1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
|
/*
* System Security Services Daemon. Client Interface for NSS and PAM.
*
* Copyright (C) Simo Sorce 2007
*
* You can used this header file in any way you see fit provided copyright
* notices are preserved.
*
*/
#ifndef _SSSCLI_H
#define _SSSCLI_H
#include <nss.h>
#include <pwd.h>
#include <grp.h>
/* SELinux will have a better way to regulate access if they are seprate
* Also a change in one of the pipes will not affect the others */
#define SSS_NSS_SOCKET_NAME "/var/lib/sss/pipes/nss"
#define SSS_PAM_SOCKET_NAME "/var/lib/sss/pipes/pam"
#define SSS_PROTOCOL_VERSION 0
enum sss_cli_command {
/* null */
SSS_CLI_NULL = 0x0000,
/* version */
SSS_GET_VERSION = 0x0001,
/* passwd */
SSS_NSS_GETPWNAM = 0x0011,
SSS_NSS_GETPWUID = 0x0012,
SSS_NSS_SETPWENT = 0x0013,
SSS_NSS_GETPWENT = 0x0014,
SSS_NSS_ENDPWENT = 0x0015,
/* group */
SSS_NSS_GETGRNAM = 0x0021,
SSS_NSS_GETGRGID = 0x0022,
SSS_NSS_SETGRENT = 0x0023,
SSS_NSS_GETGRENT = 0x0024,
SSS_NSS_ENDGRENT = 0x0025,
SSS_NSS_INITGR = 0x0026,
#if 0
/* aliases */
SSS_NSS_GETALIASBYNAME = 0x0031,
SSS_NSS_GETALIASBYPORT = 0x0032,
SSS_NSS_SETALIASENT = 0x0033,
SSS_NSS_GETALIASENT = 0x0034,
SSS_NSS_ENDALIASENT = 0x0035,
/* ethers */
SSS_NSS_GETHOSTTON = 0x0041,
SSS_NSS_GETNTOHOST = 0x0042,
SSS_NSS_SETETHERENT = 0x0043,
SSS_NSS_GETETHERENT = 0x0044,
SSS_NSS_ENDETHERENT = 0x0045,
/* hosts */
SSS_NSS_GETHOSTBYNAME = 0x0051,
SSS_NSS_GETHOSTBYNAME2 = 0x0052,
SSS_NSS_GETHOSTBYADDR = 0x0053,
SSS_NSS_SETHOSTENT = 0x0054,
SSS_NSS_GETHOSTENT = 0x0055,
SSS_NSS_ENDHOSTENT = 0x0056,
/* netgroup */
SSS_NSS_SETNETGRENT = 0x0061,
SSS_NSS_GETNETGRENT = 0x0062,
SSS_NSS_ENDNETGRENT = 0x0063,
/* SSS_NSS_INNETGR = 0x0064, */
/* networks */
SSS_NSS_GETNETBYNAME = 0x0071,
SSS_NSS_GETNETBYADDR = 0x0072,
SSS_NSS_SETNETENT = 0x0073,
SSS_NSS_GETNETENT = 0x0074,
SSS_NSS_ENDNETENT = 0x0075,
/* protocols */
SSS_NSS_GETPROTOBYNAME = 0x0081,
SSS_NSS_GETPROTOBYNUM = 0x0082,
SSS_NSS_SETPROTOENT = 0x0083,
SSS_NSS_GETPROTOENT = 0x0084,
SSS_NSS_ENDPROTOENT = 0x0085,
/* rpc */
SSS_NSS_GETRPCBYNAME = 0x0091,
SSS_NSS_GETRPCBYNUM = 0x0092,
SSS_NSS_SETRPCENT = 0x0093,
SSS_NSS_GETRPCENT = 0x0094,
SSS_NSS_ENDRPCENT = 0x0095,
/* services */
SSS_NSS_GETSERVBYNAME = 0x00A1,
SSS_NSS_GETSERVBYPORT = 0x00A2,
SSS_NSS_SETSERVENT = 0x00A3,
SSS_NSS_GETSERVENT = 0x00A4,
SSS_NSS_ENDSERVENT = 0x00A5,
/* shadow */
SSS_NSS_GETSPNAM = 0x00B1,
SSS_NSS_GETSPUID = 0x00B2,
SSS_NSS_SETSPENT = 0x00B3,
SSS_NSS_GETSPENT = 0x00B4,
SSS_NSS_ENDSPENT = 0x00B5,
#endif
/* PAM related calls */
SSS_PAM_AUTHENTICATE = 0x00F1,
SSS_PAM_SETCRED = 0x00F2,
SSS_PAM_ACCT_MGMT = 0x00F3,
SSS_PAM_OPEN_SESSION = 0x00F4,
SSS_PAM_CLOSE_SESSION = 0x00F5,
SSS_PAM_CHAUTHTOK = 0x00F6,
};
enum sss_authtok_type {
SSS_AUTHTOK_TYPE_EMPTY = 0x0000,
SSS_AUTHTOK_TYPE_PASSWORD = 0x0001,
};
#define END_OF_PAM_REQUEST 0x4950414d
#define SSS_NSS_MAX_ENTRIES 256
#define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4)
struct sss_cli_req_data {
size_t len;
const void *data;
};
/* this is in milliseconds, wait up to 300 seconds */
#define SSS_CLI_SOCKET_TIMEOUT 300000
enum sss_status {
SSS_STATUS_UNAVAIL,
SSS_STATUS_SUCCESS
};
enum nss_status sss_nss_make_request(enum sss_cli_command cmd,
struct sss_cli_req_data *rd,
uint8_t **repbuf, size_t *replen,
int *errnop);
int sss_pam_make_request(enum sss_cli_command cmd,
struct sss_cli_req_data *rd,
uint8_t **repbuf, size_t *replen,
int *errnop);
#endif /* _SSSCLI_H */
#if 0
/* GETSPNAM Request:
*
* 0-X: string with name
*
* Replies:
*
* 0-3: 32bit unsigned number of results
* 4-7: 32bit unsigned (reserved/padding)
* For each result:
* 0-7: 64bit unsigned with Date of last change
* 8-15: 64bit unsigned with Min #days between changes
* 16-23: 64bit unsigned with Max #days between changes
* 24-31: 64bit unsigned with #days before pwd expires
* 32-39: 64bit unsigned with #days after pwd expires until account is disabled
* 40-47: 64bit unsigned with expiration date in days since 1970-01-01
* 48-55: 64bit unsigned (flags/reserved)
* 56-X: sequence of 2, 0 terminated, strings (name, pwd) 64bit padded
*/
#endif
|