summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSteve Langasek <vorlon@debian.org>2000-12-20 05:15:05 +0000
committerSteve Langasek <vorlon@debian.org>2000-12-20 05:15:05 +0000
commit38da6ae394a4b2f18e210369562928dc0e404f54 (patch)
treed5ee266e4c99c2a950ec6ad7fabc016c140a66c0
parente23b51cda072fbd6fc65f5ff43d196eeea28cac5 (diff)
Relevant BUGIDs: 126431, 126423
Purpose of commit: new feature / bugfix Commit summary: --------------- This changes the format of pam_unix log messages, per bug 126423. The change is extensive (every call to _log_err() now has an additional argument) but straightforward. These changes to the logging code incidentally fix the problem reported in bug 126431.
-rw-r--r--CHANGELOG3
-rw-r--r--modules/pam_unix/pam_unix_acct.c16
-rw-r--r--modules/pam_unix/pam_unix_auth.c8
-rw-r--r--modules/pam_unix/pam_unix_passwd.c58
-rw-r--r--modules/pam_unix/pam_unix_sess.c24
-rw-r--r--modules/pam_unix/support.c66
-rw-r--r--modules/pam_unix/support.h5
7 files changed, 110 insertions, 70 deletions
diff --git a/CHANGELOG b/CHANGELOG
index a353a5e1..214e09f6 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -35,6 +35,9 @@ Where you should replace XXXXX with a bug-id.
0.74: please submit patches for this section with actual code/doc
patches!
+* modify format of pam_unix log messages to include service name
+ (Bug 126423)
+* prevent pam_unix from logging unknown usernames (Bug 126431 - vorlon)
* changed format of pam_unix 'authentication failure' log messages to make
them clearer and more consistent (Bug 126036 - vorlon)
* improved portability of pam_unix by eliminating Linux-specific utmp
diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
index 8aeb43f3..178b6037 100644
--- a/modules/pam_unix/pam_unix_acct.c
+++ b/modules/pam_unix/pam_unix_acct.c
@@ -78,12 +78,12 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags,
D(("called."));
- ctrl = _set_ctrl(flags, NULL, argc, argv);
+ ctrl = _set_ctrl(pamh, flags, NULL, argc, argv);
retval = pam_get_item(pamh, PAM_USER, (const void **) &uname);
D(("user = `%s'", uname));
if (retval != PAM_SUCCESS || uname == NULL) {
- _log_err(LOG_ALERT
+ _log_err(LOG_ALERT, pamh
,"could not identify user (from uid=%d)"
,getuid());
return PAM_USER_UNKNOWN;
@@ -91,7 +91,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags,
pwent = getpwnam(uname);
if (!pwent) {
- _log_err(LOG_ALERT
+ _log_err(LOG_ALERT, pamh
,"could not identify user (from getpwnam(%s))"
,uname);
return PAM_USER_UNKNOWN;
@@ -135,7 +135,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags,
D(("today is %d, last change %d", curdays, spent->sp_lstchg));
if ((curdays > spent->sp_expire) && (spent->sp_expire != -1)
&& (spent->sp_lstchg != 0)) {
- _log_err(LOG_NOTICE
+ _log_err(LOG_NOTICE, pamh
,"account %s has expired (account expired)"
,uname);
_make_remark(pamh, ctrl, PAM_ERROR_MSG,
@@ -146,7 +146,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags,
if ((curdays > (spent->sp_lstchg + spent->sp_max + spent->sp_inact))
&& (spent->sp_max != -1) && (spent->sp_inact != -1)
&& (spent->sp_lstchg != 0)) {
- _log_err(LOG_NOTICE
+ _log_err(LOG_NOTICE, pamh
,"account %s has expired (failed to change password)"
,uname);
_make_remark(pamh, ctrl, PAM_ERROR_MSG,
@@ -156,7 +156,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags,
}
D(("when was the last change"));
if (spent->sp_lstchg == 0) {
- _log_err(LOG_NOTICE
+ _log_err(LOG_NOTICE, pamh
,"expired password for user %s (root enforced)"
,uname);
_make_remark(pamh, ctrl, PAM_ERROR_MSG,
@@ -165,7 +165,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags,
return PAM_NEW_AUTHTOK_REQD;
}
if (((spent->sp_lstchg + spent->sp_max) < curdays) && (spent->sp_max != -1)) {
- _log_err(LOG_DEBUG
+ _log_err(LOG_DEBUG, pamh
,"expired password for user %s (password aged)"
,uname);
_make_remark(pamh, ctrl, PAM_ERROR_MSG,
@@ -176,7 +176,7 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags,
if ((curdays > (spent->sp_lstchg + spent->sp_max - spent->sp_warn))
&& (spent->sp_max != -1) && (spent->sp_warn != -1)) {
daysleft = (spent->sp_lstchg + spent->sp_max) - curdays;
- _log_err(LOG_DEBUG
+ _log_err(LOG_DEBUG, pamh
,"password for user %s will expire in %d days"
,uname, daysleft);
snprintf(buf, 80, "Warning: your password will expire in %d day%.2s",
diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c
index bec9d99f..f08ea515 100644
--- a/modules/pam_unix/pam_unix_auth.c
+++ b/modules/pam_unix/pam_unix_auth.c
@@ -101,7 +101,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags
D(("called."));
- ctrl = _set_ctrl(flags, NULL, argc, argv);
+ ctrl = _set_ctrl(pamh, flags, NULL, argc, argv);
/* Get a few bytes so we can pass our return value to
pam_sm_setcred(). */
@@ -118,7 +118,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags
* alphanumeric character.
*/
if (name == NULL || !isalnum(*name)) {
- _log_err(LOG_ERR, "bad username [%s]", name);
+ _log_err(LOG_ERR, pamh, "bad username [%s]", name);
retval = PAM_USER_UNKNOWN;
AUTH_RETURN
}
@@ -150,7 +150,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags
,_UNIX_AUTHTOK, &p);
if (retval != PAM_SUCCESS) {
if (retval != PAM_CONV_AGAIN) {
- _log_err(LOG_CRIT, "auth could not identify password for [%s]"
+ _log_err(LOG_CRIT, pamh, "auth could not identify password for [%s]"
,name);
} else {
D(("conversation function is not ready yet"));
@@ -194,7 +194,7 @@ PAM_EXTERN int pam_sm_setcred(pam_handle_t * pamh, int flags
only argument we need is UNIX_LIKE_AUTH: if it was set,
pam_get_data will succeed. If it wasn't, it will fail, and we
return PAM_SUCCESS. -SRL */
- ctrl = _set_ctrl(flags, NULL, argc, argv);
+ ctrl = _set_ctrl(pamh, flags, NULL, argc, argv);
retval = PAM_SUCCESS;
if (on(UNIX_LIKE_AUTH, ctrl)) {
diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
index e4998afd..5d8d2d7d 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -178,29 +178,31 @@ static char *crypt_md5_wrapper(const char *pass_new)
return x;
}
-static char *getNISserver(void)
+static char *getNISserver(pam_handle_t *pamh)
{
char *master;
char *domainname;
int port, err;
if ((err = yp_get_default_domain(&domainname)) != 0) {
- _log_err(LOG_WARNING, "can't get local yp domain: %s\n",
+ _log_err(LOG_WARNING, pamh, "can't get local yp domain: %s\n",
yperr_string(err));
return NULL;
}
if ((err = yp_master(domainname, "passwd.byname", &master)) != 0) {
- _log_err(LOG_WARNING, "can't find the master ypserver: %s\n",
+ _log_err(LOG_WARNING, pamh, "can't find the master ypserver: %s\n",
yperr_string(err));
return NULL;
}
port = getrpcport(master, YPPASSWDPROG, YPPASSWDPROC_UPDATE, IPPROTO_UDP);
if (port == 0) {
- _log_err(LOG_WARNING, "yppasswdd not running on NIS master host\n");
+ _log_err(LOG_WARNING, pamh,
+ "yppasswdd not running on NIS master host\n");
return NULL;
}
if (port >= IPPORT_RESERVED) {
- _log_err(LOG_WARNING, "yppasswd daemon running on illegal port.\n");
+ _log_err(LOG_WARNING, pamh,
+ "yppasswd daemon running on illegal port.\n");
return NULL;
}
return master;
@@ -424,8 +426,8 @@ static int _update_shadow(const char *forwho, char *towhat)
return retval;
}
-static int _do_setpass(const char *forwho, char *fromwhat, char *towhat,
- unsigned int ctrl, int remember)
+static int _do_setpass(pam_handle_t* pamh, const char *forwho, char *fromwhat,
+ char *towhat, unsigned int ctrl, int remember)
{
struct passwd *pwd = NULL;
int retval = 0;
@@ -448,7 +450,7 @@ static int _do_setpass(const char *forwho, char *fromwhat, char *towhat,
int err = 0;
/* Make RPC call to NIS server */
- if ((master = getNISserver()) == NULL)
+ if ((master = getNISserver(pamh)) == NULL)
return PAM_TRY_AGAIN;
/* Initialize password information */
@@ -595,7 +597,7 @@ static int _pam_unix_approve_pass(pam_handle_t * pamh
if (pass_new == NULL || (pass_old && !strcmp(pass_old, pass_new))) {
if (on(UNIX_DEBUG, ctrl)) {
- _log_err(LOG_DEBUG, "bad authentication token");
+ _log_err(LOG_DEBUG, pamh, "bad authentication token");
}
_make_remark(pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ?
"No password supplied" : "Password unchanged");
@@ -609,7 +611,7 @@ static int _pam_unix_approve_pass(pam_handle_t * pamh
retval = pam_get_item(pamh, PAM_USER, (const void **) &user);
if (retval != PAM_SUCCESS) {
if (on(UNIX_DEBUG, ctrl)) {
- _log_err(LOG_ERR, "Can not get username");
+ _log_err(LOG_ERR, pamh, "Can not get username");
return PAM_AUTHTOK_ERR;
}
}
@@ -669,7 +671,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
return PAM_AUTHTOK_LOCK_BUSY;
}
#endif
- ctrl = _set_ctrl(flags, &remember, argc, argv);
+ ctrl = _set_ctrl(pamh, flags, &remember, argc, argv);
/*
* First get the name of a user
@@ -683,17 +685,19 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
* alphanumeric character.
*/
if (user == NULL || !isalnum(*user)) {
- _log_err(LOG_ERR, "bad username [%s]", user);
+ _log_err(LOG_ERR, pamh, "bad username [%s]", user);
#ifdef USE_LCKPWDF
ulckpwdf();
#endif
return PAM_USER_UNKNOWN;
}
if (retval == PAM_SUCCESS && on(UNIX_DEBUG, ctrl))
- _log_err(LOG_DEBUG, "username [%s] obtained", user);
+ _log_err(LOG_DEBUG, pamh, "username [%s] obtained",
+ user);
} else {
if (on(UNIX_DEBUG, ctrl))
- _log_err(LOG_DEBUG, "password - could not identify user");
+ _log_err(LOG_DEBUG, pamh,
+ "password - could not identify user");
#ifdef USE_LCKPWDF
ulckpwdf();
#endif
@@ -728,7 +732,8 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
#define greeting "Changing password for "
Announce = (char *) malloc(sizeof(greeting) + strlen(user));
if (Announce == NULL) {
- _log_err(LOG_CRIT, "password - out of memory");
+ _log_err(LOG_CRIT, pamh,
+ "password - out of memory");
#ifdef USE_LCKPWDF
ulckpwdf();
#endif
@@ -749,7 +754,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
free(Announce);
if (retval != PAM_SUCCESS) {
- _log_err(LOG_NOTICE
+ _log_err(LOG_NOTICE, pamh
,"password - (old) token not obtained");
#ifdef USE_LCKPWDF
ulckpwdf();
@@ -776,7 +781,8 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
retval = pam_set_item(pamh, PAM_OLDAUTHTOK, (const void *) pass_old);
pass_old = NULL;
if (retval != PAM_SUCCESS) {
- _log_err(LOG_CRIT, "failed to set PAM_OLDAUTHTOK");
+ _log_err(LOG_CRIT, pamh,
+ "failed to set PAM_OLDAUTHTOK");
}
retval = _unix_verify_shadow(user, ctrl);
if (retval == PAM_AUTHTOK_ERR) {
@@ -821,7 +827,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
D(("pass_old [%s]", pass_old));
if (retval != PAM_SUCCESS) {
- _log_err(LOG_NOTICE, "user not authenticated");
+ _log_err(LOG_NOTICE, pamh, "user not authenticated");
#ifdef USE_LCKPWDF
ulckpwdf();
#endif
@@ -829,7 +835,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
}
retval = _unix_verify_shadow(user, ctrl);
if (retval != PAM_SUCCESS) {
- _log_err(LOG_NOTICE, "user not authenticated 2");
+ _log_err(LOG_NOTICE, pamh, "user not authenticated 2");
#ifdef USE_LCKPWDF
ulckpwdf();
#endif
@@ -859,7 +865,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
if (retval != PAM_SUCCESS) {
if (on(UNIX_DEBUG, ctrl)) {
- _log_err(LOG_ALERT
+ _log_err(LOG_ALERT, pamh
,"password - new password not obtained");
}
pass_old = NULL; /* tidy up */
@@ -883,7 +889,8 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
}
if (retval != PAM_SUCCESS) {
- _log_err(LOG_NOTICE, "new password not acceptable");
+ _log_err(LOG_NOTICE, pamh,
+ "new password not acceptable");
_pam_overwrite(pass_new);
_pam_overwrite(pass_old);
pass_new = pass_old = NULL; /* tidy up */
@@ -926,7 +933,8 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
char *e;
if (temp == NULL) {
- _log_err(LOG_CRIT, "out of memory for password");
+ _log_err(LOG_CRIT, pamh,
+ "out of memory for password");
_pam_overwrite(pass_new);
_pam_overwrite(pass_old);
pass_new = pass_old = NULL; /* tidy up */
@@ -960,13 +968,15 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
/* update the password database(s) -- race conditions..? */
- retval = _do_setpass(user, pass_old, tpass, ctrl, remember);
+ retval = _do_setpass(pamh, user, pass_old, tpass, ctrl,
+ remember);
_pam_overwrite(pass_new);
_pam_overwrite(pass_old);
_pam_delete(tpass);
pass_old = pass_new = NULL;
} else { /* something has broken with the module */
- _log_err(LOG_ALERT, "password received unknown request");
+ _log_err(LOG_ALERT, pamh,
+ "password received unknown request");
retval = PAM_ABORT;
}
diff --git a/modules/pam_unix/pam_unix_sess.c b/modules/pam_unix/pam_unix_sess.c
index e97bc1f0..faef3e42 100644
--- a/modules/pam_unix/pam_unix_sess.c
+++ b/modules/pam_unix/pam_unix_sess.c
@@ -74,21 +74,23 @@ PAM_EXTERN int pam_sm_open_session(pam_handle_t * pamh, int flags,
D(("called."));
- ctrl = _set_ctrl(flags, NULL, argc, argv);
+ ctrl = _set_ctrl(pamh, flags, NULL, argc, argv);
retval = pam_get_item(pamh, PAM_USER, (void *) &user_name);
if (user_name == NULL || retval != PAM_SUCCESS) {
- _log_err(LOG_CRIT, "open_session - error recovering username");
+ _log_err(LOG_CRIT, pamh,
+ "open_session - error recovering username");
return PAM_SESSION_ERR; /* How did we get authenticated with
no username?! */
}
retval = pam_get_item(pamh, PAM_SERVICE, (void *) &service);
if (service == NULL || retval != PAM_SUCCESS) {
- _log_err(LOG_CRIT, "open_session - error recovering service");
+ _log_err(LOG_CRIT, pamh,
+ "open_session - error recovering service");
return PAM_SESSION_ERR;
}
- _log_err(LOG_INFO, "(%s) session opened for user %s by %s(uid=%d)"
- ,service, user_name
+ _log_err(LOG_INFO, pamh, "session opened for user %s by %s(uid=%d)"
+ ,user_name
,PAM_getlogin() == NULL ? "" : PAM_getlogin(), getuid());
return PAM_SUCCESS;
@@ -103,21 +105,23 @@ PAM_EXTERN int pam_sm_close_session(pam_handle_t * pamh, int flags,
D(("called."));
- ctrl = _set_ctrl(flags, NULL, argc, argv);
+ ctrl = _set_ctrl(pamh, flags, NULL, argc, argv);
retval = pam_get_item(pamh, PAM_USER, (void *) &user_name);
if (user_name == NULL || retval != PAM_SUCCESS) {
- _log_err(LOG_CRIT, "close_session - error recovering username");
+ _log_err(LOG_CRIT, pamh,
+ "close_session - error recovering username");
return PAM_SESSION_ERR; /* How did we get authenticated with
no username?! */
}
retval = pam_get_item(pamh, PAM_SERVICE, (void *) &service);
if (service == NULL || retval != PAM_SUCCESS) {
- _log_err(LOG_CRIT, "close_session - error recovering service");
+ _log_err(LOG_CRIT, pamh,
+ "close_session - error recovering service");
return PAM_SESSION_ERR;
}
- _log_err(LOG_INFO, "(%s) session closed for user %s"
- ,service, user_name);
+ _log_err(LOG_INFO, pamh, "session closed for user %s"
+ ,user_name);
return PAM_SUCCESS;
}
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index ed64b344..87a5d938 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -27,12 +27,23 @@ extern char *bigcrypt(const char *key, const char *salt);
/* syslogging function for errors and other information */
-void _log_err(int err, const char *format,...)
+void _log_err(int err, pam_handle_t *pamh, const char *format,...)
{
+ char *service = NULL;
+ char logname[256];
va_list args;
+ pam_get_item(pamh, PAM_SERVICE, (const void **) &service);
+ if (service) {
+ strncpy(logname, service, sizeof(logname));
+ logname[sizeof(logname) - 1 - strlen("(pam_unix)")] = '\0';
+ strncat(logname, "(pam_unix)", strlen("(pam_unix)"));
+ } else {
+ strncpy(logname, "pam_unix", sizeof(logname) - 1);
+ }
+
va_start(args, format);
- openlog("PAM_unix", LOG_CONS | LOG_PID, LOG_AUTH);
+ openlog(logname, LOG_CONS | LOG_PID, LOG_AUTH);
vsyslog(err, format, args);
va_end(args);
closelog();
@@ -58,11 +69,12 @@ static int converse(pam_handle_t * pamh, int ctrl, int nargs
D(("returned from application's conversation function"));
if (retval != PAM_SUCCESS && on(UNIX_DEBUG, ctrl)) {
- _log_err(LOG_DEBUG, "conversation failure [%s]"
+ _log_err(LOG_DEBUG, pamh, "conversation failure [%s]"
,pam_strerror(pamh, retval));
}
} else if (retval != PAM_CONV_AGAIN) {
- _log_err(LOG_ERR, "couldn't obtain coversation function [%s]"
+ _log_err(LOG_ERR, pamh
+ ,"couldn't obtain coversation function [%s]"
,pam_strerror(pamh, retval));
}
D(("ready to return from module conversation"));
@@ -126,7 +138,8 @@ char *PAM_getlogin(void)
* set the control flags for the UNIX module.
*/
-int _set_ctrl(int flags, int *remember, int argc, const char **argv)
+int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int argc,
+ const char **argv)
{
unsigned int ctrl;
@@ -171,7 +184,8 @@ int _set_ctrl(int flags, int *remember, int argc, const char **argv)
}
if (j >= UNIX_CTRLS_) {
- _log_err(LOG_ERR, "unrecognized option [%s]", *argv);
+ _log_err(LOG_ERR, pamh,
+ "unrecognized option [%s]", *argv);
} else {
ctrl &= unix_args[j].mask; /* for turning things off */
ctrl |= unix_args[j].flag; /* for turning things on */
@@ -259,22 +273,21 @@ static void _cleanup_failures(pam_handle_t * pamh, void *fl, int err)
(const void **)&rhost);
(void) pam_get_item(pamh, PAM_TTY,
(const void **)&tty);
- _log_err(LOG_NOTICE,
+ _log_err(LOG_NOTICE, pamh,
"%d more authentication failure%s; "
"logname=%s uid=%d euid=%d "
"tty=%s ruser=%s rhost=%s "
- "service=%s%s%s",
+ "%s%s",
failure->count - 1, failure->count == 2 ? "" : "s",
failure->name, failure->uid, failure->euid,
tty ? tty : "", ruser ? ruser : "",
rhost ? rhost : "",
- service ? service : "**unknown**",
(failure->user && failure->user[0] != '\0')
? " user=" : "", failure->user
);
if (failure->count > UNIX_MAX_RETRIES) {
- _log_err(LOG_ALERT
+ _log_err(LOG_ALERT, pamh
,"service(%s) ignoring max retries; %d > %d"
,service == NULL ? "**unknown**" : service
,failure->count
@@ -506,7 +519,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name
data_name = (char *) malloc(sizeof(FAIL_PREFIX) + strlen(name));
if (data_name == NULL) {
- _log_err(LOG_CRIT, "no memory for data-name");
+ _log_err(LOG_CRIT, pamh, "no memory for data-name");
} else {
strcpy(data_name, FAIL_PREFIX);
strcpy(data_name + sizeof(FAIL_PREFIX) - 1, name);
@@ -518,15 +531,22 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name
/* we are not root perhaps this is the reason? Run helper */
D(("running helper binary"));
retval = _unix_run_helper_binary(pamh, p, ctrl);
+ if (pwd == NULL && !on(UNIX_AUDIT,ctrl)
+ && retval != PAM_SUCCESS)
+ {
+ name = NULL;
+ }
} else {
D(("user's record unavailable"));
if (on(UNIX_AUDIT, ctrl)) {
/* this might be a typo and the user has given a password
instead of a username. Careful with this. */
- _log_err(LOG_ALERT, "check pass; user (%s) unknown", name);
+ _log_err(LOG_ALERT, pamh,
+ "check pass; user (%s) unknown", name);
} else {
name = NULL;
- _log_err(LOG_ALERT, "check pass; user unknown");
+ _log_err(LOG_ALERT, pamh,
+ "check pass; user unknown");
}
p = NULL;
retval = PAM_AUTHINFO_UNAVAIL;
@@ -608,16 +628,15 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name
(void) pam_get_item(pamh, PAM_TTY,
(const void **)&tty);
- _log_err(LOG_NOTICE,
+ _log_err(LOG_NOTICE, pamh,
"authentication failure; "
"logname=%s uid=%d euid=%d "
"tty=%s ruser=%s rhost=%s "
- "service=%s%s%s",
+ "%s%s",
new->name, new->uid, new->euid,
tty ? tty : "",
ruser ? ruser : "",
rhost ? rhost : "",
- service ? service : "**unknown**",
(new->user && new->user[0] != '\0')
? " user=" : "",
new->user
@@ -628,7 +647,8 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name
pam_set_data(pamh, data_name, new, _cleanup_failures);
} else {
- _log_err(LOG_CRIT, "no memory for failure recorder");
+ _log_err(LOG_CRIT, pamh,
+ "no memory for failure recorder");
}
}
}
@@ -684,7 +704,7 @@ int _unix_read_password(pam_handle_t * pamh
retval = pam_get_item(pamh, authtok_flag, (const void **) &item);
if (retval != PAM_SUCCESS) {
/* very strange. */
- _log_err(LOG_ALERT
+ _log_err(LOG_ALERT, pamh
,"pam_get_item returned error to unix-read-password"
);
return retval;
@@ -755,7 +775,7 @@ int _unix_read_password(pam_handle_t * pamh
}
}
} else {
- _log_err(LOG_NOTICE
+ _log_err(LOG_NOTICE, pamh
,"could not recover authentication token");
}
@@ -775,7 +795,8 @@ int _unix_read_password(pam_handle_t * pamh
if (retval != PAM_SUCCESS) {
if (on(UNIX_DEBUG, ctrl))
- _log_err(LOG_DEBUG, "unable to obtain a password");
+ _log_err(LOG_DEBUG, pamh,
+ "unable to obtain a password");
return retval;
}
/* 'token' is the entered password */
@@ -791,7 +812,7 @@ int _unix_read_password(pam_handle_t * pamh
,(const void **) &item))
!= PAM_SUCCESS) {
- _log_err(LOG_CRIT, "error manipulating password");
+ _log_err(LOG_CRIT, pamh, "error manipulating password");
return retval;
}
@@ -803,7 +824,8 @@ int _unix_read_password(pam_handle_t * pamh
retval = pam_set_data(pamh, data_name, (void *) token, _cleanup);
if (retval != PAM_SUCCESS) {
- _log_err(LOG_CRIT, "error manipulating password data [%s]"
+ _log_err(LOG_CRIT, pamh
+ ,"error manipulating password data [%s]"
,pam_strerror(pamh, retval));
_pam_delete(token);
return retval;
diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
index 419f5273..0b6b6e04 100644
--- a/modules/pam_unix/support.h
+++ b/modules/pam_unix/support.h
@@ -124,10 +124,11 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
}
extern char *PAM_getlogin(void);
-extern void _log_err(int err, const char *format,...);
+extern void _log_err(int err, pam_handle_t *pamh, const char *format,...);
extern int _make_remark(pam_handle_t * pamh, unsigned int ctrl
,int type, const char *text);
-extern int _set_ctrl(int flags, int *remember, int argc, const char **argv);
+extern int _set_ctrl(pam_handle_t * pamh, int flags, int *remember, int argc,
+ const char **argv);
extern int _unix_blankpasswd(unsigned int ctrl, const char *name);
extern int _unix_verify_password(pam_handle_t * pamh, const char *name
,const char *p, unsigned int ctrl);