From d46fc2f723d2bfe497b71db7c2b7991335c97f3d Mon Sep 17 00:00:00 2001 From: Pavel Březina Date: Mon, 19 Sep 2011 15:25:46 +0200 Subject: Added quiet option to pam_sss https://fedorahosted.org/sssd/ticket/894 --- src/man/pam_sss.8.xml | 11 +++++++++++ src/sss_client/pam_sss.c | 30 +++++++++++++++++++++++++----- 2 files changed, 36 insertions(+), 5 deletions(-) diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml index aed76e2f..40e70936 100644 --- a/src/man/pam_sss.8.xml +++ b/src/man/pam_sss.8.xml @@ -22,6 +22,9 @@ pam_sss.so + + quiet + forward_pass @@ -47,6 +50,14 @@ OPTIONS + + + + + + Suppress log messages for unknown users. + + diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index 6155e49d..294797e4 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -1069,7 +1069,7 @@ static void print_pam_items(struct pam_items *pi) } static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi, - enum sss_cli_command task) + enum sss_cli_command task, bool quiet_mode) { int ret; int errnop; @@ -1124,17 +1124,27 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi, pi->login_name, getuid(), (unsigned long) geteuid(), pi->pam_tty, pi->pam_ruser, pi->pam_rhost, pi->pam_user); if (pam_status != PAM_SUCCESS) { + /* don't log if quiet_mode is on and pam_status is + * User not known to the underlying authentication module + */ + if (!quiet_mode || pam_status != 10) { logger(pamh, LOG_NOTICE, "received for user %s: %d (%s)", pi->pam_user, pam_status, pam_strerror(pamh,pam_status)); + } } break; case SSS_PAM_CHAUTHTOK_PRELIM: if (pam_status != PAM_SUCCESS) { + /* don't log if quiet_mode is on and pam_status is + * User not known to the underlying authentication module + */ + if (!quiet_mode || pam_status != 10) { logger(pamh, LOG_NOTICE, "Authentication failed for user %s: %d (%s)", pi->pam_user, pam_status, pam_strerror(pamh,pam_status)); + } } break; case SSS_PAM_CHAUTHTOK: @@ -1147,10 +1157,15 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi, break; case SSS_PAM_ACCT_MGMT: if (pam_status != PAM_SUCCESS) { + /* don't log if quiet_mode is on and pam_status is + * User not known to the underlying authentication module + */ + if (!quiet_mode || pam_status != 10) { logger(pamh, LOG_NOTICE, "Access denied for user %s: %d (%s)", pi->pam_user, pam_status, pam_strerror(pamh,pam_status)); + } } break; case SSS_PAM_SETCRED: @@ -1236,10 +1251,12 @@ static int prompt_new_password(pam_handle_t *pamh, struct pam_items *pi) } static void eval_argv(pam_handle_t *pamh, int argc, const char **argv, - uint32_t *flags, int *retries) + uint32_t *flags, int *retries, bool *quiet_mode) { char *ep; + *quiet_mode = false; + for (; argc-- > 0; ++argv) { if (strcmp(*argv, "forward_pass") == 0) { *flags |= FLAGS_FORWARD_PASS; @@ -1269,6 +1286,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv, *retries = 0; } } + } else if (strcmp(*argv, "quiet") == 0) { + *quiet_mode = true; } else { logger(pamh, LOG_WARNING, "unknown option: %s", *argv); } @@ -1319,7 +1338,7 @@ static int get_authtok_for_password_change(pam_handle_t *pamh, int ret; int *exp_data = NULL; pam_get_data(pamh, PWEXP_FLAG, (const void **) &exp_data); - + /* we query for the old password during PAM_PRELIM_CHECK to make * pam_sss work e.g. with pam_cracklib */ if (pam_flags & PAM_PRELIM_CHECK) { @@ -1394,13 +1413,14 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, uint32_t flags = 0; int *exp_data; bool retry = false; + bool quiet_mode = false; int retries = 0; bindtextdomain(PACKAGE, LOCALEDIR); D(("Hello pam_sssd: %d", task)); - eval_argv(pamh, argc, argv, &flags, &retries); + eval_argv(pamh, argc, argv, &flags, &retries, &quiet_mode); ret = get_pam_items(pamh, &pi); if (ret != PAM_SUCCESS) { @@ -1441,7 +1461,7 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, return PAM_SYSTEM_ERR; } - pam_status = send_and_receive(pamh, &pi, task); + pam_status = send_and_receive(pamh, &pi, task, quiet_mode); switch (task) { case SSS_PAM_AUTHENTICATE: -- cgit