Because this approach
does not require any message interchange between the client and the
server the protocol version number is not changed.
On the client side the connection is terminated it the responder is not
run by root. On the server side the effective uid and gid and the pid of
the client are available for future use.
The following additional changes are made by this patch:
- the checks of the ownership and the permissions on the PAM sockets are
enhanced
- internal error codes are introduced on the client side to generate
more specific log messages if an error occurs
|
|
The PAM standard allows for messages of any length to be returned
to the client. We were discarding all messages of length greater
than 255. This patch dynamically allocates the message buffers so
we can pass the complete message.
This resolves https://fedorahosted.org/sssd/ticket/432
|
|
Display warnings about remaining grace logins and password
expiration to the user, when LDAP Password Policies are used.
Improved detection if LDAP Password policies are supported by
LDAP Server.
|
|
When changing an expired password (during e.g. login) the PAM module needs
to prompt for the old password even when running as root.
|
|
|
|
_GNU_SOURCE needs to be defined when using strndup.
Signed-off-by: George McCollister <georgem@novatech-llc.com>
|
|
So far we handled expired password during authentication. Other PAM
modules typically detect expired password during account management and
return PAM_NEW_AUTHTOK_REQD if the password is expired and should be
changed. The PAM library then calls the change password routines. To
meet these standards pam_sss is change accordingly.
As a result it is now possible to update an expired password via ssh if
sssd is running with PasswordAuthentication=yes. One drawback due to
limitations of PAM is that the user now has to type his current password
again before setting a new one.
|
|
|
|
Also update BUILD.txt
|