35#include "shared/safealign.h"
47#define SSS_NSS_PROTOCOL_VERSION 1
48#define SSS_PAM_PROTOCOL_VERSION 3
49#define SSS_SUDO_PROTOCOL_VERSION 1
50#define SSS_AUTOFS_PROTOCOL_VERSION 1
51#define SSS_SSH_PROTOCOL_VERSION 0
52#define SSS_PAC_PROTOCOL_VERSION 1
55#define SSS_NAME_MAX LOGIN_NAME_MAX
57#define SSS_NAME_MAX 256
69 SSS_CLI_NULL = 0x0000,
72 SSS_GET_VERSION = 0x0001,
76 SSS_NSS_GETPWNAM = 0x0011,
77 SSS_NSS_GETPWUID = 0x0012,
78 SSS_NSS_SETPWENT = 0x0013,
79 SSS_NSS_GETPWENT = 0x0014,
80 SSS_NSS_ENDPWENT = 0x0015,
82 SSS_NSS_GETPWNAM_EX = 0x0019,
83 SSS_NSS_GETPWUID_EX = 0x001A,
87 SSS_NSS_GETGRNAM = 0x0021,
88 SSS_NSS_GETGRGID = 0x0022,
89 SSS_NSS_SETGRENT = 0x0023,
90 SSS_NSS_GETGRENT = 0x0024,
91 SSS_NSS_ENDGRENT = 0x0025,
92 SSS_NSS_INITGR = 0x0026,
94 SSS_NSS_GETGRNAM_EX = 0x0029,
95 SSS_NSS_GETGRGID_EX = 0x002A,
96 SSS_NSS_INITGR_EX = 0x002E,
101 SSS_NSS_GETALIASBYNAME = 0x0031,
102 SSS_NSS_GETALIASBYPORT = 0x0032,
103 SSS_NSS_SETALIASENT = 0x0033,
104 SSS_NSS_GETALIASENT = 0x0034,
105 SSS_NSS_ENDALIASENT = 0x0035,
109 SSS_NSS_GETHOSTTON = 0x0041,
110 SSS_NSS_GETNTOHOST = 0x0042,
111 SSS_NSS_SETETHERENT = 0x0043,
112 SSS_NSS_GETETHERENT = 0x0044,
113 SSS_NSS_ENDETHERENT = 0x0045,
118 SSS_NSS_GETHOSTBYNAME = 0x0051,
119 SSS_NSS_GETHOSTBYNAME2 = 0x0052,
120 SSS_NSS_GETHOSTBYADDR = 0x0053,
121 SSS_NSS_SETHOSTENT = 0x0054,
122 SSS_NSS_GETHOSTENT = 0x0055,
123 SSS_NSS_ENDHOSTENT = 0x0056,
127 SSS_NSS_SETNETGRENT = 0x0061,
128 SSS_NSS_GETNETGRENT = 0x0062,
129 SSS_NSS_ENDNETGRENT = 0x0063,
134 SSS_NSS_GETNETBYNAME = 0x0071,
135 SSS_NSS_GETNETBYADDR = 0x0072,
136 SSS_NSS_SETNETENT = 0x0073,
137 SSS_NSS_GETNETENT = 0x0074,
138 SSS_NSS_ENDNETENT = 0x0075,
143 SSS_NSS_GETPROTOBYNAME = 0x0081,
144 SSS_NSS_GETPROTOBYNUM = 0x0082,
145 SSS_NSS_SETPROTOENT = 0x0083,
146 SSS_NSS_GETPROTOENT = 0x0084,
147 SSS_NSS_ENDPROTOENT = 0x0085,
151 SSS_NSS_GETRPCBYNAME = 0x0091,
152 SSS_NSS_GETRPCBYNUM = 0x0092,
153 SSS_NSS_SETRPCENT = 0x0093,
154 SSS_NSS_GETRPCENT = 0x0094,
155 SSS_NSS_ENDRPCENT = 0x0095,
160 SSS_NSS_GETSERVBYNAME = 0x00A1,
161 SSS_NSS_GETSERVBYPORT = 0x00A2,
162 SSS_NSS_SETSERVENT = 0x00A3,
163 SSS_NSS_GETSERVENT = 0x00A4,
164 SSS_NSS_ENDSERVENT = 0x00A5,
169 SSS_NSS_GETSPNAM = 0x00B1,
170 SSS_NSS_GETSPUID = 0x00B2,
171 SSS_NSS_SETSPENT = 0x00B3,
172 SSS_NSS_GETSPENT = 0x00B4,
173 SSS_NSS_ENDSPENT = 0x00B5,
177 SSS_SUDO_GET_SUDORULES = 0x00C1,
178 SSS_SUDO_GET_DEFAULTS = 0x00C2,
181 SSS_AUTOFS_SETAUTOMNTENT = 0x00D1,
182 SSS_AUTOFS_GETAUTOMNTENT = 0x00D2,
183 SSS_AUTOFS_GETAUTOMNTBYNAME = 0x00D3,
184 SSS_AUTOFS_ENDAUTOMNTENT = 0x00D4,
187 SSS_SSH_GET_USER_PUBKEYS = 0x00E1,
188 SSS_SSH_GET_HOST_PUBKEYS = 0x00E2,
240 SSS_PAC_ADD_PAC_USER = 0x0101,
360#define SSS_START_OF_PAM_REQUEST 0x4d415049
361#define SSS_END_OF_PAM_REQUEST 0x4950414d
363#define PAM_PREAUTH_INDICATOR PUBCONF_PATH"/pam_preauth_available"
366 SSS_PAM_ITEM_EMPTY = 0x0000,
368 SSS_PAM_ITEM_SERVICE,
372 SSS_PAM_ITEM_AUTHTOK,
373 SSS_PAM_ITEM_NEWAUTHTOK,
374 SSS_PAM_ITEM_CLI_LOCALE,
375 SSS_PAM_ITEM_CLI_PID,
376 SSS_PAM_ITEM_REQUESTED_DOMAINS,
380#define PAM_CLI_FLAGS_USE_FIRST_PASS (1 << 0)
381#define PAM_CLI_FLAGS_FORWARD_PASS (1 << 1)
382#define PAM_CLI_FLAGS_USE_AUTHTOK (1 << 2)
383#define PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
384#define PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4)
385#define PAM_CLI_FLAGS_USE_2FA (1 << 5)
386#define PAM_CLI_FLAGS_ALLOW_MISSING_NAME (1 << 6)
387#define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7)
388#define PAM_CLI_FLAGS_TRY_CERT_AUTH (1 << 8)
389#define PAM_CLI_FLAGS_REQUIRE_CERT_AUTH (1 << 9)
391#define SSS_NSS_MAX_ENTRIES 256
392#define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4)
393struct sss_cli_req_data {
399#define SSS_CLI_SOCKET_TIMEOUT 300000
591enum prompt_config_type {
602enum prompt_config_type pc_get_type(
struct prompt_config *pc);
603const char *pc_get_password_prompt(
struct prompt_config *pc);
604const char *pc_get_2fa_1st_prompt(
struct prompt_config *pc);
605const char *pc_get_2fa_2nd_prompt(
struct prompt_config *pc);
606const char *pc_get_2fa_single_prompt(
struct prompt_config *pc);
607void pc_list_free(
struct prompt_config **pc_list);
608errno_t pc_list_add_password(
struct prompt_config ***pc_list,
610errno_t pc_list_add_2fa(
struct prompt_config ***pc_list,
611 const char *prompt_1st,
const char *prompt_2nd);
612errno_t pc_list_add_2fa_single(
struct prompt_config ***pc_list,
614errno_t pam_get_response_prompt_config(
struct prompt_config **pc_list,
int *len,
616errno_t pc_list_from_response(
int size, uint8_t *buf,
617 struct prompt_config ***pc_list);
619enum sss_netgr_rep_type {
620 SSS_NETGR_REP_TRIPLE = 1,
624enum sss_cli_error_codes {
625 ESSS_SSS_CLI_ERROR_START = 0x1000,
626 ESSS_BAD_PRIV_SOCKET,
629 ESSS_SERVER_NOT_TRUSTED,
631 ESSS_SOCKET_STAT_ERROR,
633 ESS_SSS_CLI_ERROR_MAX
636const char *ssscli_err2string(
int err);
638enum sss_status sss_cli_make_request_with_checks(
enum sss_cli_command cmd,
639 struct sss_cli_req_data *rd,
641 uint8_t **repbuf,
size_t *replen,
643 const char *socket_name);
646 struct sss_cli_req_data *rd,
647 uint8_t **repbuf,
size_t *replen,
651 struct sss_cli_req_data *rd,
653 uint8_t **repbuf,
size_t *replen,
657 struct sss_cli_req_data *rd,
658 uint8_t **repbuf,
size_t *replen,
660void sss_pam_close_fd(
void);
666int sss_pac_check_and_open(
void);
669 struct sss_cli_req_data *rd,
670 uint8_t **repbuf,
size_t *replen,
674 struct sss_cli_req_data *rd,
675 uint8_t **repbuf,
size_t *replen,
679 struct sss_cli_req_data *rd,
680 uint8_t **repbuf,
size_t *replen,
684 struct sss_cli_req_data *rd,
685 uint8_t **repbuf,
size_t *replen,
689 struct sss_cli_req_data *rd,
690 uint8_t **repbuf,
size_t *replen,
719errno_t sss_strnlen(
const char *str,
size_t maxlen,
size_t *len);
721void sss_nss_lock(
void);
722void sss_nss_unlock(
void);
723void sss_pam_lock(
void);
724void sss_pam_unlock(
void);
725void sss_nss_mc_lock(
void);
726void sss_nss_mc_unlock(
void);
727void sss_pac_lock(
void);
728void sss_pac_unlock(
void);
730errno_t sss_readrep_copy_string(
const char *in,
response_type
Types of different messages.
Definition: sss_cli.h:437
@ SSS_PAM_TEXT_MSG
A plain text message which should be displayed to the user.
Definition: sss_cli.h:458
@ SSS_PASSWORD_PROMPTING
Indicates that password prompting is possible.
Definition: sss_cli.h:478
@ SSS_PAM_ENV_ITEM
Set and environment variable with pam_putenv(3).
Definition: sss_cli.h:444
@ SSS_PAM_CERT_INFO
A message indicating that Smartcard/certificate based authentication is available and contains detail...
Definition: sss_cli.h:468
@ SSS_PAM_CERT_INFO_WITH_HINT
Same as SSS_PAM_CERT_INFO but user name might be missing and should be prompted for.
Definition: sss_cli.h:489
@ SSS_ENV_ITEM
Set and environment variable with putenv(3).
Definition: sss_cli.h:447
@ SSS_PAM_SYSTEM_INFO
Message for the system log.
Definition: sss_cli.h:438
@ SSS_CERT_AUTH_PROMPTING
Indicates that on the server side Smartcard/certificate based authentication is available for the sel...
Definition: sss_cli.h:483
@ SSS_PAM_PROMPT_CONFIG
Contains data which controls which credentials are expected and how the user is prompted for them.
Definition: sss_cli.h:492
@ SSS_PAM_OTP_INFO
A message which optionally may contain the name of the vendor, the ID of an OTP token and a challenge...
Definition: sss_cli.h:462
@ SSS_PAM_USER_INFO
A message which should be displayed to the user.
Definition: sss_cli.h:455
@ SSS_OTP
Indicates that the authtok was a OTP, so don't cache it.
Definition: sss_cli.h:475
@ SSS_ALL_ENV_ITEM
Set and environment variable with putenv(3) and pam_putenv(3).
Definition: sss_cli.h:450
@ SSS_PAM_DOMAIN_NAME
Name of the domain the user belongs too.
Definition: sss_cli.h:440
sss_authtok_type
The different types of authentication tokens.
Definition: sss_cli.h:331
@ SSS_AUTHTOK_TYPE_2FA
Authentication token has two factors, they may or may no contain a trailing \0.
Definition: sss_cli.h:341
@ SSS_AUTHTOK_TYPE_SC_PIN
Authentication token is a Smart Card PIN, it may or may no contain a trailing \0.
Definition: sss_cli.h:344
@ SSS_AUTHTOK_TYPE_PASSWORD
Authentication token is a password, it may or may no contain a trailing \0.
Definition: sss_cli.h:334
@ SSS_AUTHTOK_TYPE_SC_KEYPAD
Authentication token indicates Smart Card authentication is used and that the PIN will be entered at ...
Definition: sss_cli.h:347
@ SSS_AUTHTOK_TYPE_2FA_SINGLE
Authentication token has two factors in a single string, it may or may no contain a trailing \0.
Definition: sss_cli.h:351
@ SSS_AUTHTOK_TYPE_CCFILE
Authentication token is a path to a Kerberos credential cache file, it may or may no contain a traili...
Definition: sss_cli.h:337
@ SSS_AUTHTOK_TYPE_EMPTY
No authentication token available.
Definition: sss_cli.h:332
sss_cli_command
The allowed commands an SSS client can send to the SSSD.
Definition: sss_cli.h:67
@ SSS_GSSAPI_SEC_CTX
Establish GSSAPI security ctx.
Definition: sss_cli.h:237
@ SSS_NSS_GETLISTBYCERT
Takes the zero terminated string of the base64 encoded DER representation of a X509 certificate and r...
Definition: sss_cli.h:274
@ SSS_PAM_OPEN_SESSION
see pam_sm_open_session(3) for details
Definition: sss_cli.h:216
@ SSS_PAM_SETCRED
see pam_sm_setcred(3) for details
Definition: sss_cli.h:212
@ SSS_NSS_GETIDBYSID
Takes the zero terminated string representation of a SID and returns and returns the POSIX ID of the ...
Definition: sss_cli.h:255
@ SSS_PAM_CLOSE_SESSION
see pam_sm_close_session(3) for details
Definition: sss_cli.h:218
@ SSS_NSS_GET_SUBID_RANGES
Requests both subuid and subgid ranges defined for a user.
Definition: sss_cli.h:289
@ SSS_NSS_GETORIGBYNAME
Takes a zero terminated fully qualified name and returns a list of zero terminated strings with key-v...
Definition: sss_cli.h:262
@ SSS_GSSAPI_INIT
Initialize GSSAPI authentication.
Definition: sss_cli.h:236
@ SSS_PAM_ACCT_MGMT
see pam_sm_acct_mgmt(3) for details
Definition: sss_cli.h:214
@ SSS_CMD_RENEW
Renew a credential with a limited lifetime, e.g.
Definition: sss_cli.h:229
@ SSS_PAM_AUTHENTICATE
see pam_sm_authenticate(3) for details.
Definition: sss_cli.h:191
@ SSS_PAM_CHAUTHTOK
second run of the password change operation where the PAM_UPDATE_AUTHTOK flag is set and the real cha...
Definition: sss_cli.h:220
@ SSS_NSS_GETSIDBYNAME
Takes a zero terminated fully qualified name and returns the zero terminated string representation of...
Definition: sss_cli.h:243
@ SSS_NSS_GETSIDBYUID
Takes an unsigned 32bit integer (POSIX UID) and return the zero terminated string representation of t...
Definition: sss_cli.h:279
@ SSS_NSS_GETNAMEBYCERT
Takes the zero terminated string of the base64 encoded DER representation of a X509 certificate and r...
Definition: sss_cli.h:269
@ SSS_PAM_PREAUTH
Request which can be run before an authentication request to find out which authentication methods ar...
Definition: sss_cli.h:232
@ SSS_NSS_GETSIDBYID
Takes an unsigned 32bit integer (POSIX ID) and returns the zero terminated string representation of t...
Definition: sss_cli.h:247
@ SSS_NSS_GETSIDBYGID
Takes an unsigned 32bit integer (POSIX GID) and return the zero terminated string representation of t...
Definition: sss_cli.h:283
@ SSS_PAM_CHAUTHTOK_PRELIM
first run of the password change operation where the PAM_PRELIM_CHECK flag is set,...
Definition: sss_cli.h:225
@ SSS_NSS_GETNAMEBYSID
Takes the zero terminated string representation of a SID and returns the zero terminated fully qualif...
Definition: sss_cli.h:251
user_info_type
Different types of user messages.
Definition: sss_cli.h:523
@ SSS_PAM_USER_INFO_CHPASS_ERROR
Tell the user that a password change failed and optionally give a reason.
Definition: sss_cli.h:551
@ SSS_PAM_USER_INFO_OFFLINE_AUTH_DELAYED
Tell the user how low a new authentication is delayed.
Definition: sss_cli.h:535
@ SSS_PAM_USER_INFO_OTP_CHPASS
Tell the user that he needs to kinit or login and logout to get a TGT after an OTP password change.
Definition: sss_cli.h:548
@ SSS_PAM_USER_INFO_OFFLINE_CHPASS
Definition: sss_cli.h:544
@ SSS_PAM_USER_INFO_EXPIRE_WARN
Warn the user that the password will expire soon.
Definition: sss_cli.h:564
@ SSS_PAM_USER_INFO_ACCOUNT_EXPIRED
Tell the user that the account has expired and optionally give a reason.
Definition: sss_cli.h:569
@ SSS_PAM_USER_INFO_GRACE_LOGIN
Warn the user that the password is expired and inform about the remaining number of grace logins.
Definition: sss_cli.h:559
@ SSS_PAM_USER_INFO_OFFLINE_AUTH
Inform the user that the authentication happened offline.
Definition: sss_cli.h:524