-rw-r--r--src/confdb/confdb.h1
-rw-r--r--src/config/SSSDConfig.py1
-rw-r--r--src/config/etc/sssd.api.conf1
-rw-r--r--src/man/sssd.conf.5.xml31
-rw-r--r--src/providers/data_provider.h1
-rw-r--r--src/providers/dp_pam_data_util.c1
-rw-r--r--src/responder/pam/pamsrv_cmd.c101
7 files changed, 126 insertions, 11 deletions
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 5726ad5d..eccb98d3 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -80,6 +80,7 @@
#define CONFDB_DEFAULT_PAM_FAILED_LOGIN_ATTEMPTS 0
#define CONFDB_PAM_FAILED_LOGIN_DELAY "offline_failed_login_delay"
#define CONFDB_DEFAULT_PAM_FAILED_LOGIN_DELAY 5
+#define CONFDB_PAM_VERBOSITY "pam_verbosity"
/* Data Provider */
#define CONFDB_DP_CONF_ENTRY "config/dp"
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index d27d2f8a..1f54b475 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -63,6 +63,7 @@ option_strings = {
'offline_credentials_expiration' : _('How long to allow cached logins between online logins (days)'),
'offline_failed_login_attempts' : _('How many failed logins attempts are allowed when offline'),
'offline_failed_login_delay' : _('How long (minutes) to deny login after offline_failed_login_attempts has been reached'),
+ 'pam_verbosity' : _('What kind of messages are displayed to the user during authentication'),
# [provider]
'id_provider' : _('Identity provider'),
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index ca85ed70..3bd0cc49 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -33,6 +33,7 @@ pwfield = str, None, false
offline_credentials_expiration = int, None, false
offline_failed_login_attempts = int, None, false
offline_failed_login_delay = int, None, false
+pam_verbosity = int, None, false
[provider]
#Available provider types
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 60ba169b..2bba3805 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -409,6 +409,37 @@
</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term>pam_verbosity (integer)</term>
+ <listitem>
+ <para>
+ Controls what kind of messages are shown to the user
+ during authentication. The higher the number to more
+ messages are displayed.
+ </para>
+ <para>
+ Currently sssd supports the following values:
+ </para>
+ <para>
+ <emphasis>0</emphasis>: do not show any message
+ </para>
+ <para>
+ <emphasis>1</emphasis>: show only important
+ messages
+ </para>
+ <para>
+ <emphasis>2</emphasis>: show informational messages
+ </para>
+ <para>
+ <emphasis>3</emphasis>: show all messages and debug
+ information
+ </para>
+ <para>
+ Default: 1
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect2>
</refsect1>
diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h
index 062c36e3..819a2d77 100644
--- a/src/providers/data_provider.h
+++ b/src/providers/data_provider.h
@@ -159,6 +159,7 @@ struct response_data {
int32_t type;
int32_t len;
uint8_t *data;
+ bool do_not_send_to_client;
struct response_data *next;
};
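Review bot: The new `do_not_send_to_client` field is initialised only in `pam_add_response` (dp_pam_data_util.c hunk); any other code path that allocates a `struct response_data` without `talloc_zero` would leave it indeterminate, and the PAM responder's two serialisation loops read it unconditionally — worth confirming there is no other constructor. A short field comment would also help readers, e.g. `/* set by the PAM responder's verbosity filter; entry is skipped when serialising to the client */`.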
diff --git a/src/providers/dp_pam_data_util.c b/src/providers/dp_pam_data_util.c
index d709447d..5c06a81b 100644
--- a/src/providers/dp_pam_data_util.c
+++ b/src/providers/dp_pam_data_util.c
@@ -163,6 +163,7 @@ int pam_add_response(struct pam_data *pd, enum response_type type,
new->len = len;
new->data = talloc_memdup(pd, data, len);
if (new->data == NULL) return ENOMEM;
+ new->do_not_send_to_client = false;
new->next = pd->resp_list;
pd->resp_list = new;
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 1ba6f17f..25031e19 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -31,6 +31,15 @@
#include "responder/pam/pamsrv.h"
#include "db/sysdb.h"
+enum pam_verbosity {
+ PAM_VERBOSITY_NO_MESSAGES = 0,
+ PAM_VERBOSITY_IMPORTANT,
+ PAM_VERBOSITY_INFO,
+ PAM_VERBOSITY_DEBUG
+};
+
+#define DEFAULT_PAM_VERBOSITY PAM_VERBOSITY_IMPORTANT
+
static void pam_reply(struct pam_auth_req *preq);
static int extract_authtok(uint32_t *type, uint32_t *size, uint8_t **tok, uint8_t *body, size_t blen, size_t *c) {
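Review bot: `DEFAULT_PAM_VERBOSITY` is defined here in pamsrv_cmd.c, whereas the neighbouring PAM defaults (`CONFDB_DEFAULT_PAM_FAILED_LOGIN_ATTEMPTS`, `CONFDB_DEFAULT_PAM_FAILED_LOGIN_DELAY`) live in confdb.h next to their option keys, so the confdb.h hunk is the consistent home for it, as `CONFDB_DEFAULT_PAM_VERBOSITY` with the literal value 1. The enum's numeric values are also a public contract with the levels documented in the sssd.conf(5) hunk, which deserves a comment such as `/* Values are the pam_verbosity levels documented in sssd.conf(5); keep in sync. */` above the enum.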
@@ -319,6 +328,59 @@ fail:
return ret;
}
+static errno_t filter_responses(struct response_data *resp_list,
+ int pam_verbosity)
+{
+ struct response_data *resp;
+ uint32_t user_info_type;
+ int64_t expire_date;
+
+ resp = resp_list;
+
+ while(resp != NULL) {
+ if (resp->type == SSS_PAM_USER_INFO) {
+ if (resp->len < sizeof(uint32_t)) {
+ DEBUG(1, ("User info entry is too short.\n"));
+ return EINVAL;
+ }
+
+ if (pam_verbosity == PAM_VERBOSITY_NO_MESSAGES) {
+ resp->do_not_send_to_client = true;
+ resp = resp->next;
+ continue;
+ }
+
+ memcpy(&user_info_type, resp->data, sizeof(uint32_t));
+
+ resp->do_not_send_to_client = false;
+ switch (user_info_type) {
+ case SSS_PAM_USER_INFO_OFFLINE_AUTH:
+ if (resp->len != sizeof(uint32_t) + sizeof(int64_t)) {
+ DEBUG(1, ("User info offline auth entry is "
+ "too short.\n"));
+ return EINVAL;
+ }
+ memcpy(&expire_date, resp->data + sizeof(uint32_t),
+ sizeof(int64_t));
+ if ((expire_date == 0 &&
+ pam_verbosity < PAM_VERBOSITY_INFO) ||
+ (expire_date > 0 &&
+ pam_verbosity < PAM_VERBOSITY_IMPORTANT)) {
+ resp->do_not_send_to_client = true;
+ }
+
+ break;
+ default:
+ DEBUG(7, ("User info type [%d] not filtered.\n"));
+ }
+ }
+
+ resp = resp->next;
+ }
+
+ return EOK;
+}
+
static void pam_reply_delay(struct tevent_context *ev, struct tevent_timer *te,
struct timeval tv, void *pvt)
{
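Review bot: The debug call in the `default:` branch passes a `%d` conversion with no matching argument, `DEBUG(7, ("User info type [%d] not filtered.\n"));`, which is undefined behaviour in the variadic formatter and logs garbage; it should be `DEBUG(7, ("User info type [%d] not filtered.\n", user_info_type));`. The `return EINVAL` on a short entry (both the `resp->len < sizeof(uint32_t)` check and the offline-auth length check) also abandons filtering for the rest of the list, so the malformed entry and every later SSS_PAM_USER_INFO response keep whatever `do_not_send_to_client` value they already had and reach the client regardless of `pam_verbosity`; since pam_reply treats this failure as non-fatal, marking the bad entry with `resp->do_not_send_to_client = true;` and continuing the loop would keep the filter effective. Note too that `resp->len` is `int32_t` (data_provider.h hunk), so a negative length is promoted to unsigned in `resp->len < sizeof(uint32_t)` and passes that check; `resp->len < 0 || (size_t)resp->len < sizeof(uint32_t)` rejects it.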
@@ -352,9 +414,12 @@ static void pam_reply(struct pam_auth_req *preq)
uint32_t user_info_type;
time_t exp_date = -1;
time_t delay_until = -1;
+ int pam_verbosity = 0;
pd = preq->pd;
cctx = preq->cctx;
+ pctx = talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
+
DEBUG(4, ("pam_reply get called.\n"));
@@ -376,9 +441,6 @@ static void pam_reply(struct pam_auth_req *preq)
goto done;
}
- pctx = talloc_get_type(preq->cctx->rctx->pvt_ctx,
- struct pam_ctx);
-
ret = sysdb_cache_auth(preq, sysdb,
preq->domain, pd->user,
pd->authtok, pd->authtok_size,
@@ -453,6 +515,19 @@ static void pam_reply(struct pam_auth_req *preq)
goto done;
}
+ ret = confdb_get_int(pctx->rctx->cdb, pd, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_VERBOSITY, DEFAULT_PAM_VERBOSITY,
+ &pam_verbosity);
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to read PAM verbosity, not fatal.\n"));
+ pam_verbosity = 0;
+ }
+
+ ret = filter_responses(pd->resp_list, pam_verbosity);
+ if (ret != EOK) {
+ DEBUG(1, ("filter_responses failed, not fatal.\n"));
+ }
+
if (pd->domain != NULL) {
pam_add_response(pd, SSS_PAM_DOMAIN_NAME, strlen(pd->domain)+1,
(uint8_t *) pd->domain);
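Review bot: On a `confdb_get_int` failure the fallback is `pam_verbosity = 0;`, i.e. PAM_VERBOSITY_NO_MESSAGES, while the documented default ("Default: 1" in the sssd.conf(5) hunk) and `DEFAULT_PAM_VERBOSITY` are both PAM_VERBOSITY_IMPORTANT, so an unreadable option silently suppresses the messages the default would show; use `pam_verbosity = DEFAULT_PAM_VERBOSITY;` instead. The `filter_responses` failure is likewise logged as non-fatal, but when it returns EINVAL the list is only partially filtered and the remainder is sent as-is by the two loops below; either treat the failure as fatal or have the filter mark the malformed entry and continue. pam_reply begins and ends outside this hunk.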
@@ -462,8 +537,10 @@ static void pam_reply(struct pam_auth_req *preq)
resp_size = 0;
resp = pd->resp_list;
while(resp != NULL) {
- resp_c++;
- resp_size += resp->len;
+ if (!resp->do_not_send_to_client) {
+ resp_c++;
+ resp_size += resp->len;
+ }
resp = resp->next;
}
@@ -487,12 +564,14 @@ static void pam_reply(struct pam_auth_req *preq)
resp = pd->resp_list;
while(resp != NULL) {
- memcpy(&body[p], &resp->type, sizeof(int32_t));
- p += sizeof(int32_t);
- memcpy(&body[p], &resp->len, sizeof(int32_t));
- p += sizeof(int32_t);
- memcpy(&body[p], resp->data, resp->len);
- p += resp->len;
+ if (!resp->do_not_send_to_client) {
+ memcpy(&body[p], &resp->type, sizeof(int32_t));
+ p += sizeof(int32_t);
+ memcpy(&body[p], &resp->len, sizeof(int32_t));
+ p += sizeof(int32_t);
+ memcpy(&body[p], resp->data, resp->len);
+ p += resp->len;
+ }
resp = resp->next;
}