authorPavel Reichl <preichl@redhat.com>2015-02-19 11:17:36 -0500
committerJakub Hrozek <jhrozek@redhat.com>2015-02-23 13:47:53 +0100
commite039f1aefecc65a7b3c2d4a13a612bff1dd367c8 (patch)
treed86b9878bbb80a2718ea30f1ab3afde95f81fd70 /src
parenta61d6d01a4e89ec14175af135e84f1cac55af748 (diff)
PAM: new option pam_account_expired_message
This option sets the string to be printed when a user authenticates with SSH keys and the account is expired. Resolves: https://fedorahosted.org/sssd/ticket/2050 Reviewed-by: Sumit Bose <sbose@redhat.com>
Diffstat (limited to 'src')
-rw-r--r--src/confdb/confdb.h1
-rw-r--r--src/config/SSSDConfig/__init__.py.in1
-rw-r--r--src/config/etc/sssd.api.conf1
-rw-r--r--src/man/sssd.conf.5.xml21
-rw-r--r--src/responder/pam/pamsrv_cmd.c14
-rw-r--r--src/sss_client/pam_sss.c2
6 files changed, 35 insertions, 5 deletions
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index b5c4999a3..19c564020 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -114,6 +114,7 @@
#define CONFDB_PAM_PWD_EXPIRATION_WARNING "pam_pwd_expiration_warning"
#define CONFDB_PAM_TRUSTED_USERS "pam_trusted_users"
#define CONFDB_PAM_PUBLIC_DOMAINS "pam_public_domains"
+#define CONFDB_PAM_ACCOUNT_EXPIRED_MESSAGE "pam_account_expired_message"
/* SUDO */
#define CONFDB_SUDO_CONF_ENTRY "config/sudo"
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index aad0b2ce4..dbbffebf3 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -88,6 +88,7 @@ option_strings = {
'pam_pwd_expiration_warning' : _('How many days before password expiration a warning should be displayed'),
'pam_trusted_users' : _('List of trusted uids or user\'s name'),
'pam_public_domains' : _('List of domains accessible even for untrusted users.'),
+ 'pam_account_expired_message' : _('Message printed when user account is expired.'),
# [sudo]
'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 3503635e0..4fa542704 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -58,6 +58,7 @@ pam_pwd_expiration_warning = int, None, false
get_domains_timeout = int, None, false
pam_trusted_users = str, None, false
pam_public_domains = str, None, false
+pam_account_expired_message = str, None, false
[sudo]
# sudo service
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index cf0821dfa..ca4e602d3 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -933,6 +933,27 @@ fallback_homedir = /home/%u
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>pam_account_expired_message (string)</term>
+ <listitem>
+ <para>
+ If user is authenticating using SSH keys and
+ account is expired then by default
+ 'Permission denied' is output. This output will
+ be changed to content of this variable if it is
+ set.
+ </para>
+ <para>
+ example:
+ <programlisting>
+pam_account_expired_message = Account expired, please call help desk.
+ </programlisting>
+ </para>
+ <para>
+ Default: none
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect2>
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index c874cae61..a9c1b49d7 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -74,13 +74,14 @@ static errno_t pack_user_info_account_expired(TALLOC_CTX *mem_ctx,
return EOK;
}
-static void inform_account_expired(struct pam_data* pd)
+static void inform_account_expired(struct pam_data* pd,
+ const char *pam_message)
{
size_t msg_len;
uint8_t *msg;
errno_t ret;
- ret = pack_user_info_account_expired(pd, "", &msg_len, &msg);
+ ret = pack_user_info_account_expired(pd, pam_message, &msg_len, &msg);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"pack_user_info_account_expired failed.\n");
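Review bot: The new `pam_message` parameter is forwarded unchecked into `pack_user_info_account_expired` with no comment on its contract, so a caller cannot tell whether NULL is allowed or what an empty string means. A one-line comment on the parameter would settle this: `/* pam_message: text sent to the client with the account-expired info; "" keeps the previous behaviour (client default). Presumably must not be NULL — confirm against pack_user_info_account_expired. */`. The body of inform_account_expired continues outside the hunk, so whether a NULL guard already exists further down cannot be seen here.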
@@ -544,6 +545,7 @@ static void pam_reply(struct pam_auth_req *preq)
uint32_t user_info_type;
time_t exp_date = -1;
time_t delay_until = -1;
+ char* pam_account_expired_message;
pd = preq->pd;
cctx = preq->cctx;
@@ -620,7 +622,7 @@ static void pam_reply(struct pam_auth_req *preq)
ret = gettimeofday(&tv, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "gettimeofday failed [%d][%s].\n",
- errno, strerror(errno));
+ errno, strerror(errno));
goto done;
}
tv.tv_sec += pd->response_delay;
@@ -659,7 +661,11 @@ static void pam_reply(struct pam_auth_req *preq)
if (pd->pam_status == PAM_ACCT_EXPIRED && pd->service != NULL &&
strcasecmp(pd->service, "sshd") == 0) {
- inform_account_expired(pd);
+ ret = confdb_get_string(pctx->rctx->cdb, pd, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_ACCOUNT_EXPIRED_MESSAGE, "",
+ &pam_account_expired_message);
+
+ inform_account_expired(pd, pam_account_expired_message);
}
ret = filter_responses(pctx->rctx->cdb, pd->resp_list);
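Review bot: The return value of `confdb_get_string` is never checked before `pam_account_expired_message` is handed to `inform_account_expired`, and the variable added in the earlier hunk (`char* pam_account_expired_message;`) has no initializer, so a confdb failure passes an indeterminate pointer into the reply packing. The failure is then silently overwritten, since `ret` is reassigned by `filter_responses` on the next line. Initialising the declaration to NULL and handling the error explicitly keeps the reply well-formed; falling back to `""` preserves the behaviour the code had before this change, whereas `goto done` would change what the client receives on a config error, so the fallback seems the safer choice here.
```c
        ret = confdb_get_string(pctx->rctx->cdb, pd, CONFDB_PAM_CONF_ENTRY,
                                CONFDB_PAM_ACCOUNT_EXPIRED_MESSAGE, "",
                                &pam_account_expired_message);
        if (ret != EOK) {
            DEBUG(SSSDBG_CRIT_FAILURE,
                  "confdb_get_string failed [%d][%s].\n", ret, strerror(ret));
            /* Keep the pre-existing behaviour rather than drop the reply. */
            pam_account_expired_message = "";
        }

        inform_account_expired(pd, pam_account_expired_message);
```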
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 59529796c..28a36d5af 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -60,7 +60,7 @@
#define OPT_RETRY_KEY "retry="
#define OPT_DOMAINS_KEY "domains="
-#define EXP_ACC_MSG _("Your account has expired. ")
+#define EXP_ACC_MSG _("Permission denied. ")
#define SRV_MSG _("Server message: ")
struct pam_items {