summaryrefslogtreecommitdiff
path: root/src/sss_client/pam_sss.c
AgeCommit message (Collapse)AuthorFilesLines
2012-10-12PAM: fix handling the client fd in pam destructorJakub Hrozek1-9/+2
* Protect the fd with a mutex when closing * Set it to a safe value after closing
2012-10-11PAM: close socket fd with pam_set_dataJakub Hrozek1-0/+25
https://fedorahosted.org/sssd/ticket/1569
2012-07-27Write SELinux config files in responder instead of PAM moduleJan Zeleny1-95/+0
2012-07-27Move SELinux processing from session to account PAM stackJan Zeleny1-55/+55
The idea is to rename session provider to selinux provider. Processing of SELinux rules has to be performed in account stack in order to ensure that pam_selinux (which is the first module in PAM session stack) will get the correct input from SSSD. Processing of account PAM stack is bound to access provider. That means we need to have two providers executed when SSS_PAM_ACCT_MGMT message is received from PAM responder. Change in data_provider_be.c ensures just that - after access provider finishes its actions, the control is given to selinux provider and only after this provider finishes is the result returned to PAM responder.
2012-06-15SSS_CLIENT: Fix uninitialized value errorStephen Gallagher1-1/+1
This would cause a crash if we jump to the done: label before it has been allocated.
2012-06-14Provide "service filter" for SELinux contextJan Zeleny1-0/+20
At this moment we will support only asterisk, designating "all services". https://fedorahosted.org/sssd/ticket/1360
2012-05-22Always use positional arguments in translatable stringsStephen Gallagher1-2/+2
https://fedorahosted.org/sssd/ticket/1336
2012-05-02PAM_SSS: report error code if write failsJakub Hrozek1-2/+2
clang had reported this as "value of ret is never used", I think it would be nice to report a meaningful error message.
2012-04-20Convert read and write operations to sss_atomic_readJakub Hrozek1-25/+25
https://fedorahosted.org/sssd/ticket/1209
2012-04-18pam_sss: improve error handling in SELinux codeJakub Hrozek1-3/+5
2012-02-23pam_sss: keep selinux optionalSimo Sorce1-0/+6
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2012-02-13Fix missing NULL check after mallocStephen Gallagher1-0/+4
Coverity #12528
2012-02-06SELinux support in PAM moduleJan Zeleny1-1/+60
2011-12-08Fixed incorrect return code in PAM clientJan Zeleny1-1/+1
The original return code when SSSD was not running was system_err, now it is authinfo_unavail. https://fedorahosted.org/sssd/ticket/1011
2011-11-22Cleanup: Remove unused parametersJakub Hrozek1-8/+2
2011-09-20Added quiet option to pam_sssPavel Březina1-5/+25
https://fedorahosted.org/sssd/ticket/894
2011-05-23Import config.h earlierStephen Gallagher1-1/+1
On RHEL 5 and other older platforms, failing to set _GNU_SOURCE early would cause some functions - such as strndup() - to be unavailable.
2011-05-23Set _GNU_SOURCE globallySumit Bose1-4/+0
2011-02-11Use neutral name for functions used by both pam and nssSimo Sorce1-1/+1
2010-12-17Fix wrong test in pam_sssSimo Sorce1-1/+1
2010-12-16Fix segfault for PAM_TEXT_INFO conversationsStephen Gallagher1-1/+1
2010-12-15Fix possible memory leak in do_pam_conversationSumit Bose1-16/+28
https://fedorahosted.org/sssd/ticket/731
2010-12-14Fix improper bit manipulation in pam_sssSumit Bose1-1/+1
https://fedorahosted.org/sssd/ticket/715
2010-11-15Fix cast warning for pam_sss.cStephen Gallagher1-8/+11
2010-11-15Avoid long long in messages to PAM client use int64_tSumit Bose1-6/+6
2010-06-10Properly handle read() and write() throughout the SSSDStephen Gallagher1-1/+1
We need to guarantee at all times that reads and writes complete successfully. This means that they must be checked for returning EINTR and EAGAIN, and all writes must be wrapped in a loop to ensure that they do not truncate their output.
2010-06-09Add a missing free()Sumit Bose1-0/+1
2010-06-09Avoid a potential double-freeSumit Bose1-0/+1
2010-05-26Handle Krb5 password expiration warningSumit Bose1-1/+13
2010-05-07Add retry option to pam_sssSumit Bose1-92/+147
2010-05-07Improve the offline authentication messageJakub Hrozek1-2/+2
2010-04-30Fix wrong return valueSumit Bose1-15/+14
If there was a failure during a password change a wrong return value was send back to the PAM stack.
2010-04-26Display a message if a password reset by root failsSumit Bose1-8/+198
2010-04-26Unset authentication tokens if password change failsSumit Bose1-27/+52
2010-04-16Use SO_PEERCRED on the PAM socketSumit Bose1-1/+4
This is the second attempt to let the PAM client and the PAM responder exchange their credentials, i.e. uid, gid and pid. Because this approach does not require any message interchange between the client and the server the protocol version number is not changed. On the client side the connection is terminated it the responder is not run by root. On the server side the effective uid and gid and the pid of the client are available for future use. The following additional changes are made by this patch: - the checks of the ownership and the permissions on the PAM sockets are enhanced - internal error codes are introduced on the client side to generate more specific log messages if an error occurs
2010-03-25Allow arbitrary-length PAM messagesStephen Gallagher1-3/+20
The PAM standard allows for messages of any length to be returned to the client. We were discarding all messages of length greater than 255. This patch dynamically allocates the message buffers so we can pass the complete message. This resolves https://fedorahosted.org/sssd/ticket/432
2010-03-22Improvements for LDAP Password Policy supportRalf Haferkamp1-0/+82
Display warnings about remaining grace logins and password expiration to the user, when LDAP Password Policies are used. Improved detection if LDAP Password policies are supported by LDAP Server.
2010-03-15Prompt for old password even when running as rootRalf Haferkamp1-2/+4
When changing an expired password (during e.g. login) the PAM module needs to prompt for the old password even when running as root.
2010-03-15Warn user about an expired passwordRalf Haferkamp1-1/+6
2010-03-04Define _GNU_SOURCE in pam_sss.c.George McCollister1-0/+4
_GNU_SOURCE needs to be defined when using strndup. Signed-off-by: George McCollister <georgem@novatech-llc.com>
2010-02-23Handle expired passwords like other PAM modulesSumit Bose1-18/+31
So far we handled expired password during authentication. Other PAM modules typically detect expired password during account management and return PAM_NEW_AUTHTOK_REQD if the password is expired and should be changed. The PAM library then calls the change password routines. To meet these standards pam_sss is change accordingly. As a result it is now possible to update an expired password via ssh if sssd is running with PasswordAuthentication=yes. One drawback due to limitations of PAM is that the user now has to type his current password again before setting a new one.
2010-02-18Fix licensing issues for sss_clientStephen Gallagher1-3/+3
2010-02-18Rename server/ directory to src/Stephen Gallagher1-0/+1166
Also update BUILD.txt
generated by cgit (git 2.34.1) at 2024-11-16 13:14:04 +0000