sssd 2.6.1
sss_cli.h
1/*
2 SSSD
3
4 Client Interface for NSS and PAM.
5
6 Authors:
7 Simo Sorce <ssorce@redhat.com>
8
9 Copyright (C) Red Hat, Inc 2007
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU Lesser General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
15
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU Lesser General Public License for more details.
20
21 You should have received a copy of the GNU Lesser General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
23*/
24
25#ifndef _SSSCLI_H
26#define _SSSCLI_H
27
28#include <nss.h>
29#include <pwd.h>
30#include <grp.h>
31#include <string.h>
32#include <stdint.h>
33#include <limits.h>
34
35#include "shared/safealign.h"
36
37#ifndef HAVE_ERRNO_T
38#define HAVE_ERRNO_T
39typedef int errno_t;
40#endif
41
42
43#ifndef EOK
44#define EOK 0
45#endif
46
47#define SSS_NSS_PROTOCOL_VERSION 1
48#define SSS_PAM_PROTOCOL_VERSION 3
49#define SSS_SUDO_PROTOCOL_VERSION 1
50#define SSS_AUTOFS_PROTOCOL_VERSION 1
51#define SSS_SSH_PROTOCOL_VERSION 0
52#define SSS_PAC_PROTOCOL_VERSION 1
53
54#ifdef LOGIN_NAME_MAX
55#define SSS_NAME_MAX LOGIN_NAME_MAX
56#else
57#define SSS_NAME_MAX 256
58#endif
59
68/* null */
69 SSS_CLI_NULL = 0x0000,
70
71/* version */
72 SSS_GET_VERSION = 0x0001,
73
74/* passwd */
75
76 SSS_NSS_GETPWNAM = 0x0011,
77 SSS_NSS_GETPWUID = 0x0012,
78 SSS_NSS_SETPWENT = 0x0013,
79 SSS_NSS_GETPWENT = 0x0014,
80 SSS_NSS_ENDPWENT = 0x0015,
81
82 SSS_NSS_GETPWNAM_EX = 0x0019,
83 SSS_NSS_GETPWUID_EX = 0x001A,
84
85/* group */
86
87 SSS_NSS_GETGRNAM = 0x0021,
88 SSS_NSS_GETGRGID = 0x0022,
89 SSS_NSS_SETGRENT = 0x0023,
90 SSS_NSS_GETGRENT = 0x0024,
91 SSS_NSS_ENDGRENT = 0x0025,
92 SSS_NSS_INITGR = 0x0026,
93
94 SSS_NSS_GETGRNAM_EX = 0x0029,
95 SSS_NSS_GETGRGID_EX = 0x002A,
96 SSS_NSS_INITGR_EX = 0x002E,
97
98#if 0
99/* aliases */
100
101 SSS_NSS_GETALIASBYNAME = 0x0031,
102 SSS_NSS_GETALIASBYPORT = 0x0032,
103 SSS_NSS_SETALIASENT = 0x0033,
104 SSS_NSS_GETALIASENT = 0x0034,
105 SSS_NSS_ENDALIASENT = 0x0035,
106
107/* ethers */
108
109 SSS_NSS_GETHOSTTON = 0x0041,
110 SSS_NSS_GETNTOHOST = 0x0042,
111 SSS_NSS_SETETHERENT = 0x0043,
112 SSS_NSS_GETETHERENT = 0x0044,
113 SSS_NSS_ENDETHERENT = 0x0045,
114#endif
115
116/* hosts */
117
118 SSS_NSS_GETHOSTBYNAME = 0x0051,
119 SSS_NSS_GETHOSTBYNAME2 = 0x0052,
120 SSS_NSS_GETHOSTBYADDR = 0x0053,
121 SSS_NSS_SETHOSTENT = 0x0054,
122 SSS_NSS_GETHOSTENT = 0x0055,
123 SSS_NSS_ENDHOSTENT = 0x0056,
124
125/* netgroup */
126
127 SSS_NSS_SETNETGRENT = 0x0061,
128 SSS_NSS_GETNETGRENT = 0x0062,
129 SSS_NSS_ENDNETGRENT = 0x0063,
130 /* SSS_NSS_INNETGR = 0x0064, */
131
132/* networks */
133
134 SSS_NSS_GETNETBYNAME = 0x0071,
135 SSS_NSS_GETNETBYADDR = 0x0072,
136 SSS_NSS_SETNETENT = 0x0073,
137 SSS_NSS_GETNETENT = 0x0074,
138 SSS_NSS_ENDNETENT = 0x0075,
139
140#if 0
141/* protocols */
142
143 SSS_NSS_GETPROTOBYNAME = 0x0081,
144 SSS_NSS_GETPROTOBYNUM = 0x0082,
145 SSS_NSS_SETPROTOENT = 0x0083,
146 SSS_NSS_GETPROTOENT = 0x0084,
147 SSS_NSS_ENDPROTOENT = 0x0085,
148
149/* rpc */
150
151 SSS_NSS_GETRPCBYNAME = 0x0091,
152 SSS_NSS_GETRPCBYNUM = 0x0092,
153 SSS_NSS_SETRPCENT = 0x0093,
154 SSS_NSS_GETRPCENT = 0x0094,
155 SSS_NSS_ENDRPCENT = 0x0095,
156#endif
157
158/* services */
159
160 SSS_NSS_GETSERVBYNAME = 0x00A1,
161 SSS_NSS_GETSERVBYPORT = 0x00A2,
162 SSS_NSS_SETSERVENT = 0x00A3,
163 SSS_NSS_GETSERVENT = 0x00A4,
164 SSS_NSS_ENDSERVENT = 0x00A5,
165
166#if 0
167/* shadow */
168
169 SSS_NSS_GETSPNAM = 0x00B1,
170 SSS_NSS_GETSPUID = 0x00B2,
171 SSS_NSS_SETSPENT = 0x00B3,
172 SSS_NSS_GETSPENT = 0x00B4,
173 SSS_NSS_ENDSPENT = 0x00B5,
174#endif
175
176/* SUDO */
177 SSS_SUDO_GET_SUDORULES = 0x00C1,
178 SSS_SUDO_GET_DEFAULTS = 0x00C2,
179
180/* autofs */
181 SSS_AUTOFS_SETAUTOMNTENT = 0x00D1,
182 SSS_AUTOFS_GETAUTOMNTENT = 0x00D2,
183 SSS_AUTOFS_GETAUTOMNTBYNAME = 0x00D3,
184 SSS_AUTOFS_ENDAUTOMNTENT = 0x00D4,
185
186/* SSH */
187 SSS_SSH_GET_USER_PUBKEYS = 0x00E1,
188 SSS_SSH_GET_HOST_PUBKEYS = 0x00E2,
189
190/* PAM related calls */
191 SSS_PAM_AUTHENTICATE = 0x00F1,
212 SSS_PAM_SETCRED = 0x00F2,
214 SSS_PAM_ACCT_MGMT = 0x00F3,
216 SSS_PAM_OPEN_SESSION = 0x00F4,
218 SSS_PAM_CLOSE_SESSION = 0x00F5,
220 SSS_PAM_CHAUTHTOK = 0x00F6,
225 SSS_PAM_CHAUTHTOK_PRELIM = 0x00F7,
229 SSS_CMD_RENEW = 0x00F8,
232 SSS_PAM_PREAUTH = 0x00F9,
239/* PAC responder calls */
240 SSS_PAC_ADD_PAC_USER = 0x0101,
241
242/* ID-SID mapping calls */
243SSS_NSS_GETSIDBYNAME = 0x0111,
247SSS_NSS_GETSIDBYID = 0x0112,
251SSS_NSS_GETNAMEBYSID = 0x0113,
255SSS_NSS_GETIDBYSID = 0x0114,
262SSS_NSS_GETORIGBYNAME = 0x0115,
269SSS_NSS_GETNAMEBYCERT = 0x0116,
274SSS_NSS_GETLISTBYCERT = 0x0117,
279SSS_NSS_GETSIDBYUID = 0x0118,
283SSS_NSS_GETSIDBYGID = 0x0119,
288/* subid */
289 SSS_NSS_GET_SUBID_RANGES = 0x0130,
291};
292 /* end of group sss_cli_command */
296
297 /* end of group sss_pam */
318
332 SSS_AUTHTOK_TYPE_EMPTY = 0x0000,
337 SSS_AUTHTOK_TYPE_CCFILE = 0x0002,
341 SSS_AUTHTOK_TYPE_2FA = 0x0003,
344 SSS_AUTHTOK_TYPE_SC_PIN = 0x0004,
354};
355 /* end of group sss_authtok_type */
359
360#define SSS_START_OF_PAM_REQUEST 0x4d415049
361#define SSS_END_OF_PAM_REQUEST 0x4950414d
362
363#define PAM_PREAUTH_INDICATOR PUBCONF_PATH"/pam_preauth_available"
364
365enum pam_item_type {
366 SSS_PAM_ITEM_EMPTY = 0x0000,
367 SSS_PAM_ITEM_USER,
368 SSS_PAM_ITEM_SERVICE,
369 SSS_PAM_ITEM_TTY,
370 SSS_PAM_ITEM_RUSER,
371 SSS_PAM_ITEM_RHOST,
372 SSS_PAM_ITEM_AUTHTOK,
373 SSS_PAM_ITEM_NEWAUTHTOK,
374 SSS_PAM_ITEM_CLI_LOCALE,
375 SSS_PAM_ITEM_CLI_PID,
376 SSS_PAM_ITEM_REQUESTED_DOMAINS,
377 SSS_PAM_ITEM_FLAGS,
378};
379
380#define PAM_CLI_FLAGS_USE_FIRST_PASS (1 << 0)
381#define PAM_CLI_FLAGS_FORWARD_PASS (1 << 1)
382#define PAM_CLI_FLAGS_USE_AUTHTOK (1 << 2)
383#define PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
384#define PAM_CLI_FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4)
385#define PAM_CLI_FLAGS_USE_2FA (1 << 5)
386#define PAM_CLI_FLAGS_ALLOW_MISSING_NAME (1 << 6)
387#define PAM_CLI_FLAGS_PROMPT_ALWAYS (1 << 7)
388#define PAM_CLI_FLAGS_TRY_CERT_AUTH (1 << 8)
389#define PAM_CLI_FLAGS_REQUIRE_CERT_AUTH (1 << 9)
390
391#define SSS_NSS_MAX_ENTRIES 256
392#define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4)
393struct sss_cli_req_data {
394 size_t len;
395 const void *data;
396};
397
398/* this is in milliseconds, wait up to 300 seconds */
399#define SSS_CLI_SOCKET_TIMEOUT 300000
400
401enum sss_status {
402 SSS_STATUS_TRYAGAIN,
403 SSS_STATUS_UNAVAIL,
404 SSS_STATUS_SUCCESS
405};
406
438 SSS_PAM_SYSTEM_INFO = 0x01,
475 SSS_OTP,
495};
496
577}; /* end of group user_info_type */
581 /* end of group response_type */
585 /* end of group sss_pam_cli */
589
590
591enum prompt_config_type {
592 PC_TYPE_INVALID = 0,
593 PC_TYPE_PASSWORD,
594 PC_TYPE_2FA,
595 PC_TYPE_2FA_SINGLE,
596 PC_TYPE_SC_PIN,
597 PC_TYPE_LAST
598};
599
600struct prompt_config;
601
602enum prompt_config_type pc_get_type(struct prompt_config *pc);
603const char *pc_get_password_prompt(struct prompt_config *pc);
604const char *pc_get_2fa_1st_prompt(struct prompt_config *pc);
605const char *pc_get_2fa_2nd_prompt(struct prompt_config *pc);
606const char *pc_get_2fa_single_prompt(struct prompt_config *pc);
607void pc_list_free(struct prompt_config **pc_list);
608errno_t pc_list_add_password(struct prompt_config ***pc_list,
609 const char *prompt);
610errno_t pc_list_add_2fa(struct prompt_config ***pc_list,
611 const char *prompt_1st, const char *prompt_2nd);
612errno_t pc_list_add_2fa_single(struct prompt_config ***pc_list,
613 const char *prompt);
614errno_t pam_get_response_prompt_config(struct prompt_config **pc_list, int *len,
615 uint8_t **data);
616errno_t pc_list_from_response(int size, uint8_t *buf,
617 struct prompt_config ***pc_list);
618
619enum sss_netgr_rep_type {
620 SSS_NETGR_REP_TRIPLE = 1,
621 SSS_NETGR_REP_GROUP
622};
623
624enum sss_cli_error_codes {
625 ESSS_SSS_CLI_ERROR_START = 0x1000,
626 ESSS_BAD_PRIV_SOCKET,
627 ESSS_BAD_PUB_SOCKET,
628 ESSS_BAD_CRED_MSG,
629 ESSS_SERVER_NOT_TRUSTED,
630 ESSS_NO_SOCKET,
631 ESSS_SOCKET_STAT_ERROR,
632
633 ESS_SSS_CLI_ERROR_MAX
634};
635
636const char *ssscli_err2string(int err);
637
638enum sss_status sss_cli_make_request_with_checks(enum sss_cli_command cmd,
639 struct sss_cli_req_data *rd,
640 int timeout,
641 uint8_t **repbuf, size_t *replen,
642 int *errnop,
643 const char *socket_name);
644
645enum nss_status sss_nss_make_request(enum sss_cli_command cmd,
646 struct sss_cli_req_data *rd,
647 uint8_t **repbuf, size_t *replen,
648 int *errnop);
649
650enum nss_status sss_nss_make_request_timeout(enum sss_cli_command cmd,
651 struct sss_cli_req_data *rd,
652 int timeout,
653 uint8_t **repbuf, size_t *replen,
654 int *errnop);
655
656int sss_pam_make_request(enum sss_cli_command cmd,
657 struct sss_cli_req_data *rd,
658 uint8_t **repbuf, size_t *replen,
659 int *errnop);
660void sss_pam_close_fd(void);
661
662/* Checks access to the PAC responder and opens the socket, if available.
663 * Required for processes like krb5_child that need to open the socket
664 * before dropping privs.
665 */
666int sss_pac_check_and_open(void);
667
668int sss_pac_make_request(enum sss_cli_command cmd,
669 struct sss_cli_req_data *rd,
670 uint8_t **repbuf, size_t *replen,
671 int *errnop);
672
673int sss_pac_make_request_with_lock(enum sss_cli_command cmd,
674 struct sss_cli_req_data *rd,
675 uint8_t **repbuf, size_t *replen,
676 int *errnop);
677
678int sss_sudo_make_request(enum sss_cli_command cmd,
679 struct sss_cli_req_data *rd,
680 uint8_t **repbuf, size_t *replen,
681 int *errnop);
682
683int sss_autofs_make_request(enum sss_cli_command cmd,
684 struct sss_cli_req_data *rd,
685 uint8_t **repbuf, size_t *replen,
686 int *errnop);
687
688int sss_ssh_make_request(enum sss_cli_command cmd,
689 struct sss_cli_req_data *rd,
690 uint8_t **repbuf, size_t *replen,
691 int *errnop);
692
693#if 0
694
695/* GETSPNAM Request:
696 *
697 * 0-X: string with name
698 *
699 * Replies:
700 *
701 * 0-3: 32bit unsigned number of results
702 * 4-7: 32bit unsigned (reserved/padding)
703 * For each result:
704 * 0-7: 64bit unsigned with Date of last change
705 * 8-15: 64bit unsigned with Min #days between changes
706 * 16-23: 64bit unsigned with Max #days between changes
707 * 24-31: 64bit unsigned with #days before pwd expires
708 * 32-39: 64bit unsigned with #days after pwd expires until account is disabled
709 * 40-47: 64bit unsigned with expiration date in days since 1970-01-01
710 * 48-55: 64bit unsigned (flags/reserved)
711 * 56-X: sequence of 2, 0 terminated, strings (name, pwd) 64bit padded
712 */
713#endif
714
715/* Return strlen(str) or maxlen, whichever is shorter
716 * Returns EINVAL if str is NULL, EFBIG if str is longer than maxlen
717 * _len will return the result
718 */
719errno_t sss_strnlen(const char *str, size_t maxlen, size_t *len);
720
721void sss_nss_lock(void);
722void sss_nss_unlock(void);
723void sss_pam_lock(void);
724void sss_pam_unlock(void);
725void sss_nss_mc_lock(void);
726void sss_nss_mc_unlock(void);
727void sss_pac_lock(void);
728void sss_pac_unlock(void);
729
730errno_t sss_readrep_copy_string(const char *in,
731 size_t *offset,
732 size_t *slen,
733 size_t *dlen,
734 char **out,
735 size_t *size);
736
737enum pam_gssapi_cmd {
738 PAM_GSSAPI_GET_NAME,
739 PAM_GSSAPI_INIT,
740 PAM_GSSAPI_SENTINEL
741};
742
743#endif /* _SSSCLI_H */
response_type
Types of different messages.
Definition: sss_cli.h:437
@ SSS_PAM_TEXT_MSG
A plain text message which should be displayed to the user.
Definition: sss_cli.h:458
@ SSS_PASSWORD_PROMPTING
Indicates that password prompting is possible.
Definition: sss_cli.h:478
@ SSS_PAM_ENV_ITEM
Set and environment variable with pam_putenv(3).
Definition: sss_cli.h:444
@ SSS_PAM_CERT_INFO
A message indicating that Smartcard/certificate based authentication is available and contains detail...
Definition: sss_cli.h:468
@ SSS_PAM_CERT_INFO_WITH_HINT
Same as SSS_PAM_CERT_INFO but user name might be missing and should be prompted for.
Definition: sss_cli.h:489
@ SSS_ENV_ITEM
Set and environment variable with putenv(3).
Definition: sss_cli.h:447
@ SSS_PAM_SYSTEM_INFO
Message for the system log.
Definition: sss_cli.h:438
@ SSS_CERT_AUTH_PROMPTING
Indicates that on the server side Smartcard/certificate based authentication is available for the sel...
Definition: sss_cli.h:483
@ SSS_PAM_PROMPT_CONFIG
Contains data which controls which credentials are expected and how the user is prompted for them.
Definition: sss_cli.h:492
@ SSS_PAM_OTP_INFO
A message which optionally may contain the name of the vendor, the ID of an OTP token and a challenge...
Definition: sss_cli.h:462
@ SSS_PAM_USER_INFO
A message which should be displayed to the user.
Definition: sss_cli.h:455
@ SSS_OTP
Indicates that the authtok was a OTP, so don't cache it.
Definition: sss_cli.h:475
@ SSS_ALL_ENV_ITEM
Set and environment variable with putenv(3) and pam_putenv(3).
Definition: sss_cli.h:450
@ SSS_PAM_DOMAIN_NAME
Name of the domain the user belongs too.
Definition: sss_cli.h:440
sss_authtok_type
The different types of authentication tokens.
Definition: sss_cli.h:331
@ SSS_AUTHTOK_TYPE_2FA
Authentication token has two factors, they may or may no contain a trailing \0.
Definition: sss_cli.h:341
@ SSS_AUTHTOK_TYPE_SC_PIN
Authentication token is a Smart Card PIN, it may or may no contain a trailing \0.
Definition: sss_cli.h:344
@ SSS_AUTHTOK_TYPE_PASSWORD
Authentication token is a password, it may or may no contain a trailing \0.
Definition: sss_cli.h:334
@ SSS_AUTHTOK_TYPE_SC_KEYPAD
Authentication token indicates Smart Card authentication is used and that the PIN will be entered at ...
Definition: sss_cli.h:347
@ SSS_AUTHTOK_TYPE_2FA_SINGLE
Authentication token has two factors in a single string, it may or may no contain a trailing \0.
Definition: sss_cli.h:351
@ SSS_AUTHTOK_TYPE_CCFILE
Authentication token is a path to a Kerberos credential cache file, it may or may no contain a traili...
Definition: sss_cli.h:337
@ SSS_AUTHTOK_TYPE_EMPTY
No authentication token available.
Definition: sss_cli.h:332
sss_cli_command
The allowed commands an SSS client can send to the SSSD.
Definition: sss_cli.h:67
@ SSS_GSSAPI_SEC_CTX
Establish GSSAPI security ctx.
Definition: sss_cli.h:237
@ SSS_NSS_GETLISTBYCERT
Takes the zero terminated string of the base64 encoded DER representation of a X509 certificate and r...
Definition: sss_cli.h:274
@ SSS_PAM_OPEN_SESSION
see pam_sm_open_session(3) for details
Definition: sss_cli.h:216
@ SSS_PAM_SETCRED
see pam_sm_setcred(3) for details
Definition: sss_cli.h:212
@ SSS_NSS_GETIDBYSID
Takes the zero terminated string representation of a SID and returns and returns the POSIX ID of the ...
Definition: sss_cli.h:255
@ SSS_PAM_CLOSE_SESSION
see pam_sm_close_session(3) for details
Definition: sss_cli.h:218
@ SSS_NSS_GET_SUBID_RANGES
Requests both subuid and subgid ranges defined for a user.
Definition: sss_cli.h:289
@ SSS_NSS_GETORIGBYNAME
Takes a zero terminated fully qualified name and returns a list of zero terminated strings with key-v...
Definition: sss_cli.h:262
@ SSS_GSSAPI_INIT
Initialize GSSAPI authentication.
Definition: sss_cli.h:236
@ SSS_PAM_ACCT_MGMT
see pam_sm_acct_mgmt(3) for details
Definition: sss_cli.h:214
@ SSS_CMD_RENEW
Renew a credential with a limited lifetime, e.g.
Definition: sss_cli.h:229
@ SSS_PAM_AUTHENTICATE
see pam_sm_authenticate(3) for details.
Definition: sss_cli.h:191
@ SSS_PAM_CHAUTHTOK
second run of the password change operation where the PAM_UPDATE_AUTHTOK flag is set and the real cha...
Definition: sss_cli.h:220
@ SSS_NSS_GETSIDBYNAME
Takes a zero terminated fully qualified name and returns the zero terminated string representation of...
Definition: sss_cli.h:243
@ SSS_NSS_GETSIDBYUID
Takes an unsigned 32bit integer (POSIX UID) and return the zero terminated string representation of t...
Definition: sss_cli.h:279
@ SSS_NSS_GETNAMEBYCERT
Takes the zero terminated string of the base64 encoded DER representation of a X509 certificate and r...
Definition: sss_cli.h:269
@ SSS_PAM_PREAUTH
Request which can be run before an authentication request to find out which authentication methods ar...
Definition: sss_cli.h:232
@ SSS_NSS_GETSIDBYID
Takes an unsigned 32bit integer (POSIX ID) and returns the zero terminated string representation of t...
Definition: sss_cli.h:247
@ SSS_NSS_GETSIDBYGID
Takes an unsigned 32bit integer (POSIX GID) and return the zero terminated string representation of t...
Definition: sss_cli.h:283
@ SSS_PAM_CHAUTHTOK_PRELIM
first run of the password change operation where the PAM_PRELIM_CHECK flag is set,...
Definition: sss_cli.h:225
@ SSS_NSS_GETNAMEBYSID
Takes the zero terminated string representation of a SID and returns the zero terminated fully qualif...
Definition: sss_cli.h:251
user_info_type
Different types of user messages.
Definition: sss_cli.h:523
@ SSS_PAM_USER_INFO_CHPASS_ERROR
Tell the user that a password change failed and optionally give a reason.
Definition: sss_cli.h:551
@ SSS_PAM_USER_INFO_OFFLINE_AUTH_DELAYED
Tell the user how low a new authentication is delayed.
Definition: sss_cli.h:535
@ SSS_PAM_USER_INFO_OTP_CHPASS
Tell the user that he needs to kinit or login and logout to get a TGT after an OTP password change.
Definition: sss_cli.h:548
@ SSS_PAM_USER_INFO_OFFLINE_CHPASS
Definition: sss_cli.h:544
@ SSS_PAM_USER_INFO_EXPIRE_WARN
Warn the user that the password will expire soon.
Definition: sss_cli.h:564
@ SSS_PAM_USER_INFO_ACCOUNT_EXPIRED
Tell the user that the account has expired and optionally give a reason.
Definition: sss_cli.h:569
@ SSS_PAM_USER_INFO_GRACE_LOGIN
Warn the user that the password is expired and inform about the remaining number of grace logins.
Definition: sss_cli.h:559
@ SSS_PAM_USER_INFO_OFFLINE_AUTH
Inform the user that the authentication happened offline.
Definition: sss_cli.h:524