summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/man/pam_sss.8.xml11
-rw-r--r--src/sss_client/pam_sss.c30
2 files changed, 36 insertions, 5 deletions
diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml
index 40ccf289..aeffd722 100644
--- a/src/man/pam_sss.8.xml
+++ b/src/man/pam_sss.8.xml
@@ -23,6 +23,9 @@
<cmdsynopsis>
<command>pam_sss.so</command>
<arg choice='opt'>
+ <replaceable>quiet</replaceable>
+ </arg>
+ <arg choice='opt'>
<replaceable>forward_pass</replaceable>
</arg>
<arg choice='opt'>
@@ -49,6 +52,14 @@
<variablelist remap='IP'>
<varlistentry>
<term>
+ <option>quiet</option>
+ </term>
+ <listitem>
+ <para>Suppress log messages for unknown users.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
<option>forward_pass</option>
</term>
<listitem>
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 81e88139..e6417016 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1065,7 +1065,7 @@ static void print_pam_items(struct pam_items *pi)
}
static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
- enum sss_cli_command task)
+ enum sss_cli_command task, bool quiet_mode)
{
int ret;
int errnop;
@@ -1120,17 +1120,27 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
pi->login_name, getuid(), (unsigned long) geteuid(),
pi->pam_tty, pi->pam_ruser, pi->pam_rhost, pi->pam_user);
if (pam_status != PAM_SUCCESS) {
+ /* don't log if quiet_mode is on and pam_status is
+ * User not known to the underlying authentication module
+ */
+ if (!quiet_mode || pam_status != 10) {
logger(pamh, LOG_NOTICE, "received for user %s: %d (%s)",
pi->pam_user, pam_status,
pam_strerror(pamh,pam_status));
+ }
}
break;
case SSS_PAM_CHAUTHTOK_PRELIM:
if (pam_status != PAM_SUCCESS) {
+ /* don't log if quiet_mode is on and pam_status is
+ * User not known to the underlying authentication module
+ */
+ if (!quiet_mode || pam_status != 10) {
logger(pamh, LOG_NOTICE,
"Authentication failed for user %s: %d (%s)",
pi->pam_user, pam_status,
pam_strerror(pamh,pam_status));
+ }
}
break;
case SSS_PAM_CHAUTHTOK:
@@ -1143,10 +1153,15 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
break;
case SSS_PAM_ACCT_MGMT:
if (pam_status != PAM_SUCCESS) {
+ /* don't log if quiet_mode is on and pam_status is
+ * User not known to the underlying authentication module
+ */
+ if (!quiet_mode || pam_status != 10) {
logger(pamh, LOG_NOTICE,
"Access denied for user %s: %d (%s)",
pi->pam_user, pam_status,
pam_strerror(pamh,pam_status));
+ }
}
break;
case SSS_PAM_SETCRED:
@@ -1232,10 +1247,12 @@ static int prompt_new_password(pam_handle_t *pamh, struct pam_items *pi)
}
static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
- uint32_t *flags, int *retries)
+ uint32_t *flags, int *retries, bool *quiet_mode)
{
char *ep;
+ *quiet_mode = false;
+
for (; argc-- > 0; ++argv) {
if (strcmp(*argv, "forward_pass") == 0) {
*flags |= FLAGS_FORWARD_PASS;
@@ -1265,6 +1282,8 @@ static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
*retries = 0;
}
}
+ } else if (strcmp(*argv, "quiet") == 0) {
+ *quiet_mode = true;
} else {
logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
}
@@ -1315,7 +1334,7 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
int ret;
int *exp_data = NULL;
pam_get_data(pamh, PWEXP_FLAG, (const void **) &exp_data);
-
+
/* we query for the old password during PAM_PRELIM_CHECK to make
* pam_sss work e.g. with pam_cracklib */
if (pam_flags & PAM_PRELIM_CHECK) {
@@ -1390,13 +1409,14 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
uint32_t flags = 0;
int *exp_data;
bool retry = false;
+ bool quiet_mode = false;
int retries = 0;
bindtextdomain(PACKAGE, LOCALEDIR);
D(("Hello pam_sssd: %d", task));
- eval_argv(pamh, argc, argv, &flags, &retries);
+ eval_argv(pamh, argc, argv, &flags, &retries, &quiet_mode);
ret = get_pam_items(pamh, &pi);
if (ret != PAM_SUCCESS) {
@@ -1437,7 +1457,7 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
return PAM_SYSTEM_ERR;
}
- pam_status = send_and_receive(pamh, &pi, task);
+ pam_status = send_and_receive(pamh, &pi, task, quiet_mode);
switch (task) {
case SSS_PAM_AUTHENTICATE: