summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorSumit Bose <sbose@redhat.com>2010-10-27 13:34:54 +0200
committerStephen Gallagher <sgallagh@redhat.com>2010-11-15 15:37:30 -0500
commit9468a58f9bd191ef80c114943a288037c635a835 (patch)
tree61d7209ebaea50aadc1b90ad7880a83579d6d254 /src
parent4b498111c49b254e9aa5e2b0d4fcc1ba24a04236 (diff)
downloadsssd-9468a58f9bd191ef80c114943a288037c635a835.tar.gz
sssd-9468a58f9bd191ef80c114943a288037c635a835.tar.bz2
sssd-9468a58f9bd191ef80c114943a288037c635a835.zip
Introduce pam_verbosity config option
Currently we display all PAM messages generated by sssd to the user. But only some of them are important and others are just some useful information. This patch introduces a new option to the PAM responder which controls what kind of messages are displayed. As an example the 'Authenticated with cached credentials' message is used. This message is only displayed if pam_verbosity=1 or if there is an expire date.
Diffstat (limited to 'src')
-rw-r--r--src/confdb/confdb.h1
-rw-r--r--src/config/SSSDConfig.py1
-rw-r--r--src/config/etc/sssd.api.conf1
-rw-r--r--src/man/sssd.conf.5.xml31
-rw-r--r--src/providers/data_provider.h1
-rw-r--r--src/providers/dp_pam_data_util.c1
-rw-r--r--src/responder/pam/pamsrv_cmd.c101
7 files changed, 126 insertions, 11 deletions
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 5726ad5d..eccb98d3 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -80,6 +80,7 @@
#define CONFDB_DEFAULT_PAM_FAILED_LOGIN_ATTEMPTS 0
#define CONFDB_PAM_FAILED_LOGIN_DELAY "offline_failed_login_delay"
#define CONFDB_DEFAULT_PAM_FAILED_LOGIN_DELAY 5
+#define CONFDB_PAM_VERBOSITY "pam_verbosity"
/* Data Provider */
#define CONFDB_DP_CONF_ENTRY "config/dp"
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index d27d2f8a..1f54b475 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -63,6 +63,7 @@ option_strings = {
'offline_credentials_expiration' : _('How long to allow cached logins between online logins (days)'),
'offline_failed_login_attempts' : _('How many failed logins attempts are allowed when offline'),
'offline_failed_login_delay' : _('How long (minutes) to deny login after offline_failed_login_attempts has been reached'),
+ 'pam_verbosity' : _('What kind of messages are displayed to the user during authentication'),
# [provider]
'id_provider' : _('Identity provider'),
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index ca85ed70..3bd0cc49 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -33,6 +33,7 @@ pwfield = str, None, false
offline_credentials_expiration = int, None, false
offline_failed_login_attempts = int, None, false
offline_failed_login_delay = int, None, false
+pam_verbosity = int, None, false
[provider]
#Available provider types
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 60ba169b..2bba3805 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -409,6 +409,37 @@
</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term>pam_verbosity (integer)</term>
+ <listitem>
+ <para>
+ Controls what kind of messages are shown to the user
+ during authentication. The higher the number to more
+ messages are displayed.
+ </para>
+ <para>
+ Currently sssd supports the following values:
+ </para>
+ <para>
+ <emphasis>0</emphasis>: do not show any message
+ </para>
+ <para>
+ <emphasis>1</emphasis>: show only important
+ messages
+ </para>
+ <para>
+ <emphasis>2</emphasis>: show informational messages
+ </para>
+ <para>
+ <emphasis>3</emphasis>: show all messages and debug
+ information
+ </para>
+ <para>
+ Default: 1
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect2>
</refsect1>
diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h
index 062c36e3..819a2d77 100644
--- a/src/providers/data_provider.h
+++ b/src/providers/data_provider.h
@@ -159,6 +159,7 @@ struct response_data {
int32_t type;
int32_t len;
uint8_t *data;
+ bool do_not_send_to_client;
struct response_data *next;
};
diff --git a/src/providers/dp_pam_data_util.c b/src/providers/dp_pam_data_util.c
index d709447d..5c06a81b 100644
--- a/src/providers/dp_pam_data_util.c
+++ b/src/providers/dp_pam_data_util.c
@@ -163,6 +163,7 @@ int pam_add_response(struct pam_data *pd, enum response_type type,
new->len = len;
new->data = talloc_memdup(pd, data, len);
if (new->data == NULL) return ENOMEM;
+ new->do_not_send_to_client = false;
new->next = pd->resp_list;
pd->resp_list = new;
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 1ba6f17f..25031e19 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -31,6 +31,15 @@
#include "responder/pam/pamsrv.h"
#include "db/sysdb.h"
+enum pam_verbosity {
+ PAM_VERBOSITY_NO_MESSAGES = 0,
+ PAM_VERBOSITY_IMPORTANT,
+ PAM_VERBOSITY_INFO,
+ PAM_VERBOSITY_DEBUG
+};
+
+#define DEFAULT_PAM_VERBOSITY PAM_VERBOSITY_IMPORTANT
+
static void pam_reply(struct pam_auth_req *preq);
static int extract_authtok(uint32_t *type, uint32_t *size, uint8_t **tok, uint8_t *body, size_t blen, size_t *c) {
@@ -319,6 +328,59 @@ fail:
return ret;
}
+static errno_t filter_responses(struct response_data *resp_list,
+ int pam_verbosity)
+{
+ struct response_data *resp;
+ uint32_t user_info_type;
+ int64_t expire_date;
+
+ resp = resp_list;
+
+ while(resp != NULL) {
+ if (resp->type == SSS_PAM_USER_INFO) {
+ if (resp->len < sizeof(uint32_t)) {
+ DEBUG(1, ("User info entry is too short.\n"));
+ return EINVAL;
+ }
+
+ if (pam_verbosity == PAM_VERBOSITY_NO_MESSAGES) {
+ resp->do_not_send_to_client = true;
+ resp = resp->next;
+ continue;
+ }
+
+ memcpy(&user_info_type, resp->data, sizeof(uint32_t));
+
+ resp->do_not_send_to_client = false;
+ switch (user_info_type) {
+ case SSS_PAM_USER_INFO_OFFLINE_AUTH:
+ if (resp->len != sizeof(uint32_t) + sizeof(int64_t)) {
+ DEBUG(1, ("User info offline auth entry is "
+ "too short.\n"));
+ return EINVAL;
+ }
+ memcpy(&expire_date, resp->data + sizeof(uint32_t),
+ sizeof(int64_t));
+ if ((expire_date == 0 &&
+ pam_verbosity < PAM_VERBOSITY_INFO) ||
+ (expire_date > 0 &&
+ pam_verbosity < PAM_VERBOSITY_IMPORTANT)) {
+ resp->do_not_send_to_client = true;
+ }
+
+ break;
+ default:
+ DEBUG(7, ("User info type [%d] not filtered.\n"));
+ }
+ }
+
+ resp = resp->next;
+ }
+
+ return EOK;
+}
+
static void pam_reply_delay(struct tevent_context *ev, struct tevent_timer *te,
struct timeval tv, void *pvt)
{
@@ -352,9 +414,12 @@ static void pam_reply(struct pam_auth_req *preq)
uint32_t user_info_type;
time_t exp_date = -1;
time_t delay_until = -1;
+ int pam_verbosity = 0;
pd = preq->pd;
cctx = preq->cctx;
+ pctx = talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
+
DEBUG(4, ("pam_reply get called.\n"));
@@ -376,9 +441,6 @@ static void pam_reply(struct pam_auth_req *preq)
goto done;
}
- pctx = talloc_get_type(preq->cctx->rctx->pvt_ctx,
- struct pam_ctx);
-
ret = sysdb_cache_auth(preq, sysdb,
preq->domain, pd->user,
pd->authtok, pd->authtok_size,
@@ -453,6 +515,19 @@ static void pam_reply(struct pam_auth_req *preq)
goto done;
}
+ ret = confdb_get_int(pctx->rctx->cdb, pd, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_VERBOSITY, DEFAULT_PAM_VERBOSITY,
+ &pam_verbosity);
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to read PAM verbosity, not fatal.\n"));
+ pam_verbosity = 0;
+ }
+
+ ret = filter_responses(pd->resp_list, pam_verbosity);
+ if (ret != EOK) {
+ DEBUG(1, ("filter_responses failed, not fatal.\n"));
+ }
+
if (pd->domain != NULL) {
pam_add_response(pd, SSS_PAM_DOMAIN_NAME, strlen(pd->domain)+1,
(uint8_t *) pd->domain);
@@ -462,8 +537,10 @@ static void pam_reply(struct pam_auth_req *preq)
resp_size = 0;
resp = pd->resp_list;
while(resp != NULL) {
- resp_c++;
- resp_size += resp->len;
+ if (!resp->do_not_send_to_client) {
+ resp_c++;
+ resp_size += resp->len;
+ }
resp = resp->next;
}
@@ -487,12 +564,14 @@ static void pam_reply(struct pam_auth_req *preq)
resp = pd->resp_list;
while(resp != NULL) {
- memcpy(&body[p], &resp->type, sizeof(int32_t));
- p += sizeof(int32_t);
- memcpy(&body[p], &resp->len, sizeof(int32_t));
- p += sizeof(int32_t);
- memcpy(&body[p], resp->data, resp->len);
- p += resp->len;
+ if (!resp->do_not_send_to_client) {
+ memcpy(&body[p], &resp->type, sizeof(int32_t));
+ p += sizeof(int32_t);
+ memcpy(&body[p], &resp->len, sizeof(int32_t));
+ p += sizeof(int32_t);
+ memcpy(&body[p], resp->data, resp->len);
+ p += resp->len;
+ }
resp = resp->next;
}