-rw-r--r-- | src/confdb/confdb.h | 1 | ||||
-rw-r--r-- | src/config/SSSDConfig.py | 1 | ||||
-rw-r--r-- | src/config/etc/sssd.api.conf | 1 | ||||
-rw-r--r-- | src/man/sssd.conf.5.xml | 31 | ||||
-rw-r--r-- | src/providers/data_provider.h | 1 | ||||
-rw-r--r-- | src/providers/dp_pam_data_util.c | 1 | ||||
-rw-r--r-- | src/responder/pam/pamsrv_cmd.c | 101 |
7 files changed, 126 insertions, 11 deletions
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 5726ad5dc..eccb98d36 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -80,6 +80,7 @@
 #define CONFDB_DEFAULT_PAM_FAILED_LOGIN_ATTEMPTS 0
 #define CONFDB_PAM_FAILED_LOGIN_DELAY "offline_failed_login_delay"
 #define CONFDB_DEFAULT_PAM_FAILED_LOGIN_DELAY 5
+#define CONFDB_PAM_VERBOSITY "pam_verbosity"
 /* Data Provider */
 #define CONFDB_DP_CONF_ENTRY "config/dp"
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index d27d2f8a6..1f54b4757 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -63,6 +63,7 @@ option_strings = {
 'offline_credentials_expiration' : _('How long to allow cached logins between online logins (days)'),
 'offline_failed_login_attempts' : _('How many failed logins attempts are allowed when offline'),
 'offline_failed_login_delay' : _('How long (minutes) to deny login after offline_failed_login_attempts has been reached'),
+ 'pam_verbosity' : _('What kind of messages are displayed to the user during authentication'),
 # [provider]
 'id_provider' : _('Identity provider'),
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index ca85ed709..3bd0cc490 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -33,6 +33,7 @@ pwfield = str, None, false
 offline_credentials_expiration = int, None, false
 offline_failed_login_attempts = int, None, false
 offline_failed_login_delay = int, None, false
+pam_verbosity = int, None, false
 [provider]
 #Available provider types
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 60ba169bd..2bba38050 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -409,6 +409,37 @@
 </para>
 </listitem>
 </varlistentry>
+
+ <varlistentry>
+ <term>pam_verbosity (integer)</term>
+ <listitem>
+ <para>
+ Controls what kind of messages are shown to the user
+ during authentication. The higher the number to more
+ messages are displayed.
+ </para>
+ <para>
+ Currently sssd supports the following values:
+ </para>
+ <para>
+ <emphasis>0</emphasis>: do not show any message
+ </para>
+ <para>
+ <emphasis>1</emphasis>: show only important
+ messages
+ </para>
+ <para>
+ <emphasis>2</emphasis>: show informational messages
+ </para>
+ <para>
+ <emphasis>3</emphasis>: show all messages and debug
+ information
+ </para>
+ <para>
+ Default: 1
+ </para>
+ </listitem>
+ </varlistentry>
 </variablelist>
 </refsect2>
 </refsect1>
diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h
index 062c36e34..819a2d770 100644
--- a/src/providers/data_provider.h
+++ b/src/providers/data_provider.h
@@ -159,6 +159,7 @@ struct response_data {
 int32_t type;
 int32_t len;
 uint8_t *data;
+ bool do_not_send_to_client;
 struct response_data *next;
 };
diff --git a/src/providers/dp_pam_data_util.c b/src/providers/dp_pam_data_util.c
index d709447d1..5c06a81ba 100644
--- a/src/providers/dp_pam_data_util.c
+++ b/src/providers/dp_pam_data_util.c
@@ -163,6 +163,7 @@ int pam_add_response(struct pam_data *pd, enum response_type type,
 new->len = len;
 new->data = talloc_memdup(pd, data, len);
 if (new->data == NULL) return ENOMEM;
+ new->do_not_send_to_client = false;
 new->next = pd->resp_list;
 pd->resp_list = new;
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 1ba6f17f7..25031e198 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
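Review bot: The new `do_not_send_to_client` member of `struct response_data` in data_provider.h carries no comment, and its contract (the entry stays in `resp_list` but is skipped when the reply is packed) is only discoverable by reading pamsrv_cmd.c; suggest `bool do_not_send_to_client; /* set by the responder's response filter; entries flagged true stay in the list but are omitted from the reply sent to the client */`. `pam_add_response` in dp_pam_data_util.c initialises the flag to false, so any other code path that builds a `response_data` without `talloc_zero` would need the same initialisation — none is visible in this commit. The header's includes are outside the hunk, so it is worth confirming `<stdbool.h>` (or an equivalent) is in scope there for `bool`.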
@@ -31,6 +31,15 @@
 #include "responder/pam/pamsrv.h"
 #include "db/sysdb.h"
+enum pam_verbosity {
+ PAM_VERBOSITY_NO_MESSAGES = 0,
+ PAM_VERBOSITY_IMPORTANT,
+ PAM_VERBOSITY_INFO,
+ PAM_VERBOSITY_DEBUG
+};
+
+#define DEFAULT_PAM_VERBOSITY PAM_VERBOSITY_IMPORTANT
+
 static void pam_reply(struct pam_auth_req *preq);
 static int extract_authtok(uint32_t *type, uint32_t *size, uint8_t **tok,
 uint8_t *body, size_t blen, size_t *c) {
@@ -319,6 +328,59 @@ fail:
 return ret;
 }
+static errno_t filter_responses(struct response_data *resp_list,
+ int pam_verbosity)
+{
+ struct response_data *resp;
+ uint32_t user_info_type;
+ int64_t expire_date;
+
+ resp = resp_list;
+
+ while(resp != NULL) {
+ if (resp->type == SSS_PAM_USER_INFO) {
+ if (resp->len < sizeof(uint32_t)) {
+ DEBUG(1, ("User info entry is too short.\n"));
+ return EINVAL;
+ }
+
+ if (pam_verbosity == PAM_VERBOSITY_NO_MESSAGES) {
+ resp->do_not_send_to_client = true;
+ resp = resp->next;
+ continue;
+ }
+
+ memcpy(&user_info_type, resp->data, sizeof(uint32_t));
+
+ resp->do_not_send_to_client = false;
+ switch (user_info_type) {
+ case SSS_PAM_USER_INFO_OFFLINE_AUTH:
+ if (resp->len != sizeof(uint32_t) + sizeof(int64_t)) {
+ DEBUG(1, ("User info offline auth entry is "
+ "too short.\n"));
+ return EINVAL;
+ }
+ memcpy(&expire_date, resp->data + sizeof(uint32_t),
+ sizeof(int64_t));
+ if ((expire_date == 0 &&
+ pam_verbosity < PAM_VERBOSITY_INFO) ||
+ (expire_date > 0 &&
+ pam_verbosity < PAM_VERBOSITY_IMPORTANT)) {
+ resp->do_not_send_to_client = true;
+ }
+
+ break;
+ default:
+ DEBUG(7, ("User info type [%d] not filtered.\n"));
+ }
+ }
+
+ resp = resp->next;
+ }
+
+ return EOK;
+}
+
 static void pam_reply_delay(struct tevent_context *ev, struct tevent_timer *te,
 struct timeval tv, void *pvt)
 {
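Review bot: `DEBUG(7, ("User info type [%d] not filtered.\n"));` in the `default:` branch of filter_responses has a `%d` conversion with no matching argument, which is undefined behaviour in the variadic call; pass the value, `DEBUG(7, ("User info type [%u] not filtered.\n", user_info_type));`. Separately, both `return EINVAL;` paths abandon the walk part-way through the list while pam_reply logs the failure as "not fatal" and packs the reply anyway, so the too-short SSS_PAM_USER_INFO entry (whose flag pam_add_response initialised to false) is still sent to the client and every later user-info entry bypasses the verbosity setting; marking the malformed entry as not-to-send and continuing keeps the filter running over the rest, as rewritten below. Note also that `resp->len` is declared `int32_t` in data_provider.h, so `resp->len < sizeof(uint32_t)` promotes it to unsigned and a negative length would pass the check — likely unreachable via pam_add_response, but an explicit `resp->len < 0 ||` guard makes that intent visible.
```c
static errno_t filter_responses(struct response_data *resp_list,
                                int pam_verbosity)
{
    /* … unchanged: declarations, resp = resp_list … */
    while (resp != NULL) {
        if (resp->type == SSS_PAM_USER_INFO) {
            /* len is int32_t: reject negatives before the unsigned compare */
            if (resp->len < 0 || (size_t) resp->len < sizeof(uint32_t)) {
                DEBUG(1, ("User info entry is too short.\n"));
                /* drop the malformed entry but keep filtering the rest */
                resp->do_not_send_to_client = true;
                resp = resp->next;
                continue;
            }
            /* … unchanged: NO_MESSAGES short-cut, user_info_type copy … */
            switch (user_info_type) {
            case SSS_PAM_USER_INFO_OFFLINE_AUTH:
                if (resp->len != sizeof(uint32_t) + sizeof(int64_t)) {
                    DEBUG(1, ("User info offline auth entry is "
                              "too short.\n"));
                    resp->do_not_send_to_client = true;
                    break;
                }
                /* … unchanged: expire_date copy and verbosity check … */
                break;
            default:
                DEBUG(7, ("User info type [%u] not filtered.\n",
                          user_info_type));
            }
        }
        /* … unchanged: resp = resp->next, return EOK … */
```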
@@ -352,9 +414,12 @@ static void pam_reply(struct pam_auth_req *preq)
 uint32_t user_info_type;
 time_t exp_date = -1;
 time_t delay_until = -1;
+ int pam_verbosity = 0;
 pd = preq->pd;
 cctx = preq->cctx;
+ pctx = talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
+
 DEBUG(4, ("pam_reply get called.\n"));
@@ -376,9 +441,6 @@ static void pam_reply(struct pam_auth_req *preq)
 goto done;
 }
- pctx = talloc_get_type(preq->cctx->rctx->pvt_ctx,
- struct pam_ctx);
-
 ret = sysdb_cache_auth(preq, sysdb, preq->domain,
 pd->user, pd->authtok,
 pd->authtok_size,
@@ -453,6 +515,19 @@ static void pam_reply(struct pam_auth_req *preq)
 goto done;
 }
+ ret = confdb_get_int(pctx->rctx->cdb, pd, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_VERBOSITY, DEFAULT_PAM_VERBOSITY,
+ &pam_verbosity);
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to read PAM verbosity, not fatal.\n"));
+ pam_verbosity = 0;
+ }
+
+ ret = filter_responses(pd->resp_list, pam_verbosity);
+ if (ret != EOK) {
+ DEBUG(1, ("filter_responses failed, not fatal.\n"));
+ }
+
 if (pd->domain != NULL) {
 pam_add_response(pd, SSS_PAM_DOMAIN_NAME, strlen(pd->domain)+1,
 (uint8_t *) pd->domain);
@@ -462,8 +537,10 @@ static void pam_reply(struct pam_auth_req *preq)
 resp_size = 0;
 resp = pd->resp_list;
 while(resp != NULL) {
- resp_c++;
- resp_size += resp->len;
+ if (!resp->do_not_send_to_client) {
+ resp_c++;
+ resp_size += resp->len;
+ }
 resp = resp->next;
 }
@@ -487,12 +564,14 @@ static void pam_reply(struct pam_auth_req *preq)
 resp = pd->resp_list;
 while(resp != NULL) {
- memcpy(&body[p], &resp->type, sizeof(int32_t));
- p += sizeof(int32_t);
- memcpy(&body[p], &resp->len, sizeof(int32_t));
- p += sizeof(int32_t);
- memcpy(&body[p], resp->data, resp->len);
- p += resp->len;
+ if (!resp->do_not_send_to_client) {
+ memcpy(&body[p], &resp->type, sizeof(int32_t));
+ p += sizeof(int32_t);
+ memcpy(&body[p], &resp->len, sizeof(int32_t));
+ p += sizeof(int32_t);
+ memcpy(&body[p], resp->data, resp->len);
+ p += resp->len;
+ }
 resp = resp->next;
 }
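Review bot: In the confdb_get_int error branch, `pam_verbosity = 0;` falls back to PAM_VERBOSITY_NO_MESSAGES, so a config read failure that the log calls "not fatal" silently suppresses every user-info message, including the ones this commit's man page classes as important, and diverges from the documented default of 1. Use `pam_verbosity = DEFAULT_PAM_VERBOSITY;` there and `int pam_verbosity = DEFAULT_PAM_VERBOSITY;` at the declaration in the first hunk, so the fallback agrees with the default already passed to confdb_get_int. The DEBUG message could also state the value being used so the fallback is visible in logs. pam_reply's body starts and ends outside these hunks.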