authorPavel Reichl <preichl@redhat.com>2015-02-19 11:50:54 -0500
committerJakub Hrozek <jhrozek@redhat.com>2015-02-23 13:47:55 +0100
commitf3c2dc1f9ccdf456fd78ed96197b9bf404cc29fc (patch)
tree8f5227b75a672a3d459f961fd696b90f13f6a45e /src/responder
parente039f1aefecc65a7b3c2d4a13a612bff1dd367c8 (diff)
PAM: warn all services about account expiration
if pam_verbose is above one then output warning about account expiration for all services. Resolves: https://fedorahosted.org/sssd/ticket/2050 Reviewed-by: Sumit Bose <sbose@redhat.com>
Diffstat (limited to 'src/responder')
-rw-r--r--src/responder/pam/pamsrv_cmd.c19
1 files changed, 17 insertions, 2 deletions
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index a9c1b49d7..ab8369b0f 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -546,11 +546,20 @@ static void pam_reply(struct pam_auth_req *preq)
time_t exp_date = -1;
time_t delay_until = -1;
char* pam_account_expired_message;
+ int pam_verbosity;
pd = preq->pd;
cctx = preq->cctx;
pctx = talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
+ ret = confdb_get_int(pctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_VERBOSITY, DEFAULT_PAM_VERBOSITY,
+ &pam_verbosity);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to read PAM verbosity, not fatal.\n");
+ pam_verbosity = DEFAULT_PAM_VERBOSITY;
+ }
DEBUG(SSSDBG_FUNC_DATA,
"pam_reply called with result [%d].\n", pd->pam_status);
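Review bot: The failure branch of the new `confdb_get_int()` call logs at `SSSDBG_CRIT_FAILURE` while the message itself says the condition is not fatal, and it drops the error code, so an operator triaging logs sees a critical entry with no cause attached. A level that matches the fallback behaviour, with `ret` included, would read `DEBUG(SSSDBG_MINOR_FAILURE, "Failed to read PAM verbosity [%d], using default.\n", ret);`. The lookup also runs on every reply, although in this diff the value is only used in the `PAM_ACCT_EXPIRED` branch of the second hunk. If nothing else in `pam_reply` needs it (the body continues outside the hunk), the read could move into that branch.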
@@ -659,8 +668,14 @@ static void pam_reply(struct pam_auth_req *preq)
goto done;
}
- if (pd->pam_status == PAM_ACCT_EXPIRED && pd->service != NULL &&
- strcasecmp(pd->service, "sshd") == 0) {
+ /* Account expiration warning is printed for sshd. If pam_verbosity
+ * is equal or above PAM_VERBOSITY_INFO then all services are informed
+ * about account expiration.
+ */
+ if (pd->pam_status == PAM_ACCT_EXPIRED &&
+ ((pd->service != NULL && strcasecmp(pd->service, "sshd") == 0) ||
+ pam_verbosity >= PAM_VERBOSITY_INFO)) {
+
ret = confdb_get_string(pctx->rctx->cdb, pd, CONFDB_PAM_CONF_ENTRY,
CONFDB_PAM_ACCOUNT_EXPIRED_MESSAGE, "",
&pam_account_expired_message);
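Review bot: The widened condition sends the configured expiration message to any service once `pam_verbosity >= PAM_VERBOSITY_INFO`, and nothing visible in this hunk ties that to the caller having proved a credential. For a service that can reach the account phase without one (key-based logins are presumably why sshd was the original special case), the reply confirms that the account exists and is expired. The block comment above the `if` should state that trade-off, so an administrator raising verbosity knows account state becomes visible to every PAM service, and the `pam_verbosity` documentation should carry the same caveat. Separately, the empty added line directly after the opening brace of the `if` is a stray blank and can be dropped. `pam_reply` continues outside the hunk, so whether an earlier check already restricts this path cannot be confirmed from here.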