The plugin carries out separate checks on authentication and account validity, but only prints a single "user X failed to authenticate" message, even when the PAM authentication step passes but the PAM account check fails.
Print separate error messages if failure occurs in either step.
Signed-off-by: Tim Small <t...@seoss.co.uk>
---
 src/plugins/auth-pam/auth-pam.c | 42 ++++++++++++++++++++++++++---------------
 1 file changed, 27 insertions(+), 15 deletions(-)
diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
index bd71792..1fa73c1 100644
--- a/src/plugins/auth-pam/auth-pam.c
+++ b/src/plugins/auth-pam/auth-pam.c
@@ -655,7 +655,7 @@ pam_auth (const char *service, const struct user_pass *up)
 {
 struct pam_conv conv;
 pam_handle_t *pamh = NULL;
- int status = PAM_SUCCESS;
+ int status;
 int ret = 0;
 const int name_value_list_provided = (up->name_value_list && up->name_value_list->len > 0);
@@ -663,23 +663,35 @@ pam_auth (const char *service, const struct user_pass *up)
 conv.conv = my_conv;
 conv.appdata_ptr = (void *)up;
 status = pam_start (service, name_value_list_provided ? NULL : up->username, &conv, &pamh);
- if (status == PAM_SUCCESS)
+ if (status != PAM_SUCCESS)
 {
- /* Call PAM to verify username/password */
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: user '%s' / commonname '%s' "
+ "call to pam_start() didn't return PAM_SUCCESS\n",
+ up->username, up->common_name);
+ }
+ else
+ {
+ /* Call PAM to authenticate the username */
 status = pam_authenticate(pamh, 0);
- if (status == PAM_SUCCESS)
- status = pam_acct_mgmt (pamh, 0);
- if (status == PAM_SUCCESS)
- ret = 1;
-
- /* Output error message if failed */
- if (!ret)
- {
- fprintf (stderr, "AUTH-PAM: BACKGROUND: user '%s' failed to authenticate: %s\n",
- up->username,
- pam_strerror (pamh, status));
+ if (status != PAM_SUCCESS)
+ {
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: user '%s' / commonname '%s' "
+ "failed to authenticate: %s\n"
+ "... check system auth log for details.\n",
+ up->username, up->common_name, pam_strerror (pamh, status));
 }
-
+ else
+ {
+ /* Call PAM to check user's account is valid */
+ status = pam_acct_mgmt (pamh, 0);
+ if (status != PAM_SUCCESS)
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: user '%s' / commonname '%s' "
+ "passed pam credential authentication, but failed account validation: %s\n"
+ "... check system auth log for details.\n",
+ up->username, up->common_name, pam_strerror (pamh, status));
+ else
+ ret = 1; /* Passed pam authenticate and account management steps */
+ }
 /* Close PAM */
 pam_end (pamh, status);
 }
--
2.1.4
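Review bot: The pam_start() failure branch at the top of the hunk is the only one of the three new diagnostics that omits the PAM error string, so an operator still cannot tell from the log why the handle could not be created, which is the kind of detail needed to distinguish a misconfigured service file from a transient backend problem. Linux-PAM's pam_strerror() ignores the handle argument, but that is implementation-specific; if a NULL pamh after a failed pam_start() is acceptable on the PAM implementations this plugin targets, the message could read `"call to pam_start() failed: %s\n",` followed by `up->username, up->common_name, pam_strerror (pamh, status));` to match the other two branches. Further down, the account-validation `if`/`else` wraps multi-line fprintf() and `ret = 1;` bodies without braces while every other branch in the hunk is braced; bracing both keeps the style uniform and avoids the single-statement-body trap when a line is added there later. pam_auth's opening lines and its return statement lie outside the hunk.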