[PATCH] Do not always return PAM_SYSTEM_ERR when offline krb5 fails
by Jakub Hrozek
I noticed that if offline auth failed for any reason including mistyped
password, we would always print System Error. This makes auditing the
logs hard as it sounds like an internal error occurred.
I don't like the header with a single inline function myself, but I
didn't want to clutter util.h with that function either. And we don't
have any shared header for that purpose at the moment... suggestions are
welcome.
11 years, 2 months
[PATCH 0/4] Create and use an auth token object
by Simo Sorce
The current way we handle auth tokens is manual and very error prone.
The semantics are also confusing and do not make clear how tokens are stored
such that manipulating them is difficult. For example it was unclear in the
code whether password tokens were 0 terminated and whether the length would
include the null termination byte or not.
This code creates a standard structure called sss_auth_token that has a full
set of getters and setters.
Simo.
Note: I wanted to make this structure completely opaque but it would have
required a lot more allocations and pointers, and made the patchset larger.
Fixes: https://fedorahosted.org/sssd/ticket/1586
Simo Sorce (4):
Code can only check for cached passwords
Add function to safely wipe memory.
Add authtok utility functions.
Change pam data auth tokens.
Makefile.am | 4 +
src/db/sysdb.h | 3 +-
src/db/sysdb_ops.c | 13 +-
src/providers/data_provider.h | 9 +-
src/providers/dp_auth_util.c | 77 ++++++----
src/providers/dp_pam_data_util.c | 113 ++++++++-------
src/providers/ipa/ipa_auth.c | 6 +-
src/providers/krb5/krb5_auth.c | 45 +++---
src/providers/krb5/krb5_child.c | 148 ++++++++++---------
src/providers/krb5/krb5_child_handler.c | 59 ++++++--
.../krb5/krb5_delayed_online_authentication.c | 50 ++++---
src/providers/krb5/krb5_renew_tgt.c | 18 +--
src/providers/ldap/ldap_auth.c | 90 +++++-------
src/providers/ldap/sdap_async.c | 4 +-
src/providers/ldap/sdap_async.h | 7 +-
src/providers/ldap/sdap_async_connection.c | 85 ++++++-----
src/providers/proxy/proxy.h | 7 +-
src/providers/proxy/proxy_auth.c | 14 +-
src/providers/proxy/proxy_child.c | 51 ++++---
src/responder/pam/pam_LOCAL_domain.c | 52 +++----
src/responder/pam/pamsrv_cmd.c | 159 ++++++++++++---------
src/tests/krb5_child-test.c | 13 +-
src/tests/sysdb-tests.c | 6 +-
src/util/authtok.c | 146 +++++++++++++++++++
src/util/authtok.h | 137 ++++++++++++++++++
src/util/util.c | 9 ++
src/util/util.h | 10 ++
27 files changed, 856 insertions(+), 479 deletions(-)
create mode 100644 src/util/authtok.c
create mode 100644 src/util/authtok.h
--
1.7.11.4
11 years, 3 months
Tool for querying SSSD database
by David Bambušek
Greetings,
my name is David Bambusek and I have just started working on my bachelor
thesis with topic "Tool for querying SSSD database". I would be very glad
if anyone, who has some interesting suggestion, information, recommendation
or any clue, that could possibly help me in my work, would email me with it.
I would really strongly appreciate it.
Thank you all in advance
David Bambusek
11 years, 3 months
[PATCHES] SYSDB ghost fix
by Ondrej Kos
Here are two patches for the SYSDB:
[PATCH 1/2] SYSDB: replace ghost users properly
this fixes https://fedorahosted.org/sssd/ticket/1714
[PATCH 2/2] SYSDB: split sysdb_add_user
splits add_user code to more readable blocks
Patches are attached
Ondra
--
Ondrej Kos
Associate Software Engineer
Identity Management
Red Hat Czech
phone: +420-532-294-558
cell: +420-736-417-909
ext: 82-62558
loc: 1013 Brno 1 office
irc: okos @ #brno
11 years, 3 months
[PATCH] LDAP: initialize refresh function handler
by Ondrej Kos
I noticed a warning during compilation:
src/providers/ldap/sdap_sudo.c: In function 'sdap_sudo_schedule_refresh':
src/providers/ldap/sdap_sudo.c:1236:9: warning: 'send_fn' may be used
uninitialized in this function [-Wmaybe-uninitialized]
patch is attached
Ondra
--
Ondrej Kos
Associate Software Engineer
Identity Management
Red Hat Czech
phone: +420-532-294-558
cell: +420-736-417-909
ext: 82-62558
loc: 1013 Brno 1 office
irc: okos @ #brno
11 years, 3 months