The plugin carries out separate checks on authentication and account
validity, but only prints a single "user X failed to authenticate"
message, even when the PAM authenticate step passes and only the PAM
account check fails.

Print separate error messages if failure occurs in either step.

Signed-off-by: Tim Small <t...@seoss.co.uk>
---
 src/plugins/auth-pam/auth-pam.c | 42 ++++++++++++++++++++++++++---------------
 1 file changed, 27 insertions(+), 15 deletions(-)

diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
index bd71792..1fa73c1 100644
--- a/src/plugins/auth-pam/auth-pam.c
+++ b/src/plugins/auth-pam/auth-pam.c
@@ -655,7 +655,7 @@ pam_auth (const char *service, const struct user_pass *up)
 {
   struct pam_conv conv;
   pam_handle_t *pamh = NULL;
-  int status = PAM_SUCCESS;
+  int status;
   int ret = 0;
   const int name_value_list_provided = (up->name_value_list && 
up->name_value_list->len > 0);

@@ -663,23 +663,35 @@ pam_auth (const char *service, const struct user_pass *up)
   conv.conv = my_conv;
   conv.appdata_ptr = (void *)up;
   status = pam_start (service, name_value_list_provided ? NULL : up->username, 
&conv, &pamh);
-  if (status == PAM_SUCCESS)
+  if (status != PAM_SUCCESS)
     {
-      /* Call PAM to verify username/password */
+      fprintf (stderr, "AUTH-PAM: BACKGROUND: user '%s' / commonname '%s' "
+          "call to pam_start() didn't return PAM_SUCCESS\n",
+          up->username, up->common_name);
+    }
+  else
+    {
+      /* Call PAM to authenticate the username */
       status = pam_authenticate(pamh, 0);
-      if (status == PAM_SUCCESS)
-       status = pam_acct_mgmt (pamh, 0);
-      if (status == PAM_SUCCESS)
-       ret = 1;
-
-      /* Output error message if failed */
-      if (!ret)
-       {
-         fprintf (stderr, "AUTH-PAM: BACKGROUND: user '%s' failed to 
authenticate: %s\n",
-                  up->username,
-                  pam_strerror (pamh, status));
+      if (status != PAM_SUCCESS)
+        {
+          fprintf (stderr, "AUTH-PAM: BACKGROUND: user '%s' / commonname '%s' "
+                   "failed to authenticate: %s\n"
+                   "... check system auth log for details.\n",
+                   up->username, up->common_name, pam_strerror (pamh, status));
        }
-
+      else
+        {
+          /* Call PAM to check user's account is valid */
+          status = pam_acct_mgmt (pamh, 0);
+          if (status != PAM_SUCCESS)
+            fprintf (stderr, "AUTH-PAM: BACKGROUND: user '%s' / commonname 
'%s' "
+                     "passed pam credential authentication, but failed account 
validation: %s\n"
+                     "... check system auth log for details.\n",
+                     up->username, up->common_name, pam_strerror (pamh, 
status));
+          else
+            ret = 1; /* Passed pam authenticate and account management steps */
+        }
       /* Close PAM */
       pam_end (pamh, status);      
     }
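Review bot: All three new `fprintf` calls write `up->username` and `up->common_name` to the log through a bare `%s`, and since those values presumably originate from the connecting client, an embedded newline or control character could split or forge entries in the very log that operators use to spot failed logins; both fields should be passed through a routine that replaces non-printable bytes before formatting. The `pam_start()` failure branch also drops the reason, so `"call to pam_start() failed (status %d)\n"` with `status` as an extra argument would make that line actionable. The second physical line of the two failure messages (`"... check system auth log for details.\n"`) carries no `AUTH-PAM:` prefix, which makes it harder to correlate in a shared log; folding it into the first line would avoid that. The body of `pam_auth` starts and ends outside this hunk, so whether the two fields are always NUL-terminated arrays cannot be confirmed from here.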
-- 
2.1.4

