author | Thorsten Kukuk <kukuk@thkukuk.de> | 2008-07-09 12:23:23 +0000 |
---|---|---|
committer | Thorsten Kukuk <kukuk@thkukuk.de> | 2008-07-09 12:23:23 +0000 |
commit | 72fae03ec85016c4c443eb1c0195ed54b4423544 (patch) | |
tree | cb905058a80076edd7daf022cd3e1fdb05f59860 | |
parent | a56a27d91b53f6029760d6a0e38b44b46f086f87 (diff) | |
Relevant BUGIDs:
Purpose of commit: new feature
Commit summary:
---------------
2008-07-09 Thorsten Kukuk <kukuk@thkukuk.de>
* modules/pam_tally/pam_tally.c: Add support for silent and
no_log_info options.
* modules/pam_tally/pam_tally.8.xml: Document silent and
no_log_info options.
-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | NEWS | 6 | ||||
-rw-r--r-- | modules/pam_tally/pam_tally.8.xml | 26 | ||||
-rw-r--r-- | modules/pam_tally/pam_tally.c | 51 |
4 files changed, 76 insertions, 14 deletions
@@ -1,3 +1,10 @@
+2008-07-09 Thorsten Kukuk <kukuk@thkukuk.de>
+
+ * modules/pam_tally/pam_tally.c: Add support for silent and
+ no_log_info options.
+ * modules/pam_tally/pam_tally.8.xml: Document silent and
+ no_log_info options.
+
 2008-07-08 Thorsten Kukuk <kukuk@thkukuk.de>
 
 * modules/pam_unix/passverify.c (verify_pwd_hash): Adjust debug
@@ -3,11 +3,13 @@ Linux-PAM NEWS -- history of user-visible changes.
 
 Release 1.0.90
 
-* Supply hostname of the machine to netgroup match call in pam_access.
+* Supply hostname of the machine to netgroup match call in pam_access
 * Make pam_namespace to work safe on child directories of parent directories
- owned by users.
+ owned by users
 * Redifine LOCAL keyword of pam_access configuration file
 * Add support fro try_first_pass and use_first_pass to pam_cracklib
+* Print informative messages for rejected login and add silent and
+ no_log_info options to pam_tally
 
 Release 1.0.1
 
diff --git a/modules/pam_tally/pam_tally.8.xml b/modules/pam_tally/pam_tally.8.xml
index 4f89269e..68b69a30 100644
--- a/modules/pam_tally/pam_tally.8.xml
+++ b/modules/pam_tally/pam_tally.8.xml
@@ -51,6 +51,12 @@
 <arg choice="opt">
 audit
 </arg>
+ <arg choice="opt">
+ silent
+ </arg>
+ <arg choice="opt">
+ no_log_info
+ </arg>
 </cmdsynopsis>
 <cmdsynopsis id="pam_tally-cmdsynopsis2">
 <command>pam_tally</command>
@@ -150,6 +156,26 @@
 </para>
 </listitem>
 </varlistentry>
+ <varlistentry>
+ <term>
+ <option>silent</option>
+ </term>
+ <listitem>
+ <para>
+ Don't print informative messages.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>no_log_info</option>
+ </term>
+ <listitem>
+ <para>
+ Don't log informative messages via <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+ </para>
+ </listitem>
+ </varlistentry>
 </variablelist>
 </listitem>
 </varlistentry>
diff --git a/modules/pam_tally/pam_tally.c b/modules/pam_tally/pam_tally.c
index 8814659a..a01e1938 100644
--- a/modules/pam_tally/pam_tally.c
+++ b/modules/pam_tally/pam_tally.c
@@ -97,6 +97,8 @@ struct tally_options {
 #define OPT_NO_LOCK_TIME 020
 #define OPT_NO_RESET 040
 #define OPT_AUDIT 0100
+#define OPT_SILENT 0200
+#define OPT_NOLOGNOTICE 0400
 
 /*---------------------------------------------------------------------*/
 
@@ -205,6 +207,12 @@ tally_parse_args(pam_handle_t *pamh, struct tally_options *opts,
 else if ( ! strcmp ( *argv, "audit") ) {
 opts->ctrl |= OPT_AUDIT;
 }
+ else if ( ! strcmp ( *argv, "silent") ) {
+ opts->ctrl |= OPT_SILENT;
+ }
+ else if ( ! strcmp ( *argv, "no_log_info") ) {
+ opts->ctrl |= OPT_NOLOGNOTICE;
+ }
 else {
 pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
 }
@@ -524,12 +532,17 @@ tally_check (time_t oldtime, pam_handle_t *pamh, uid_t uid,
 {
 if ( lock_time + oldtime > time(NULL) )
 {
- pam_syslog(pamh, LOG_NOTICE,
- "user %s (%lu) has time limit [%lds left]"
- " since last failure.",
- user, (unsigned long int) uid,
- oldtime+lock_time
- -time(NULL));
+ if (!(opts->ctrl & OPT_SILENT))
+ pam_info (pamh,
+ _("Account temporary locked (%lds seconds left)"),
+ oldtime+lock_time-time(NULL));
+
+ if (!(opts->ctrl & OPT_NOLOGNOTICE))
+ pam_syslog (pamh, LOG_NOTICE,
+ "user %s (%lu) has time limit [%lds left]"
+ " since last failure.",
+ user, (unsigned long int) uid,
+ oldtime+lock_time-time(NULL));
 return PAM_AUTH_ERR;
 }
 }
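Review bot: The new pam_info() call in the lock_time branch of tally_check tells whoever is at the prompt that the account is locked and for how long, and it runs from pam_sm_authenticate, i.e. presumably before any password has been checked, so it discloses the lock state of any named account to an unauthenticated caller; that consequence, and the fact that `silent` (or the PAM_SILENT flag) is the only way to suppress it, deserves a sentence in pam_tally.8.xml next to the `silent` option. The message text also reads oddly: `_("Account temporary locked (%lds seconds left)")` prints e.g. "5s seconds", and "temporary" should be "temporarily" — suggest `_("Account temporarily locked (%ld seconds left)")`. time(NULL) is evaluated separately for the pam_info() and pam_syslog() lines, so the two values can differ across a clock tick; computing `long left = oldtime + lock_time - time(NULL);` once before the two checks keeps the user-visible and logged values consistent. tally_check's body starts and ends outside this hunk.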
@@ -545,9 +558,14 @@ tally_check (time_t oldtime, pam_handle_t *pamh, uid_t uid,
 ( tally > deny ) && /* tally>deny means exceeded */
 ( ((opts->ctrl & OPT_DENY_ROOT) || uid) ) /* even_deny stops uid check */
 ) {
- pam_syslog(pamh, LOG_NOTICE,
- "user %s (%lu) tally "TALLY_FMT", deny "TALLY_FMT,
- user, (unsigned long int) uid, tally, deny);
+ if (!(opts->ctrl & OPT_SILENT))
+ pam_info (pamh, _("Accounted locked due to "TALLY_FMT" failed login"),
+ tally);
+
+ if (!(opts->ctrl & OPT_NOLOGNOTICE))
+ pam_syslog(pamh, LOG_NOTICE,
+ "user %s (%lu) tally "TALLY_FMT", deny "TALLY_FMT,
+ user, (unsigned long int) uid, tally, deny);
 return PAM_AUTH_ERR; /* Only unconditional failure */
 }
 }
@@ -594,7 +612,7 @@ tally_reset (pam_handle_t *pamh, uid_t uid, struct tally_options *opts)
 #ifdef PAM_SM_AUTH
 
 PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
+pam_sm_authenticate(pam_handle_t *pamh, int flags,
 int argc, const char **argv)
 {
 int
@@ -612,6 +630,9 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
 if ( rvcheck != PAM_SUCCESS ) RETURN_ERROR( rvcheck );
 
+ if (flags & PAM_SILENT)
+ opts->ctrl |= OPT_SILENT;
+
 rvcheck = pam_get_uid(pamh, &uid, &user, opts);
 if ( rvcheck != PAM_SUCCESS ) RETURN_ERROR( rvcheck );
 
@@ -625,7 +646,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
 }
 
 PAM_EXTERN int
-pam_sm_setcred(pam_handle_t *pamh, int flags UNUSED,
+pam_sm_setcred(pam_handle_t *pamh, int flags,
 int argc, const char **argv)
 {
 int
@@ -643,6 +664,9 @@ pam_sm_setcred(pam_handle_t *pamh, int flags UNUSED,
 if ( rv != PAM_SUCCESS ) RETURN_ERROR( rv );
 
+ if (flags & PAM_SILENT)
+ opts->ctrl |= OPT_SILENT;
+
 rv = pam_get_uid(pamh, &uid, &user, opts);
 if ( rv != PAM_SUCCESS ) RETURN_ERROR( rv );
 
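Review bot: The new pam_info() in the deny branch builds its translatable format by splicing a macro into the literal, `_("Accounted locked due to "TALLY_FMT" failed login")`; xgettext cannot follow the macro in the middle of the concatenation, so the msgid it extracts (if any) will not be the expanded string that is looked up at runtime, and this message can never be translated — the pam_syslog() strings never had this problem because they are not wrapped in `_()`. Writing the conversion specifier literally in the string (whatever TALLY_FMT expands to; the macro is defined outside this hunk) and fixing the "Accounted" typo, e.g. `_("Account locked due to <TALLY_FMT conversion> failed logins")`, resolves both. As with the lock-time message, the failure count is now shown to an unauthenticated caller unless `silent` is set; it is worth saying so in the man page entry for `silent`. tally_check's body starts and ends outside this hunk.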
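Review bot: The pair `if (flags & PAM_SILENT)` / `opts->ctrl |= OPT_SILENT;` is now duplicated verbatim in pam_sm_authenticate (hunk -612), pam_sm_setcred (hunk -643) and pam_sm_acct_mgmt (hunk -685), each time right after the option-parsing result check. Since every caller already hands opts to tally_parse_args, taking flags there too (or a small `static void tally_apply_flags(struct tally_options *opts, int flags)` helper) would keep the flag-to-option mapping in one place so that a future flag is not forgotten in one of the three entry points. The bodies of all three functions continue outside the hunks.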
@@ -667,7 +691,7 @@ pam_sm_setcred(pam_handle_t *pamh, int flags UNUSED,
 /* To reset failcount of user on successfull login */
 PAM_EXTERN int
-pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED,
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
 int argc, const char **argv)
 {
 int
@@ -685,6 +709,9 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED,
 if ( rv != PAM_SUCCESS ) RETURN_ERROR( rv );
 
+ if (flags & PAM_SILENT)
+ opts->ctrl |= OPT_SILENT;
+
 rv = pam_get_uid(pamh, &uid, &user, opts);
 if ( rv != PAM_SUCCESS ) RETURN_ERROR( rv ); |