Blame SOURCES/pam-1.3.1-unix-improve-logging.patch

43d219
From a6845905869ccabb5eb802be37241eabec085dc7 Mon Sep 17 00:00:00 2001
43d219
From: Tomas Mraz <tmraz@fedoraproject.org>
43d219
Date: Mon, 14 Oct 2019 16:52:46 +0200
43d219
Subject: [PATCH] pam_unix: Add logging useful for debugging problems
43d219
43d219
Two messages added about obtaining the username are guarded
43d219
by the debug option as these should not be normally
43d219
logged - they can be useful for debugging but they do not
43d219
indicate any special condition.
43d219
43d219
The message about authenticating user with blank password is
43d219
still just LOG_DEBUG priority but it is logged unconditionally
43d219
because it is somewhat extraordinary condition to have an user
43d219
with blank password.
43d219
43d219
* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Replace
43d219
  D() macro calls which are not enabled on production builds with
43d219
  regular pam_syslog() calls.
43d219
---
43d219
 modules/pam_unix/pam_unix_auth.c | 7 ++++---
43d219
 1 file changed, 4 insertions(+), 3 deletions(-)
43d219
43d219
diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c
43d219
index 681e49d..3fca945 100644
43d219
--- a/modules/pam_unix/pam_unix_auth.c
43d219
+++ b/modules/pam_unix/pam_unix_auth.c
43d219
@@ -130,15 +130,16 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
43d219
 			AUTH_RETURN;
43d219
 		}
43d219
 		if (on(UNIX_DEBUG, ctrl))
43d219
-			D(("username [%s] obtained", name));
43d219
+			pam_syslog(pamh, LOG_DEBUG, "username [%s] obtained", name);
43d219
 	} else {
43d219
-		D(("trouble reading username"));
43d219
 		if (retval == PAM_CONV_AGAIN) {
43d219
 			D(("pam_get_user/conv() function is not ready yet"));
43d219
 			/* it is safe to resume this function so we translate this
43d219
 			 * retval to the value that indicates we're happy to resume.
43d219
 			 */
43d219
 			retval = PAM_INCOMPLETE;
43d219
+		} else if (on(UNIX_DEBUG, ctrl)) {
43d219
+			pam_syslog(pamh, LOG_DEBUG, "could not obtain username");
43d219
 		}
43d219
 		AUTH_RETURN;
43d219
 	}
43d219
@@ -146,7 +147,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
43d219
 	/* if this user does not have a password... */
43d219
 
43d219
 	if (_unix_blankpasswd(pamh, ctrl, name)) {
43d219
-		D(("user '%s' has blank passwd", name));
43d219
+		pam_syslog(pamh, LOG_DEBUG, "user [%s] has blank password; authenticated without it", name);
43d219
 		name = NULL;
43d219
 		retval = PAM_SUCCESS;
43d219
 		AUTH_RETURN;
43d219
-- 
43d219
2.20.1
43d219