From 265d8a5b9d5df51af0e5b0b62b0d390ec04872ae Mon Sep 17 00:00:00 2001
From: Sebastien Tricaud
Date: Sun, 16 Jan 2005 22:12:24 +0000
Subject: Audit option added
---
 CHANGELOG | 1 +
 doc/modules/pam_tally.sgml | 5 +++++
 modules/pam_tally/README | 1 +
 modules/pam_tally/pam_tally.c | 19 +++++++++++++------
 4 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index f3136f04..de3bbfde 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -62,6 +62,7 @@ BerliOS Bugs are marked with (BerliOS #XXXX).
 0.79: please submit patches for this section with actual code/doc patches!
+* pam_tally: added audit option (toady)
 * pam_unix: don't log user unknown failure when he can be properly authenticated by another module (t8m)
 * configure: don't abort if no cracklib dictinaries were found, but
diff --git a/doc/modules/pam_tally.sgml b/doc/modules/pam_tally.sgml
index 44c6f4ed..afff25ca 100644
--- a/doc/modules/pam_tally.sgml
+++ b/doc/modules/pam_tally.sgml
@@ -73,6 +73,11 @@ of usernames would be much more flexible
 file=/where/to/keep/counts: specify the file location for the counts. The default location is /var/log/faillog.
+ audit:
+ display the username typed if the user is not found. It may be
+ useful for scripts, but you should know users often type their
+ password instead making your system weaker. Activate it only if you
+ know what you are doing.
 Authentication component
diff --git a/modules/pam_tally/README b/modules/pam_tally/README
index 6c7d87f4..c8b715bd 100644
--- a/modules/pam_tally/README
+++ b/modules/pam_tally/README
@@ -9,6 +9,7 @@ SUMMARY:
 * onerr=[succeed|fail] (if something weird happens such as unable to open the file, what to do?)
 * file=/where/to/keep/counts (default /var/log/faillog)
+ * audit (will display the username typed if the user is not found)
 (auth) Authentication phase first checks if user should be denied access
diff --git a/modules/pam_tally/pam_tally.c b/modules/pam_tally/pam_tally.c
index 134f7f32..637f6172 100644
--- a/modules/pam_tally/pam_tally.c
+++ b/modules/pam_tally/pam_tally.c
@@ -11,6 +11,7 @@
 * Stuff stolen from pam_rootok and pam_listfile
 *
 * Changes by Tomas Mraz 5 January 2005
+ * Audit option added for Tomas patch by Sebastien Tricaud 13 January 2005
 */
 #include
@@ -94,6 +95,7 @@ struct tally_options {
 #define OPT_PER_USER 010
 #define OPT_NO_LOCK_TIME 020
 #define OPT_NO_RESET 040
+#define OPT_AUDIT 100
 /*---------------------------------------------------------------------*/
@@ -193,6 +195,9 @@ static int tally_parse_args( struct tally_options *opts, int phase,
 else if ( ! strcmp( *argv, "no_reset" ) ) {
 opts->ctrl |= OPT_NO_RESET;
 }
+ else if ( ! strcmp ( *argv, "audit") ) {
+ opts->ctrl |= OPT_AUDIT;
+ }
 else {
 _pam_log(LOG_ERR, MODULE_NAME ": unknown option; %s",*argv);
 }
@@ -210,7 +215,7 @@ static int tally_parse_args( struct tally_options *opts, int phase,
 static char *cline_user=0; /* cline_user is used in the administration prog */
 #endif
-static int pam_get_uid( pam_handle_t *pamh, uid_t *uid, const char **userp )
+static int pam_get_uid( pam_handle_t *pamh, uid_t *uid, const char **userp, struct tally_options *opts)
 {
 const char *user = NULL;
 struct passwd *pw;
@@ -227,7 +232,9 @@ static int pam_get_uid( pam_handle_t *pamh, uid_t *uid, const char **userp )
 }
 if ( ! ( pw = _pammodutil_getpwnam( pamh, user ) ) ) {
- _pam_log(LOG_ERR,MODULE_NAME ": pam_get_uid; no such user %s",user);
+ opts->ctrl & OPT_AUDIT ?
+ _pam_log(LOG_ERR,MODULE_NAME ": pam_get_uid; no such user %s",user) :
+ _pam_log(LOG_ERR,MODULE_NAME ": pam_get_uid; user unknown");
 return PAM_USER_UNKNOWN;
 }
@@ -589,7 +596,7 @@ PAM_FUNCTION( pam_sm_authenticate ) {
 if ( rvcheck != PAM_SUCCESS ) RETURN_ERROR( rvcheck );
- rvcheck = pam_get_uid(pamh, &uid, &user);
+ rvcheck = pam_get_uid(pamh, &uid, &user, opts);
 if ( rvcheck != PAM_SUCCESS ) RETURN_ERROR( rvcheck );
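Review bot: `#define OPT_AUDIT 100` is a decimal literal in a list of octal flag values (010, 020, 040), so OPT_AUDIT is 0144 and shares bit 040 with OPT_NO_RESET (and bit 04, presumably owned by an earlier flag in the same list); with the test added later in pam_get_uid, `no_reset` alone makes `opts->ctrl & OPT_AUDIT` true, and `audit` alone sets the no_reset bit. Since the documented effect of audit is to log whatever was typed as the user name — which, as the sgml text itself says, is often a password — configurations that only asked for `no_reset` would quietly start writing those strings to syslog. Use the next free octal bit, `#define OPT_AUDIT 0100`. The option list the hunk belongs to starts outside the hunk.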
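Review bot: `opts->ctrl & OPT_AUDIT` dereferences `opts` unconditionally, but the administration program's call in the last hunk (`int i=pam_get_uid( NULL, &uid, NULL, NULL);` in main) passes NULL, so an unknown user name on the command line now crashes the tool instead of printing the PAM_USER_UNKNOWN error. A conditional expression whose two arms are `_pam_log` calls used as a statement is legal C but unusual, and an if/else reads as the intent while giving the NULL check a natural place. Replace the three added lines with `if ( opts != NULL && ( opts->ctrl & OPT_AUDIT ) ) _pam_log(LOG_ERR,MODULE_NAME ": pam_get_uid; no such user %s",user); else _pam_log(LOG_ERR,MODULE_NAME ": pam_get_uid; user unknown");`. The new `opts` parameter introduced in the signature hunk above should carry a comment saying it may be NULL and then selects the non-audit message. pam_get_uid's body starts and ends outside the hunk.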
@@ -617,7 +624,7 @@ PAM_FUNCTION( pam_sm_setcred ) {
 if ( rv != PAM_SUCCESS ) RETURN_ERROR( rv );
- rv = pam_get_uid(pamh, &uid, &user);
+ rv = pam_get_uid(pamh, &uid, &user, opts);
 if ( rv != PAM_SUCCESS ) RETURN_ERROR( rv );
@@ -656,7 +663,7 @@ PAM_FUNCTION( pam_sm_acct_mgmt ) {
 if ( rv != PAM_SUCCESS ) RETURN_ERROR( rv );
- rv = pam_get_uid(pamh, &uid, &user);
+ rv = pam_get_uid(pamh, &uid, &user, opts);
 if ( rv != PAM_SUCCESS ) RETURN_ERROR( rv );
@@ -763,7 +770,7 @@ int main ( int argc, char **argv ) {
 uid_t uid;
 tally_t tally=cline_reset;
 FILE *TALLY=0;
- int i=pam_get_uid( NULL, &uid, NULL);
+ int i=pam_get_uid( NULL, &uid, NULL, NULL);
 if ( i != PAM_SUCCESS ) {
 fprintf(stderr,"%s: %s\n",*argv,pam_errors(i));
 exit(0);
-- cgit v1.2.3