The plugin carries out separate checks on authorisation and account
validity, but prints the same single "user X failed to authenticate"
message for both, even when the PAM authenticate step passes and only
the PAM account check fails.

Also log common name as well as user name.

Signed-off-by: Tim Small <t...@seoss.co.uk>
---
 src/plugins/auth-pam/auth-pam.c | 33 ++++++++++++++++++++-------------
 1 file changed, 20 insertions(+), 13 deletions(-)

diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
index bd71792..fd46b99 100644
--- a/src/plugins/auth-pam/auth-pam.c
+++ b/src/plugins/auth-pam/auth-pam.c
@@ -668,16 +668,22 @@ pam_auth (const char *service, const struct user_pass *up)
       /* Call PAM to verify username/password */
       status = pam_authenticate(pamh, 0);
       if (status == PAM_SUCCESS)
-       status = pam_acct_mgmt (pamh, 0);
-      if (status == PAM_SUCCESS)
-       ret = 1;
-
-      /* Output error message if failed */
-      if (!ret)
-       {
-         fprintf (stderr, "AUTH-PAM: BACKGROUND: user '%s' failed to 
authenticate: %s\n",
-                  up->username,
-                  pam_strerror (pamh, status));
+        {
+          status = pam_acct_mgmt (pamh, 0);
+          if (status == PAM_SUCCESS)
+            ret = 1; /* Passed pam authenticate and account management steps */
+         else
+            fprintf (stderr, "AUTH-PAM: BACKGROUND: user '%s' / commonname 
'%s' "
+                     "passed pam credential authentication, but failed account 
validation: %s\n"
+                     "... check system auth log for details?\n" ,
+                     up->username, up->common_name, pam_strerror (pamh, 
status));
+        }
+      else
+        {
+          fprintf (stderr, "AUTH-PAM: BACKGROUND: user '%s' / commonname '%s' "
+                   "failed to authenticate: %s\n"
+                  "... check system auth log for details?\n" ,
+                  up->username, up->common_name, pam_strerror (pamh, status));
        }

       /* Close PAM */
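Review bot: Both new failure messages end with a second physical line, `"... check system auth log for details?\n"`, which carries no `AUTH-PAM: BACKGROUND:` prefix, so a log parser or alert rule keyed on that prefix will treat the hint as an unrelated line. The user name and common name printed just before it come from the connecting peer. Whether control characters are stripped from them before they reach pam_auth is not visible in this hunk, and if they are not, an unprefixed continuation line makes an injected line harder to tell apart from a genuine one. Keeping each record on one line avoids both problems, for example `"failed to authenticate: %s (check system auth log for details)\n"`, with the same shape for the account-validation message. pam_auth starts and ends outside this hunk.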
@@ -756,10 +762,11 @@ pam_server (int fd, const char *service, int verb, const 
struct name_value_list
          if (DEBUG (verb))
            {
 #if 0
-             fprintf (stderr, "AUTH-PAM: BACKGROUND: USER/PASS: %s/%s\n",
-                      up.username, up.password);
+             fprintf (stderr, "AUTH-PAM: BACKGROUND: USER/COMMON_NAME/PASS: 
%s/%s/%s\n",
+                      up.username, up.common_name, up.password);
 #else
-             fprintf (stderr, "AUTH-PAM: BACKGROUND: USER: %s\n", up.username);
+             fprintf (stderr, "AUTH-PAM: BACKGROUND: USER/COMMON_NAME: 
%s/%s\n",
+                      up.username, up.common_name);
 #endif
            }
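Review bot: The `#if 0` branch that this hunk keeps up to date formats `up.password` into the stderr log, and nothing in the visible lines says why it is disabled. Flipping that one preprocessor condition would write every connecting user's cleartext password to the debug log. I would add a comment above the branch such as `/* Disabled on purpose: this branch writes the cleartext password to the log; local debugging only. */`, or drop the branch altogether. pam_server starts and ends outside this hunk.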

-- 
2.1.4

