On Thu, Nov 04, 2010 at 09:47:33AM -0400, Stephen Gallagher wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 10/27/2010 07:57 AM, Sumit Bose wrote:
> > Hi,
> >
> > this patch should fix ticket #604, but maybe we want to add some more
> > levels to pam_verbosity and also handle other messages with this patch.
> >
> > Currently I have two questions. First, is more granularity needed for
> > pam_verbosity or is it enough to switch between only important and all
> > messages? Second, if offline_credentials_expiration is set, the
> > 'Authenticated with cached credentials' messages is always display. Is
> > this acceptable or shall we introduce a threshold parameter here?
> >
>
> Nack.
>
> My original thought was that this should be based on severity level.
> pam_verbosity should be:
>
> 0: Do not print any messages at all.
> 1: Print only important messages
> 2: Print informational messages
> 3: Print low-level debug messages
>
>
> If we're at pam_verbosity = 1, then we should see the "Authenticated
> with cached credentials" with the expiration information. At level 0, it
> should be suppressed. At level 2, we should see it even when not using
> offline_credentials_expiration.
>
> Level 3 isn't used right now, but should be available for future use.
Thanks for the comments. I've added the two other levels and modified
the code accordingly. So far only SSS_PAM_USER_INFO_OFFLINE_AUTH is
handled and the level 0 which suppresses all messages.
While making the changes I realized that we do not want to use long long to send
the expiration time and the delay to the client but a more strict
defined type like int64_t. I've added the patch here and not as a
separate one, because the verbosity patch depends on it.
bye,
Sumit
>
> - --
> Stephen Gallagher
> RHCE 804006346421761
>
> Delivering value year after year.
> Red Hat ranks #1 in value among software vendors.
> http://www.redhat.com/promo/vendor/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkzSuXUACgkQeiVVYja6o6OGWwCfaVNB1eWSwfnj5omYzZJqTnam
> SFwAnA3w1bsZWpum+gfTVQwC8bKC44/5
> =QU/C
> -----END PGP SIGNATURE-----
> _______________________________________________
> sssd-devel mailing list
> sssd-devel@lists.fedorahosted.org
> https://fedorahosted.org/mailman/listinfo/sssd-devel
From a4cbb8f8cd490b70a61a0522046e07326bf11233 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Fri, 5 Nov 2010 14:57:13 +0100
Subject: [PATCH 1/2] Avoid long long in messages to PAM client use int64_t
---
src/responder/pam/pamsrv_cmd.c | 14 +++++++-------
src/sss_client/pam_sss.c | 12 ++++++------
src/sss_client/sss_cli.h | 6 +++---
3 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 7bfd0f2..1ba6f17 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -507,21 +507,21 @@ static void pam_cache_auth_done(struct pam_auth_req
*preq, int ret,
uint32_t resp_type;
size_t resp_len;
uint8_t *resp;
- long long dummy;
+ int64_t dummy;
switch (ret) {
case EOK:
preq->pd->pam_status = PAM_SUCCESS;
resp_type = SSS_PAM_USER_INFO_OFFLINE_AUTH;
- resp_len = sizeof(uint32_t) + sizeof(long long);
+ resp_len = sizeof(uint32_t) + sizeof(int64_t);
resp = talloc_size(preq->pd, resp_len);
if (resp == NULL) {
DEBUG(1, ("talloc_size failed, cannot prepare user info.\n"));
} else {
memcpy(resp, &resp_type, sizeof(uint32_t));
- dummy = (long long) expire_date;
- memcpy(resp+sizeof(uint32_t), &dummy, sizeof(long long));
+ dummy = (int64_t) expire_date;
+ memcpy(resp+sizeof(uint32_t), &dummy, sizeof(int64_t));
ret = pam_add_response(preq->pd, SSS_PAM_USER_INFO, resp_len,
(const uint8_t *) resp);
if (ret != EOK) {
@@ -539,14 +539,14 @@ static void pam_cache_auth_done(struct pam_auth_req
*preq, int ret,
preq->pd->pam_status = PAM_PERM_DENIED;
if (delayed_until >= 0) {
resp_type = SSS_PAM_USER_INFO_OFFLINE_AUTH_DELAYED;
- resp_len = sizeof(uint32_t) + sizeof(long long);
+ resp_len = sizeof(uint32_t) + sizeof(int64_t);
resp = talloc_size(preq->pd, resp_len);
if (resp == NULL) {
DEBUG(1, ("talloc_size failed, cannot prepare user
info.\n"));
} else {
memcpy(resp, &resp_type, sizeof(uint32_t));
- dummy = (long long) delayed_until;
- memcpy(resp+sizeof(uint32_t), &dummy, sizeof(long long));
+ dummy = (int64_t) delayed_until;
+ memcpy(resp+sizeof(uint32_t), &dummy, sizeof(int64_t));
ret = pam_add_response(preq->pd, SSS_PAM_USER_INFO,
resp_len,
(const uint8_t *) resp);
if (ret != EOK) {
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 644073f..f7876c2 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -567,19 +567,19 @@ static int user_info_offline_auth(pam_handle_t *pamh,
size_t buflen,
uint8_t *buf)
{
int ret;
- long long expire_date;
+ int64_t expire_date;
struct tm tm;
char expire_str[128];
char user_msg[256];
expire_str[0] = '\0';
- if (buflen != sizeof(uint32_t) + sizeof(long long)) {
+ if (buflen != sizeof(uint32_t) + sizeof(int64_t)) {
D(("User info response data has the wrong size"));
return PAM_BUF_ERR;
}
- memcpy(&expire_date, buf + sizeof(uint32_t), sizeof(long long));
+ memcpy(&expire_date, buf + sizeof(uint32_t), sizeof(int64_t));
if (expire_date > 0) {
if (localtime_r((time_t *) &expire_date, &tm) != NULL) {
@@ -690,19 +690,19 @@ static int user_info_offline_auth_delayed(pam_handle_t
*pamh, size_t buflen,
uint8_t *buf)
{
int ret;
- long long delayed_until;
+ int64_t delayed_until;
struct tm tm;
char delay_str[128];
char user_msg[256];
delay_str[0] = '\0';
- if (buflen != sizeof(uint32_t) + sizeof(long long)) {
+ if (buflen != sizeof(uint32_t) + sizeof(int64_t)) {
D(("User info response data has the wrong size"));
return PAM_BUF_ERR;
}
- memcpy(&delayed_until, buf + sizeof(uint32_t), sizeof(long long));
+ memcpy(&delayed_until, buf + sizeof(uint32_t), sizeof(int64_t));
if (delayed_until <= 0) {
D(("User info response data has an invalid value"));
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index fcea8e6..f8ccb4f 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -364,7 +364,7 @@ enum user_info_type {
* @param Time when the cached
* password will expire in seconds
* since the UNIX Epoch as returned
- * by time(2) as long long. A value
+ * by time(2) as int64_t. A value
* of zero indicates that the
* cached password will never
* expire. */
@@ -375,8 +375,8 @@ enum user_info_type {
* @param Time when an
* authentication is allowed again
* in seconds since the UNIX Epoch
- * as returned by time(2) as long
- * long. */
+ * as returned by time(2) as
+ * int64_t. */
SSS_PAM_USER_INFO_OFFLINE_CHPASS, /**< * Tell the user that it is not
* possible to change the password while
* the system is offline. This message
--
1.7.3.1
From 2efd108a573abff0470f1b2c8601b1ccc583d116 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Wed, 27 Oct 2010 13:34:54 +0200
Subject: [PATCH 2/2] Introduce pam_verbosity config option
Currently we display all PAM messages generated by sssd to the user. But
only some of them are important and others are just some useful
information.
This patch introduces a new option to the PAM responder which controls
what kind of messages are displayed. As an example the 'Authenticated
with cached credentials' message is used. This message is only displayed
if pam_verbosity=1 or if there is an expire date.
---
src/confdb/confdb.h | 1 +
src/config/SSSDConfig.py | 1 +
src/config/etc/sssd.api.conf | 1 +
src/man/sssd.conf.5.xml | 31 ++++++++++++
src/providers/data_provider.h | 1 +
src/responder/pam/pamsrv_cmd.c | 101 +++++++++++++++++++++++++++++++++++----
6 files changed, 125 insertions(+), 11 deletions(-)
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 5726ad5..eccb98d 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -80,6 +80,7 @@
#define CONFDB_DEFAULT_PAM_FAILED_LOGIN_ATTEMPTS 0
#define CONFDB_PAM_FAILED_LOGIN_DELAY "offline_failed_login_delay"
#define CONFDB_DEFAULT_PAM_FAILED_LOGIN_DELAY 5
+#define CONFDB_PAM_VERBOSITY "pam_verbosity"
/* Data Provider */
#define CONFDB_DP_CONF_ENTRY "config/dp"
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index d27d2f8..1f54b47 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -63,6 +63,7 @@ option_strings = {
'offline_credentials_expiration' : _('How long to allow cached logins
between online logins (days)'),
'offline_failed_login_attempts' : _('How many failed logins attempts are
allowed when offline'),
'offline_failed_login_delay' : _('How long (minutes) to deny login after
offline_failed_login_attempts has been reached'),
+ 'pam_verbosity' : _('What kind of messages are displayed to the user
during authentication'),
# [provider]
'id_provider' : _('Identity provider'),
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index ca85ed7..3bd0cc4 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -33,6 +33,7 @@ pwfield = str, None, false
offline_credentials_expiration = int, None, false
offline_failed_login_attempts = int, None, false
offline_failed_login_delay = int, None, false
+pam_verbosity = int, None, false
[provider]
#Available provider types
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 60ba169..2bba380 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -409,6 +409,37 @@
</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term>pam_verbosity (integer)</term>
+ <listitem>
+ <para>
+ Controls what kind of messages are shown to the
user
+ during authentication. The higher the number to
more
+ messages are displayed.
+ </para>
+ <para>
+ Currently sssd supports the following values:
+ </para>
+ <para>
+ <emphasis>0</emphasis>: do not show any message
+ </para>
+ <para>
+ <emphasis>1</emphasis>: show only important
+ messages
+ </para>
+ <para>
+ <emphasis>2</emphasis>: show informational
messages
+ </para>
+ <para>
+ <emphasis>3</emphasis>: show all messages and
debug
+ information
+ </para>
+ <para>
+ Default: 1
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect2>
</refsect1>
diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h
index 062c36e..819a2d7 100644
--- a/src/providers/data_provider.h
+++ b/src/providers/data_provider.h
@@ -159,6 +159,7 @@ struct response_data {
int32_t type;
int32_t len;
uint8_t *data;
+ bool do_not_send_to_client;
struct response_data *next;
};
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 1ba6f17..25031e1 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -31,6 +31,15 @@
#include "responder/pam/pamsrv.h"
#include "db/sysdb.h"
+enum pam_verbosity {
+ PAM_VERBOSITY_NO_MESSAGES = 0,
+ PAM_VERBOSITY_IMPORTANT,
+ PAM_VERBOSITY_INFO,
+ PAM_VERBOSITY_DEBUG
+};
+
+#define DEFAULT_PAM_VERBOSITY PAM_VERBOSITY_IMPORTANT
+
static void pam_reply(struct pam_auth_req *preq);
static int extract_authtok(uint32_t *type, uint32_t *size, uint8_t **tok,
uint8_t *body, size_t blen, size_t *c) {
@@ -319,6 +328,59 @@ fail:
return ret;
}
+static errno_t filter_responses(struct response_data *resp_list,
+ int pam_verbosity)
+{
+ struct response_data *resp;
+ uint32_t user_info_type;
+ int64_t expire_date;
+
+ resp = resp_list;
+
+ while(resp != NULL) {
+ if (resp->type == SSS_PAM_USER_INFO) {
+ if (resp->len < sizeof(uint32_t)) {
+ DEBUG(1, ("User info entry is too short.\n"));
+ return EINVAL;
+ }
+
+ if (pam_verbosity == PAM_VERBOSITY_NO_MESSAGES) {
+ resp->do_not_send_to_client = true;
+ resp = resp->next;
+ continue;
+ }
+
+ memcpy(&user_info_type, resp->data, sizeof(uint32_t));
+
+ resp->do_not_send_to_client = false;
+ switch (user_info_type) {
+ case SSS_PAM_USER_INFO_OFFLINE_AUTH:
+ if (resp->len != sizeof(uint32_t) + sizeof(int64_t)) {
+ DEBUG(1, ("User info offline auth entry is "
+ "too short.\n"));
+ return EINVAL;
+ }
+ memcpy(&expire_date, resp->data + sizeof(uint32_t),
+ sizeof(int64_t));
+ if ((expire_date == 0 &&
+ pam_verbosity < PAM_VERBOSITY_INFO) ||
+ (expire_date > 0 &&
+ pam_verbosity < PAM_VERBOSITY_IMPORTANT)) {
+ resp->do_not_send_to_client = true;
+ }
+
+ break;
+ default:
+ DEBUG(7, ("User info type [%d] not filtered.\n"));
+ }
+ }
+
+ resp = resp->next;
+ }
+
+ return EOK;
+}
+
static void pam_reply_delay(struct tevent_context *ev, struct tevent_timer *te,
struct timeval tv, void *pvt)
{
@@ -352,9 +414,12 @@ static void pam_reply(struct pam_auth_req *preq)
uint32_t user_info_type;
time_t exp_date = -1;
time_t delay_until = -1;
+ int pam_verbosity = 0;
pd = preq->pd;
cctx = preq->cctx;
+ pctx = talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
+
DEBUG(4, ("pam_reply get called.\n"));
@@ -376,9 +441,6 @@ static void pam_reply(struct pam_auth_req *preq)
goto done;
}
- pctx = talloc_get_type(preq->cctx->rctx->pvt_ctx,
- struct pam_ctx);
-
ret = sysdb_cache_auth(preq, sysdb,
preq->domain, pd->user,
pd->authtok, pd->authtok_size,
@@ -453,6 +515,19 @@ static void pam_reply(struct pam_auth_req *preq)
goto done;
}
+ ret = confdb_get_int(pctx->rctx->cdb, pd, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_VERBOSITY, DEFAULT_PAM_VERBOSITY,
+ &pam_verbosity);
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to read PAM verbosity, not fatal.\n"));
+ pam_verbosity = 0;
+ }
+
+ ret = filter_responses(pd->resp_list, pam_verbosity);
+ if (ret != EOK) {
+ DEBUG(1, ("filter_responses failed, not fatal.\n"));
+ }
+
if (pd->domain != NULL) {
pam_add_response(pd, SSS_PAM_DOMAIN_NAME, strlen(pd->domain)+1,
(uint8_t *) pd->domain);
@@ -462,8 +537,10 @@ static void pam_reply(struct pam_auth_req *preq)
resp_size = 0;
resp = pd->resp_list;
while(resp != NULL) {
- resp_c++;
- resp_size += resp->len;
+ if (!resp->do_not_send_to_client) {
+ resp_c++;
+ resp_size += resp->len;
+ }
resp = resp->next;
}
@@ -487,12 +564,14 @@ static void pam_reply(struct pam_auth_req *preq)
resp = pd->resp_list;
while(resp != NULL) {
- memcpy(&body[p], &resp->type, sizeof(int32_t));
- p += sizeof(int32_t);
- memcpy(&body[p], &resp->len, sizeof(int32_t));
- p += sizeof(int32_t);
- memcpy(&body[p], resp->data, resp->len);
- p += resp->len;
+ if (!resp->do_not_send_to_client) {
+ memcpy(&body[p], &resp->type, sizeof(int32_t));
+ p += sizeof(int32_t);
+ memcpy(&body[p], &resp->len, sizeof(int32_t));
+ p += sizeof(int32_t);
+ memcpy(&body[p], resp->data, resp->len);
+ p += resp->len;
+ }
resp = resp->next;
}
--
1.7.3.1
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
