On 02/20/2015 11:48 AM, Sumit Bose wrote:
On Thu, Feb 19, 2015 at 06:03:03PM +0100, Pavel Reichl wrote:
On 02/19/2015 10:54 AM, Sumit Bose wrote:
On Thu, Feb 12, 2015 at 03:52:55PM +0100, Pavel Reichl wrote:
On 02/11/2015 05:50 PM, Sumit Bose wrote:
On Wed, Feb 11, 2015 at 04:56:48PM +0100, Pavel Reichl wrote:
Hello,
please see attached patch. I'm not sure whether using pam_strerror() is the
right thing to do. It might be better to use our own string?
I'm also not sure about using _(STRING) macro on the output of
pam_strerror().
The _() macro will not work here. You can use it only to enclose literal
strings. The strings will then be extracted into the *.pot file and
translators can pick them for translation. In the pam_strerror() case
libpam has to take care of the translations.
I attached the output of a sequence of commands to show the differences.
1) This is the output without the patch applied.
$ su john
Password:
su: User account has expired
ssh -l john `hostname`
Connection closed by 192.168.122.166
#not matching key
$ ssh -l john `hostname` -i /tmp/local
j...@dev.local.test's password:
Connection closed by 192.168.122.166
2) This is the output when the patch is applied. Please note the duplicated message when
using su.
The service name is available, so you can add this only if ssh is used.
$ su john
Password:
User account has expired
su: User account has expired
$ ssh -l john `hostname`
User account has expired
Connection closed by 192.168.122.166
#not matching key
$ ssh -l john `hostname` -i /tmp/local
j...@dev.local.test's password:
User account has expired
Connection closed by 192.168.122.166
Thanks for comments.
From 953f1721996e6c2bf8ee53ea232de2240f168d94 Mon Sep 17 00:00:00 2001
From: Pavel Reichl <prei...@redhat.com>
Date: Wed, 11 Feb 2015 19:38:16 -0500
Subject: [PATCH] PAM: do not reject abruptly
If account has expired use pam_conversation to pass message.
Resolves:
https://fedorahosted.org/sssd/ticket/2050
---
src/sss_client/pam_sss.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index fdf6c9e6da75c9f7eaa7c00d9a5792fbdd97eabc..767b2a839e9f001be52c5ff4c7651b0f06ba4221 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1585,6 +1585,13 @@ static int pam_sss(enum sss_cli_command task,
pam_handle_t *pamh,
D(("do_pam_conversation failed."));
}
pam_status = PAM_NEW_AUTHTOK_REQD;
+ } else if (pam_status == PAM_ACCT_EXPIRED) {
+ ret = do_pam_conversation(pamh, PAM_TEXT_INFO,
+ _(pam_strerror(pamh, pam_status)),
+ NULL, NULL);
+ if (ret != PAM_SUCCESS) {
+ D(("do_pam_conversation failed."));
+ }
I would recommend not doing this in pam_sss directly but sending a
SSS_PAM_USER_INFO response back to pam_sss. This response can e.g. be
generated in the pam responder if pam_status == PAM_ACCT_EXPIRED and the
service is sshd. Doing it in the pam responder has the advantage that
you do not have to duplicate code in the backends. Additionally it is
easier to configure the behavior. E.g. you can check pam_verbosity and
only add this message if the level is 2 (1?) or higher.
bye,
Sumit
}
break;
case SSS_PAM_CHAUTHTOK:
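Review bot: `_(pam_strerror(pamh, pam_status))` in the new `else if (pam_status == PAM_ACCT_EXPIRED)` branch wraps a runtime string, so gettext extraction never sees it and the `_()` is a no-op at best; either drop the `_()` or pass a literal string of the module's own. The branch also fires for every PAM service, which is what produces the doubled "User account has expired" line under su in the transcript above; restricting it by service name, or moving the decision into the responder as suggested, avoids that.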
--
2.1.0
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
Thanks for comments. Please see updated patch.
Thank you, that patch looks good and is working as expected.
As a side note, when using IPA or AD with passwords, the authentication
already fails for an expired account, and it looks like ssh does not
show PAM messages during the authentication phase; you will only see:
# ssh -l exp_user@ad.devel localhost
exp_user@ad.devel@localhost's password:
Permission denied, please try again.
exp_user@ad.devel@localhost's password:
Permission denied, please try again.
exp_user@ad.devel@localhost's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
But I think it is ok, since ssh says 'Permission denied' and the PAM
message can still be found in the secure log or journal.
I was thinking about the "Your account has expired. " message which
might give an attacker the information that it is not worth continuing
with this account. My first idea was to only show the message if
pam_verbosity is 2 or higher. But this won't cover the ssh case in the
default installation.
My suggestion would be to make the message mandatory in
SSS_PAM_USER_INFO_ACCOUNT_EXPIRED and by default add 'Permission
denied' as a message in the PAM responder. For more flexibility we might
want to add a pam_account_expired_message option which defaults to
'Permission denied' but can be set by the admin to something like
'Account expired, please call help desk'.
Additionally you might want to consider adding this message for all
services if pam_verbosity is 2 or higher. This would make it easier to
cover other services which do not add useful error messages on their own,
like ssh. And since it is not the default, having multiple messages for
services like su might be acceptable.
bye,
Sumit
Thanks for the feedback. The updated patch set is attached.
I didn't make any changes in the first patch.
Thank you, patches are looking good and pass CI
http://sssd-ci.duckdns.org/logs/job/7/77/summary.html .
Nevertheless I've found two small issues:
...
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index fdf6c9e6da75c9f7eaa7c00d9a5792fbdd97eabc..9b8fe0dcb09ca30b5bc1ff4c9b68b329e1839852 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -60,6 +60,9 @@
#define OPT_RETRY_KEY "retry="
#define OPT_DOMAINS_KEY "domains="
+#define EXP_ACC_MSG "Your account has expired. "
+#define SRV_MSG "Server message: "
+
struct pam_items {
const char* pam_service;
const char* pam_user;
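Review bot: the literals in `#define EXP_ACC_MSG "Your account has expired. "` and `#define SRV_MSG "Server message: "` are never seen by xgettext, so they do not reach the .pot file; wrap the literal in `_()` inside the `#define` itself (`#define EXP_ACC_MSG _("Your account has expired. ")`) rather than applying `_()` to the macro at the use site.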
@@ -797,6 +800,63 @@ static int user_info_otp_chpass(pam_handle_t *pamh)
return PAM_SUCCESS;
}
...
+
+ bufsize = strlen(_(EXP_ACC_MSG)) + 1;
+
+ if (msg_len > 0) {
+ bufsize += strlen(_(SRV_MSG)) + msg_len;
+ }
+
+ user_msg = (char *)malloc(sizeof(char) * bufsize);
+ if (!user_msg) {
+ D(("Out of memory."));
+ return PAM_SYSTEM_ERR;
+ }
+
+ ret = snprintf(user_msg, bufsize, "%s%s%.*s",
+ _(EXP_ACC_MSG),
+ msg_len > 0 ? _(SRV_MSG) : "",
+ msg_len,
+ msg_len > 0 ? (char *)(buf + 2 * sizeof(uint32_t)) : "" );
+ if (ret < 0 || ret > bufsize) {
+ D(("snprintf failed."));
+
+ free(user_msg);
+ return PAM_SYSTEM_ERR;
+ }
+
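Review bot: the truncation test `if (ret < 0 || ret > bufsize)` after the `snprintf` is off by one: `snprintf` returns the length it wanted to write excluding the NUL, so `ret == bufsize` already means the output was cut; use `(size_t)ret >= bufsize`, which also removes the signed/unsigned comparison between `int ret` and `size_t bufsize`. `msg_len` is a `uint32_t` handed to `%.*s`, whose precision argument is an `int`; cast it explicitly so the intent is visible.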
The messages are not properly added to the pot file, I think you have to
add the _() already in the #define lines.
...
Fixed.
@@ -570,7 +572,6 @@ static void pam_reply(struct pam_auth_req *preq)
" [%s]!\n", preq->domain->name);
goto done;
}
-
ret = sss_authtok_get_password(pd->authtok, &password, NULL);
if (ret) {
DEBUG(SSSDBG_FATAL_FAILURE, "Failed to get password.\n");
why do you not like this extra line?
It's not personal. It's just a typo. :-)
Fixed.
bye,
Sumit
Thanks!
From 70de230740844ead0a68f31dbff095bbcfe75aa2 Mon Sep 17 00:00:00 2001
From: Pavel Reichl <prei...@redhat.com>
Date: Wed, 11 Feb 2015 19:38:16 -0500
Subject: [PATCH 1/3] PAM: do not reject abruptly
If account has expired then pass message.
Resolves:
https://fedorahosted.org/sssd/ticket/2050
---
src/responder/pam/pamsrv_cmd.c | 53 ++++++++++++++++++++++++++++++++++
src/sss_client/pam_sss.c | 64 +++++++++++++++++++++++++++++++++++++++++-
src/sss_client/sss_cli.h | 18 +++++++++---
3 files changed, 130 insertions(+), 5 deletions(-)
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 90cdbec519587a0d5dd680bfe3a991d896d6c008..c874cae61960ffa17dbe8aab7b96b792d65ac618 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -44,6 +44,54 @@ enum pam_verbosity {
static void pam_reply(struct pam_auth_req *preq);
+static errno_t pack_user_info_account_expired(TALLOC_CTX *mem_ctx,
+ const char *user_error_message,
+ size_t *resp_len,
+ uint8_t **_resp)
+{
+ uint32_t resp_type = SSS_PAM_USER_INFO_ACCOUNT_EXPIRED;
+ size_t err_len;
+ uint8_t *resp;
+ size_t p;
+
+ err_len = strlen(user_error_message);
+ *resp_len = 2 * sizeof(uint32_t) + err_len;
+ resp = talloc_size(mem_ctx, *resp_len);
+ if (resp == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n");
+ return ENOMEM;
+ }
+
+ p = 0;
+ SAFEALIGN_SET_UINT32(&resp[p], resp_type, &p);
+ SAFEALIGN_SET_UINT32(&resp[p], err_len, &p);
+ safealign_memcpy(&resp[p], user_error_message, err_len, &p);
+ if (p != *resp_len) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Size mismatch\n");
+ }
+
+ *_resp = resp;
+ return EOK;
+}
+
+static void inform_account_expired(struct pam_data* pd)
+{
+ size_t msg_len;
+ uint8_t *msg;
+ errno_t ret;
+
+ ret = pack_user_info_account_expired(pd, "", &msg_len, &msg);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "pack_user_info_account_expired failed.\n");
+ } else {
+ ret = pam_add_response(pd, SSS_PAM_USER_INFO, msg_len, msg);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
+ }
+ }
+}
+
static bool is_domain_requested(struct pam_data *pd, const char *domain_name)
{
int i;
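Review bot: in `pack_user_info_account_expired`, the `if (p != *resp_len)` branch only logs "Size mismatch" and then falls through to `*_resp = resp; return EOK;`, handing back a buffer whose length field disagrees with its payload; return an error (and `talloc_free(resp)`) instead, because the client side rejects such a response outright with `PAM_BUF_ERR`. `err_len` is a `size_t` written through `SAFEALIGN_SET_UINT32`, so a message longer than `UINT32_MAX` would be silently truncated in the length field; an explicit bound check before packing makes that visible.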
@@ -609,6 +657,11 @@ static void pam_reply(struct pam_auth_req *preq)
goto done;
}
+ if (pd->pam_status == PAM_ACCT_EXPIRED && pd->service != NULL &&
+ strcasecmp(pd->service, "sshd") == 0) {
+ inform_account_expired(pd);
+ }
+
ret = filter_responses(pctx->rctx->cdb, pd->resp_list);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "filter_responses failed, not fatal.\n");
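Review bot: the `strcasecmp(pd->service, "sshd") == 0` condition deserves a comment explaining why sshd alone gets the message (sshd closes the connection on an expired account without showing the PAM conversation, as the transcripts earlier in the thread show); the reason is only written down in the third patch's comment, and a reader of this commit on its own cannot tell why other services are excluded.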
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index fdf6c9e6da75c9f7eaa7c00d9a5792fbdd97eabc..59529796c682416d49c7f92f5feea3b0ace8d2d4 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -60,6 +60,9 @@
#define OPT_RETRY_KEY "retry="
#define OPT_DOMAINS_KEY "domains="
+#define EXP_ACC_MSG _("Your account has expired. ")
+#define SRV_MSG _("Server message: ")
+
struct pam_items {
const char* pam_service;
const char* pam_user;
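Review bot: the trailing space in `_("Your account has expired. ")` and `_("Server message: ")` is part of the msgid, so a translator who drops it changes how the pieces are joined in `user_info_account_expired`; emit the separator from the format string instead and keep the translatable strings free of padding.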
@@ -797,6 +800,63 @@ static int user_info_otp_chpass(pam_handle_t *pamh)
return PAM_SUCCESS;
}
+static int user_info_account_expired(pam_handle_t *pamh, size_t buflen,
+ uint8_t *buf)
+{
+ int ret;
+ uint32_t msg_len;
+ char *user_msg;
+ size_t bufsize = 0;
+
+ /* resp_type and length of message are expected to be in buf */
+ if (buflen < 2* sizeof(uint32_t)) {
+ D(("User info response data is too short"));
+ return PAM_BUF_ERR;
+ }
+
+ /* msg_len = legth of message */
+ memcpy(&msg_len, buf + sizeof(uint32_t), sizeof(uint32_t));
+
+ if (buflen != 2* sizeof(uint32_t) + msg_len) {
+ D(("User info response data has the wrong size"));
+ return PAM_BUF_ERR;
+ }
+
+ bufsize = strlen(EXP_ACC_MSG) + 1;
+
+ if (msg_len > 0) {
+ bufsize += strlen(SRV_MSG) + msg_len;
+ }
+
+ user_msg = (char *)malloc(sizeof(char) * bufsize);
+ if (!user_msg) {
+ D(("Out of memory."));
+ return PAM_SYSTEM_ERR;
+ }
+
+ ret = snprintf(user_msg, bufsize, "%s%s%.*s",
+ EXP_ACC_MSG,
+ msg_len > 0 ? SRV_MSG : "",
+ msg_len,
+ msg_len > 0 ? (char *)(buf + 2 * sizeof(uint32_t)) : "" );
+ if (ret < 0 || ret > bufsize) {
+ D(("snprintf failed."));
+
+ free(user_msg);
+ return PAM_SYSTEM_ERR;
+ }
+
+ ret = do_pam_conversation(pamh, PAM_TEXT_INFO, user_msg, NULL, NULL);
+ free(user_msg);
+ if (ret != PAM_SUCCESS) {
+ D(("do_pam_conversation failed."));
+
+ return PAM_SYSTEM_ERR;
+ }
+
+ return PAM_SUCCESS;
+}
+
static int user_info_chpass_error(pam_handle_t *pamh, size_t buflen,
uint8_t *buf)
{
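Review bot: `if (ret < 0 || ret > bufsize)` in `user_info_account_expired` lets a truncated result through: `snprintf` returns the untruncated length without the NUL, so `ret == bufsize` means the last byte was cut, and the comparison should be `(size_t)ret >= bufsize` (which also fixes the `int` versus `size_t` comparison). The `%.*s` precision is an `int` but `msg_len` is `uint32_t`; add a `(int)` cast. `malloc(sizeof(char) * bufsize)` can simply be `malloc(bufsize)`. The length checks before the copy (`buflen < 2* sizeof(uint32_t)` and `buflen != 2* sizeof(uint32_t) + msg_len`) are the right shape; a stray space in `2* sizeof` is the only nit there.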
@@ -852,7 +912,6 @@ static int user_info_chpass_error(pam_handle_t *pamh, size_t buflen,
return PAM_SUCCESS;
}
-
static int eval_user_info_response(pam_handle_t *pamh, size_t buflen,
uint8_t *buf)
{
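Review bot: this hunk only deletes the blank line between `user_info_chpass_error` and `eval_user_info_response`, an unrelated whitespace change of the same kind that was flagged for pamsrv_cmd.c earlier in the thread; drop it from the patch.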
@@ -888,6 +947,9 @@ static int eval_user_info_response(pam_handle_t *pamh, size_t buflen,
case SSS_PAM_USER_INFO_CHPASS_ERROR:
ret = user_info_chpass_error(pamh, buflen, buf);
break;
+ case SSS_PAM_USER_INFO_ACCOUNT_EXPIRED:
+ ret = user_info_account_expired(pamh, buflen, buf);
+ break;
default:
D(("Unknown user info type [%d]", type));
ret = PAM_SYSTEM_ERR;
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index 6286077fcf25aead1dfcba5c6483e4ff8ae63b9f..d508a0671cd1b3ee087e0967f7015628ceabe20f 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -461,15 +461,25 @@ enum user_info_type {
* indicates that no message is following.
* @param String with the specified
* length. */
+
SSS_PAM_USER_INFO_GRACE_LOGIN, /**< Warn the user that the password is
* expired and inform about the remaining
* number of grace logins.
* @param The number of remaining grace
* logins as uint32_t */
- SSS_PAM_USER_INFO_EXPIRE_WARN /**< Warn the user that the password will
- * expire soon.
- * @param Number of seconds before the user's
- * password will expire. */
+ SSS_PAM_USER_INFO_EXPIRE_WARN, /**< Warn the user that the password will
+ * expire soon.
+ * @param Number of seconds before the
+ * user's password will expire. */
+
+ SSS_PAM_USER_INFO_ACCOUNT_EXPIRED, /**< Tell the user that the account
+ * has expired and optionally give
+ * a reason.
+ * @param Size of the message as
+ * unsigned 32-bit integer value. A
+ * value of 0 indicates that no message
+ * is following. @param String with the
+ * specified length. */
};
/**
* @}
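Review bot: `SSS_PAM_USER_INFO_ACCOUNT_EXPIRED` is appended as the last enumerator, which is correct for a value that crosses the client/responder boundary since the existing numbering is unchanged; the added blank line before `SSS_PAM_USER_INFO_GRACE_LOGIN` is unrelated and can go. The doc comment says the type may "optionally give a reason", but `inform_account_expired` in this patch always sends an empty string; either say the string is reserved for a configurable message or adjust the wording so readers do not expect a backend-supplied reason.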
--
2.1.0
From d2e1ceb7599d82df9cbc14a4d6ceb8a95a3ed922 Mon Sep 17 00:00:00 2001
From: Pavel Reichl <prei...@redhat.com>
Date: Thu, 19 Feb 2015 11:17:36 -0500
Subject: [PATCH 2/3] PAM: new option pam_account_expired_message
This option sets string to be printed when authenticating using SSH
keys and account is expired.
Resolves:
https://fedorahosted.org/sssd/ticket/2050
---
src/confdb/confdb.h | 1 +
src/config/SSSDConfig/__init__.py.in | 1 +
src/config/etc/sssd.api.conf | 1 +
src/man/sssd.conf.5.xml | 21 +++++++++++++++++++++
src/responder/pam/pamsrv_cmd.c | 14 ++++++++++----
src/sss_client/pam_sss.c | 2 +-
6 files changed, 35 insertions(+), 5 deletions(-)
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index b5c4999a3179a6f1303d31f24f2ca5680cf69ac6..19c56402069f9a7001188e91f77db8ad8525d690 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -114,6 +114,7 @@
#define CONFDB_PAM_PWD_EXPIRATION_WARNING "pam_pwd_expiration_warning"
#define CONFDB_PAM_TRUSTED_USERS "pam_trusted_users"
#define CONFDB_PAM_PUBLIC_DOMAINS "pam_public_domains"
+#define CONFDB_PAM_ACCOUNT_EXPIRED_MESSAGE "pam_account_expired_message"
/* SUDO */
#define CONFDB_SUDO_CONF_ENTRY "config/sudo"
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index aad0b2ce422b009f1bc95f3377bad34af4495776..dbbffebf38977e526cf2944510a2f60da7edf33a 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -88,6 +88,7 @@ option_strings = {
'pam_pwd_expiration_warning' : _('How many days before password expiration a warning should be displayed'),
'pam_trusted_users' : _('List of trusted uids or user\'s name'),
'pam_public_domains' : _('List of domains accessible even for untrusted users.'),
+ 'pam_account_expired_message' : _('Message printed when user account is expired.'),
# [sudo]
'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 3503635e07bbd0511349a9b5b9d05c30c6825bf3..4fa542704fbd3af065843e777b84b6305ec3e78b 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -58,6 +58,7 @@ pam_pwd_expiration_warning = int, None, false
get_domains_timeout = int, None, false
pam_trusted_users = str, None, false
pam_public_domains = str, None, false
+pam_account_expired_message = str, None, false
[sudo]
# sudo service
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index cf0821dfa1cb54a67a7b880b3818f26375a0af7c..ca4e602d33ddca25f2b456f8465d8d02c2201ac4 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -933,6 +933,27 @@ fallback_homedir = /home/%u
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>pam_account_expired_message (string)</term>
+ <listitem>
+ <para>
+ If user is authenticating using SSH keys and
+ account is expired then by default
+ 'Permission denied' is output. This output will
+ be changed to content of this variable if it is
+ set.
+ </para>
+ <para>
+ example:
+ <programlisting>
+pam_account_expired_message = Account expired, please call help desk.
+ </programlisting>
+ </para>
+ <para>
+ Default: none
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect2>
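Review bot: the description of `pam_account_expired_message` does not match what the client prints: `pam_sss.c` emits `EXP_ACC_MSG` ("Permission denied. ") followed by "Server message: " and the option text, so the configured string is appended to the default, not substituted for it, and "Default: none" contradicts the sentence saying 'Permission denied' is output by default. Reword along the lines of: if the account is expired and the service is sshd, pam_sss prints "Permission denied." and, when this option is set, "Server message: " followed by its value.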
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index c874cae61960ffa17dbe8aab7b96b792d65ac618..a9c1b49d7ccf361404b02fb4c4a8ae260f9498cc 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -74,13 +74,14 @@ static errno_t pack_user_info_account_expired(TALLOC_CTX *mem_ctx,
return EOK;
}
-static void inform_account_expired(struct pam_data* pd)
+static void inform_account_expired(struct pam_data* pd,
+ const char *pam_message)
{
size_t msg_len;
uint8_t *msg;
errno_t ret;
- ret = pack_user_info_account_expired(pd, "", &msg_len, &msg);
+ ret = pack_user_info_account_expired(pd, pam_message, &msg_len, &msg);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"pack_user_info_account_expired failed.\n");
@@ -544,6 +545,7 @@ static void pam_reply(struct pam_auth_req *preq)
uint32_t user_info_type;
time_t exp_date = -1;
time_t delay_until = -1;
+ char* pam_account_expired_message;
pd = preq->pd;
cctx = preq->cctx;
@@ -620,7 +622,7 @@ static void pam_reply(struct pam_auth_req *preq)
ret = gettimeofday(&tv, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "gettimeofday failed [%d][%s].\n",
- errno, strerror(errno));
+ errno, strerror(errno));
goto done;
}
tv.tv_sec += pd->response_delay;
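Review bot: the hunk around `errno, strerror(errno));` only re-indents a continuation line of an unrelated DEBUG call; drop it or move it to a separate whitespace commit.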
@@ -659,7 +661,11 @@ static void pam_reply(struct pam_auth_req *preq)
if (pd->pam_status == PAM_ACCT_EXPIRED && pd->service != NULL &&
strcasecmp(pd->service, "sshd") == 0) {
- inform_account_expired(pd);
+ ret = confdb_get_string(pctx->rctx->cdb, pd, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_ACCOUNT_EXPIRED_MESSAGE, "",
+ &pam_account_expired_message);
+
+ inform_account_expired(pd, pam_account_expired_message);
}
ret = filter_responses(pctx->rctx->cdb, pd->resp_list);
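Review bot: the return value of `confdb_get_string` is stored in `ret` but never checked before `inform_account_expired(pd, pam_account_expired_message);` on failure `pam_account_expired_message` stays uninitialized (it is declared without an initializer in the `@@ -544` hunk) and `pack_user_info_account_expired` then calls `strlen` on it. Test `ret != EOK`, log it, and either skip the message or fall back to the empty default.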
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 59529796c682416d49c7f92f5feea3b0ace8d2d4..28a36d5af95297b394a74f39d6614f48831bb901 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -60,7 +60,7 @@
#define OPT_RETRY_KEY "retry="
#define OPT_DOMAINS_KEY "domains="
-#define EXP_ACC_MSG _("Your account has expired. ")
+#define EXP_ACC_MSG _("Permission denied. ")
#define SRV_MSG _("Server message: ")
struct pam_items {
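Review bot: the macro is still named `EXP_ACC_MSG` while its text is now "Permission denied. ", and the commit message does not mention that the client-side default wording changed from "Your account has expired."; rename the macro or record the change and its reason (not confirming to an unauthenticated client that the account exists but is expired, as discussed earlier in the thread) in the commit message.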
--
2.1.0
From 59f6e49b9f07a92cbbd6347f8bfd960ff8ebf7d3 Mon Sep 17 00:00:00 2001
From: Pavel Reichl <prei...@redhat.com>
Date: Thu, 19 Feb 2015 11:50:54 -0500
Subject: [PATCH 3/3] PAM: warn all services about account expiration
if pam_verbose is above one then output warning about account
expiration for all services.
Resolves:
https://fedorahosted.org/sssd/ticket/2050
---
src/responder/pam/pamsrv_cmd.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index a9c1b49d7ccf361404b02fb4c4a8ae260f9498cc..ab8369b0f9b1f3ed9256fc16396f095818d36bbf 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -546,11 +546,20 @@ static void pam_reply(struct pam_auth_req *preq)
time_t exp_date = -1;
time_t delay_until = -1;
char* pam_account_expired_message;
+ int pam_verbosity;
pd = preq->pd;
cctx = preq->cctx;
pctx = talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
+ ret = confdb_get_int(pctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_VERBOSITY, DEFAULT_PAM_VERBOSITY,
+ &pam_verbosity);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to read PAM verbosity, not fatal.\n");
+ pam_verbosity = DEFAULT_PAM_VERBOSITY;
+ }
DEBUG(SSSDBG_FUNC_DATA,
"pam_reply called with result [%d].\n", pd->pam_status);
@@ -659,8 +668,14 @@ static void pam_reply(struct pam_auth_req *preq)
goto done;
}
- if (pd->pam_status == PAM_ACCT_EXPIRED && pd->service != NULL &&
- strcasecmp(pd->service, "sshd") == 0) {
+ /* Account expiration warning is printed for sshd. If pam_verbosity
+ * is equal or above PAM_VERBOSITY_INFO then all services are informed
+ * about account expiration.
+ */
+ if (pd->pam_status == PAM_ACCT_EXPIRED &&
+ ((pd->service != NULL && strcasecmp(pd->service, "sshd") == 0) ||
+ pam_verbosity >= PAM_VERBOSITY_INFO)) {
+
ret = confdb_get_string(pctx->rctx->cdb, pd, CONFDB_PAM_CONF_ENTRY,
CONFDB_PAM_ACCOUNT_EXPIRED_MESSAGE, "",
&pam_account_expired_message);
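Review bot: the commit message says "if pam_verbose is above one" while the code tests `pam_verbosity >= PAM_VERBOSITY_INFO`; name the actual option (`pam_verbosity`) and the threshold consistently in both. With this condition the message is also emitted for su and similar services at that verbosity, which brings back the doubled output shown for su earlier in the thread (accepted there as non-default behaviour); the `pam_verbosity` entry in the man page should say that this level prints the account-expired text for every service, and the patch touches no documentation. The `confdb_get_string` result on the lines that follow is still unchecked.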
--
2.1.0
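The SSS_PAM_USER_INFO_ACCOUNT_EXPIRED response in this patch set is a small length-prefixed record, `[uint32 type][uint32 length][length bytes of text]`, packed in the responder and checked in `pam_sss.c` before the text is shown through the PAM conversation. The following is an added example written for this thread, not SSSD's own code: it packs and parses that record with the same checks the client uses (header present, declared length equal to the bytes that follow, truncation test on the assembled text) and exercises the malformed cases. The `DEMO_` names, the numeric value of the type tag and the return codes are assumptions of the example; the truncation test uses `>=`, which is the corrected form of the `ret > bufsize` check in the patch.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the SSS_PAM_USER_INFO_ACCOUNT_EXPIRED enumerator;
 * the real value is whatever sss_cli.h assigns. */
#define DEMO_USER_INFO_ACCOUNT_EXPIRED 0x1000u
/* Client-side prefixes, same wording as the patch set's EXP_ACC_MSG / SRV_MSG. */
#define DEMO_EXP_ACC_MSG "Permission denied. "
#define DEMO_SRV_MSG     "Server message: "
#define DEMO_WIRE_HDR    (2 * sizeof(uint32_t))

/* Responder side: write [type][len][len bytes, no NUL] into out.
 * Returns the number of bytes written, 0 if the record does not fit. */
size_t demo_pack_account_expired(const char *message, uint8_t *out, size_t outlen)
{
    uint32_t type = DEMO_USER_INFO_ACCOUNT_EXPIRED;
    size_t len = strlen(message);
    uint32_t len32;

    if (len > UINT32_MAX || DEMO_WIRE_HDR + len > outlen) {
        return 0;                         /* length field or buffer too small */
    }
    len32 = (uint32_t)len;
    memcpy(out, &type, sizeof type);
    memcpy(out + sizeof type, &len32, sizeof len32);
    memcpy(out + DEMO_WIRE_HDR, message, len);
    return DEMO_WIRE_HDR + len;
}

/* Client side: validate the record and build the text for PAM_TEXT_INFO.
 * Returns 0 on success (*out is malloc'ed, caller frees), -1 for a malformed
 * record, -2 when allocation fails. */
int demo_build_user_message(const uint8_t *buf, size_t buflen, char **out)
{
    uint32_t type, msg_len;
    size_t bufsize;
    char *user_msg;
    int ret;

    *out = NULL;
    if (buflen < DEMO_WIRE_HDR) {          /* header must exist before reading it */
        return -1;
    }
    memcpy(&type, buf, sizeof type);
    memcpy(&msg_len, buf + sizeof(uint32_t), sizeof msg_len);
    if (type != DEMO_USER_INFO_ACCOUNT_EXPIRED) {
        return -1;
    }
    if (buflen - DEMO_WIRE_HDR != msg_len) {  /* declared length must match payload */
        return -1;
    }
    if (msg_len > INT_MAX) {               /* %.*s precision is an int */
        return -1;
    }
    bufsize = strlen(DEMO_EXP_ACC_MSG) + 1;
    if (msg_len > 0) {
        bufsize += strlen(DEMO_SRV_MSG) + msg_len;
    }
    user_msg = malloc(bufsize);
    if (user_msg == NULL) {
        return -2;
    }
    ret = snprintf(user_msg, bufsize, "%s%s%.*s", DEMO_EXP_ACC_MSG,
                   msg_len > 0 ? DEMO_SRV_MSG : "", (int)msg_len,
                   msg_len > 0 ? (const char *)(buf + DEMO_WIRE_HDR) : "");
    /* snprintf reports the untruncated length without the NUL, so ret == bufsize
     * already means the text was cut: the test is >=, not > */
    if (ret < 0 || (size_t)ret >= bufsize) {
        free(user_msg);
        return -1;
    }
    *out = user_msg;
    return 0;
}

/* Round trip with a constructed admin message; 1 when the text is as expected. */
int demo_selftest_roundtrip(void)
{
    uint8_t wire[128];
    char *text = NULL;
    int ok;
    size_t n = demo_pack_account_expired("Account expired, call the help desk.",
                                         wire, sizeof wire);
    if (n == 0 || demo_build_user_message(wire, n, &text) != 0) {
        return 0;
    }
    ok = strcmp(text, "Permission denied. Server message: "
                      "Account expired, call the help desk.") == 0;
    free(text);
    return ok;
}

/* Empty message: only the fixed prefix, no "Server message: " part. */
int demo_selftest_empty(void)
{
    uint8_t wire[16];
    char *text = NULL;
    int ok;
    size_t n = demo_pack_account_expired("", wire, sizeof wire);
    if (n != DEMO_WIRE_HDR || demo_build_user_message(wire, n, &text) != 0) {
        return 0;
    }
    ok = strcmp(text, "Permission denied. ") == 0;
    free(text);
    return ok;
}

/* Malformed records: header-only buffer, truncated payload, and a length field
 * claiming more bytes than were sent must all be rejected with -1. */
int demo_selftest_malformed(void)
{
    uint8_t wire[64];
    char *text = NULL;
    uint32_t bogus = 107;                  /* constructed: far more than "expired" */
    size_t n = demo_pack_account_expired("expired", wire, sizeof wire);
    if (n == 0) return 0;
    if (demo_build_user_message(wire, 4, &text) != -1) return 0;
    if (demo_build_user_message(wire, n - 1, &text) != -1) return 0;
    memcpy(wire + sizeof(uint32_t), &bogus, sizeof bogus);
    if (demo_build_user_message(wire, n, &text) != -1) return 0;
    return text == NULL;
}

int main(void)
{
    printf("roundtrip=%d empty=%d malformed=%d\n", demo_selftest_roundtrip(),
           demo_selftest_empty(), demo_selftest_malformed());
    return 0;
}
```

The length comparison is done on the buffer before any byte past the header is read, which is what keeps a short or tampered record from driving the later copy; the `>=` truncation check is the one place where this example deliberately departs from the patch text.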