authorJan Pazdziora <jpazdziora@redhat.com>2013-11-14 16:31:42 +0800
committerJan Pazdziora <jpazdziora@redhat.com>2013-11-19 13:04:42 +0800
commita8482a3c5a4d4b1cd318deb4630e2094341fd8ad (patch)
tree43883ffadeac62f08a402e432c270d14dd207ee1
parent76f48ce8f7f4a90a930d57e40816251879faf997 (diff)
Set EXTERNAL_AUTH_ERROR variable upon PAM error.
-rw-r--r--README3
-rw-r--r--mod_intercept_form_submit.c9
2 files changed, 9 insertions, 3 deletions
diff --git a/README b/README
index effcdf2..ffec64b 100644
--- a/README
+++ b/README
@@ -9,7 +9,8 @@ REMOTE_USER environment variable if the authentication passes. The
internal r->user field is also set so other modules can use it (even
if the module is invoked very late in the request processing). If the
REMOTE_USER is already set (presumably by some previous module), no
-authentication takes place.
+authentication takes place. If the PAM authentication fails, environment
+variable EXTERNAL_AUTH_ERROR is set to the string describing the error.
The assumption is that the application will be amended to trust the
REMOTE_USER value if it is set and skip its own login/password
diff --git a/mod_intercept_form_submit.c b/mod_intercept_form_submit.c
index a0a6b00..833b29a 100644
--- a/mod_intercept_form_submit.c
+++ b/mod_intercept_form_submit.c
@@ -78,19 +78,24 @@ int pam_authenticate_conv(int num_msg, const struct pam_message ** msg, struct p
}
#define _REMOTE_USER_ENV_NAME "REMOTE_USER"
+#define _EXTERNAL_AUTH_ERROR_ENV_NAME "EXTERNAL_AUTH_ERROR"
int pam_authenticate_with_login_password(request_rec * r, const char * pam_service, char * login, const char * password) {
pam_handle_t * pamh = NULL;
struct pam_conv pam_conversation = { &pam_authenticate_conv, (void *) password };
int ret;
if ((ret = pam_start(pam_service, login, &pam_conversation, &pamh)) != PAM_SUCCESS) {
+ const char * strerr = pam_strerror(pamh, ret);
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, r->server,
- "mod_intercept_form_submit: PAM transaction failed for service %s: %s", pam_service, pam_strerror(pamh, ret));
+ "mod_intercept_form_submit: PAM transaction failed for service %s: %s", pam_service, strerr);
+ apr_table_setn(r->subprocess_env, _EXTERNAL_AUTH_ERROR_ENV_NAME, apr_pstrdup(r->pool, strerr));
pam_end(pamh, ret);
return 0;
}
if ((ret = pam_authenticate(pamh, PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK)) != PAM_SUCCESS) {
+ const char * strerr = pam_strerror(pamh, ret);
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, r->server,
- "mod_intercept_form_submit: PAM authentication failed for user %s: %s", login, pam_strerror(pamh, ret));
+ "mod_intercept_form_submit: PAM authentication failed for user %s: %s", login, strerr);
+ apr_table_setn(r->subprocess_env, _EXTERNAL_AUTH_ERROR_ENV_NAME, apr_pstrdup(r->pool, strerr));
pam_end(pamh, ret);
return 0;
}
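Review bot: Both failure branches copy the raw `pam_strerror()` text into `EXTERNAL_AUTH_ERROR`, and depending on the PAM stack that text may differ between an unknown account and a wrong password, so an application that echoes the variable back to the client would reveal which logins exist. The `pam_start` branch also surfaces service setup failures through the same variable, which is useful for operators but not for end users. I would state the contract at the define, e.g. `/* PAM error text for the application to log or map to a generic message; do not show it to the client verbatim */`, and add the same caveat to the README sentence introduced in this commit. The body of `pam_authenticate_with_login_password` continues past the end of this hunk, so whether any later failure path sets the variable in the same way cannot be checked from here.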