The plugin carries out separate checks on authentication and account validity, but only prints a single "user X failed to authenticate" message, even when the PAM authenticate tests pass and only the PAM account check fails.
Also log common name as well as user name.
Signed-off-by: Tim Small <t...@seoss.co.uk>
---
 src/plugins/auth-pam/auth-pam.c | 33 ++++++++++++++++++++-------------
 1 file changed, 20 insertions(+), 13 deletions(-)
diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
index bd71792..fd46b99 100644
--- a/src/plugins/auth-pam/auth-pam.c
+++ b/src/plugins/auth-pam/auth-pam.c
@@ -668,16 +668,22 @@ pam_auth (const char *service, const struct user_pass *up)
 /* Call PAM to verify username/password */
 status = pam_authenticate(pamh, 0);
 if (status == PAM_SUCCESS)
- status = pam_acct_mgmt (pamh, 0);
- if (status == PAM_SUCCESS)
- ret = 1;
-
- /* Output error message if failed */
- if (!ret)
- {
- fprintf (stderr, "AUTH-PAM: BACKGROUND: user '%s' failed to authenticate: %s\n",
- up->username,
- pam_strerror (pamh, status));
+ {
+ status = pam_acct_mgmt (pamh, 0);
+ if (status == PAM_SUCCESS)
+ ret = 1; /* Passed pam authenticate and account management steps */
+ else
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: user '%s' / commonname '%s' "
+ "passed pam credential authentication, but failed account validation: %s\n"
+ "... check system auth log for details?\n" ,
+ up->username, up->common_name, pam_strerror (pamh, status));
+ }
+ else
+ {
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: user '%s' / commonname '%s' "
+ "failed to authenticate: %s\n"
+ "... check system auth log for details?\n" ,
+ up->username, up->common_name, pam_strerror (pamh, status));
 }
 /* Close PAM */
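Review bot: Both new failure messages in pam_auth embed a second line, `"... check system auth log for details?\n"`, so each failed login yields one record with the `AUTH-PAM:` prefix and one without; line-oriented log shipping and alerting will treat the hint as an unrelated entry. Folding the hint into the first line keeps one record per event, e.g. `"failed to authenticate: %s (see system auth log)\n"`. The user name, and presumably the common name, originate from the connecting client and are printed with a bare `%s`, so an embedded newline or control character could split or forge log entries; escaping non-printable bytes before logging would close that. pam_auth starts and ends outside this hunk, so where these fields are filled is not visible here.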
@@ -756,10 +762,11 @@ pam_server (int fd, const char *service, int verb, const struct name_value_list
 if (DEBUG (verb))
 {
 #if 0
- fprintf (stderr, "AUTH-PAM: BACKGROUND: USER/PASS: %s/%s\n",
- up.username, up.password);
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: USER/COMMON_NAME/PASS: %s/%s/%s\n",
+ up.username, up.common_name, up.password);
 #else
- fprintf (stderr, "AUTH-PAM: BACKGROUND: USER: %s\n", up.username);
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: USER/COMMON_NAME: %s/%s\n",
+ up.username, up.common_name);
 #endif
 }
--
2.1.4
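Review bot: The `#if 0` branch in pam_server is extended here rather than removed, and if it is ever enabled it writes `up.password` in clear text to stderr next to the user name and common name. I would delete that branch, or at least mark it with a comment such as `/* do not enable in production: logs the cleartext password */`. The live `#else` message prints `up.username` and `up.common_name` with a bare `%s`; both are presumably received over `fd` above this hunk, so non-printable bytes should be escaped before they reach the log. pam_server's body starts and ends outside the hunk.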