hcq/MaxScale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Print error descriptions when a PAM function fails

Browse Source
This commit is contained in:
Esa Korhonen
2018-05-08 15:01:25 +03:00
parent c6b8277281
commit 4b988d99a1
1 changed files with 20 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
server/modules/authenticator/PAM/PAMAuth/pam_client_session.cc
View File

@ -148,6 +148,9 @@ int conversation_func(int num_msg, const struct pam_message **msg,
*/ */
bool validate_pam_password(const string& user, const string& password, const string& service, DCB* client) bool validate_pam_password(const string& user, const string& password, const string& service, DCB* client)
{ {
const char PAM_START_ERR_MSG[] = "Failed to start PAM authentication for user '%s': '%s'.";
const char PAM_AUTH_ERR_MSG[] = "Pam authentication for user '%s' failed: '%s'.";
const char PAM_ACC_ERR_MSG[] = "Pam account check for user '%s' failed: '%s'.";
ConversationData appdata(client, 0, password); ConversationData appdata(client, 0, password);
pam_conv conv_struct = {conversation_func, &appdata}; pam_conv conv_struct = {conversation_func, &appdata};
bool authenticated = false; bool authenticated = false;
@ -163,23 +166,35 @@ bool validate_pam_password(const string& user, const string& password, const str
authenticated = true; authenticated = true;
MXS_DEBUG("pam_authenticate returned success."); MXS_DEBUG("pam_authenticate returned success.");
break; break;
case PAM_USER_UNKNOWN:
case PAM_AUTH_ERR: case PAM_AUTH_ERR:
MXS_DEBUG("pam_authenticate returned authentication failure (wrong password)."); // Normal failure, username or password was wrong.
// Normal failure MXS_WARNING(PAM_AUTH_ERR_MSG, user.c_str(), pam_strerror(pam_handle, pam_status));
break; break;
default: default:
MXS_ERROR("pam_authenticate returned error '%d'.", pam_status); // More exotic error, log as error.
MXS_ERROR(PAM_AUTH_ERR_MSG, user.c_str(), pam_strerror(pam_handle, pam_status));
break; break;
} }
} }
else else
{ {
MXS_ERROR("Failed to start PAM authentication for user '%s'.", user.c_str()); MXS_ERROR(PAM_START_ERR_MSG, user.c_str(), pam_strerror(pam_handle, pam_status));
} }
if (authenticated) if (authenticated)
{ {
pam_status = pam_acct_mgmt(pam_handle, 0); pam_status = pam_acct_mgmt(pam_handle, 0);
account_ok = (pam_status == PAM_SUCCESS); switch (pam_status)
{
case PAM_SUCCESS:
account_ok = true;
break;
default:
// Credentials have already been checked to be ok, so this is again a bit of an exotic error.
MXS_ERROR(PAM_ACC_ERR_MSG, user.c_str(), pam_strerror(pam_handle, pam_status));
break;
}
} }
pam_end(pam_handle, pam_status); pam_end(pam_handle, pam_status);
return account_ok; return account_ok;