Introduce pam_verbosity config option

Currently we display all PAM messages generated by sssd to the user. But only some of them are important and others are just some useful information. This patch introduces a new option to the PAM responder which controls what kind of messages are displayed. As an example the 'Authenticated with cached credentials' message is used. This message is only displayed if pam_verbosity=1 or if there is an expire date.
SSSD · Nov 15, 2010 · 9468a58 · 9468a58
1 parent 4b49811
commit 9468a58
Show file tree

Hide file tree

Showing 7 changed files with 126 additions and 11 deletions.
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
@@ -80,6 +80,7 @@
 #define CONFDB_DEFAULT_PAM_FAILED_LOGIN_ATTEMPTS 0
 #define CONFDB_PAM_FAILED_LOGIN_DELAY "offline_failed_login_delay"
 #define CONFDB_DEFAULT_PAM_FAILED_LOGIN_DELAY 5
+#define CONFDB_PAM_VERBOSITY "pam_verbosity"
 
 /* Data Provider */
 #define CONFDB_DP_CONF_ENTRY "config/dp"

diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
@@ -63,6 +63,7 @@ class ProviderSubtypeInUse(SSSDConfigException): pass
     'offline_credentials_expiration' : _('How long to allow cached logins between online logins (days)'),
     'offline_failed_login_attempts' : _('How many failed logins attempts are allowed when offline'),
     'offline_failed_login_delay' : _('How long (minutes) to deny login after offline_failed_login_attempts has been reached'),
+    'pam_verbosity' : _('What kind of messages are displayed to the user during authentication'),
 
     # [provider]
     'id_provider' : _('Identity provider'),

diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
@@ -33,6 +33,7 @@ pwfield = str, None, false
 offline_credentials_expiration = int, None, false
 offline_failed_login_attempts = int, None, false
 offline_failed_login_delay = int, None, false
+pam_verbosity = int, None, false
 
 [provider]
 #Available provider types

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
@@ -409,6 +409,37 @@
                         </para>
                     </listitem>
                 </varlistentry>
+
+                <varlistentry>
+                    <term>pam_verbosity (integer)</term>
+                    <listitem>
+                        <para>
+                            Controls what kind of messages are shown to the user
+                            during authentication. The higher the number to more
+                            messages are displayed.
+                        </para>
+                        <para>
+                             Currently sssd supports the following values:
+                        </para>
+                        <para>
+                             <emphasis>0</emphasis>: do not show any message
+                        </para>
+                        <para>
+                             <emphasis>1</emphasis>: show only important
+                             messages
+                        </para>
+                        <para>
+                             <emphasis>2</emphasis>: show informational messages
+                        </para>
+                        <para>
+                             <emphasis>3</emphasis>: show all messages and debug
+                             information
+                        </para>
+                        <para>
+                            Default: 1
+                        </para>
+                    </listitem>
+                </varlistentry>
             </variablelist>
         </refsect2>
     </refsect1>

diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h
@@ -159,6 +159,7 @@ struct response_data {
     int32_t type;
     int32_t len;
     uint8_t *data;
+    bool do_not_send_to_client;
     struct response_data *next;
 };
 

diff --git a/src/providers/dp_pam_data_util.c b/src/providers/dp_pam_data_util.c
@@ -163,6 +163,7 @@ int pam_add_response(struct pam_data *pd, enum response_type type,
     new->len = len;
     new->data = talloc_memdup(pd, data, len);
     if (new->data == NULL) return ENOMEM;
+    new->do_not_send_to_client = false;
     new->next = pd->resp_list;
     pd->resp_list = new;
 

diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
@@ -31,6 +31,15 @@
 #include "responder/pam/pamsrv.h"
 #include "db/sysdb.h"
 
+enum pam_verbosity {
+    PAM_VERBOSITY_NO_MESSAGES = 0,
+    PAM_VERBOSITY_IMPORTANT,
+    PAM_VERBOSITY_INFO,
+    PAM_VERBOSITY_DEBUG
+};
+
+#define DEFAULT_PAM_VERBOSITY PAM_VERBOSITY_IMPORTANT
+
 static void pam_reply(struct pam_auth_req *preq);
 
 static int extract_authtok(uint32_t *type, uint32_t *size, uint8_t **tok, uint8_t *body, size_t blen, size_t *c) {
@@ -319,6 +328,59 @@ static errno_t set_last_login(struct pam_auth_req *preq)
     return ret;
 }
 
+static errno_t filter_responses(struct response_data *resp_list,
+                                int pam_verbosity)
+{
+    struct response_data *resp;
+    uint32_t user_info_type;
+    int64_t expire_date;
+
+    resp = resp_list;
+
+    while(resp != NULL) {
+        if (resp->type == SSS_PAM_USER_INFO) {
+            if (resp->len < sizeof(uint32_t)) {
+                DEBUG(1, ("User info entry is too short.\n"));
+                return EINVAL;
+            }
+
+            if (pam_verbosity == PAM_VERBOSITY_NO_MESSAGES) {
+                resp->do_not_send_to_client = true;
+                resp = resp->next;
+                continue;
+            }
+
+            memcpy(&user_info_type, resp->data, sizeof(uint32_t));
+
+            resp->do_not_send_to_client = false;
+            switch (user_info_type) {
+                case SSS_PAM_USER_INFO_OFFLINE_AUTH:
+                    if (resp->len != sizeof(uint32_t) + sizeof(int64_t)) {
+                        DEBUG(1, ("User info offline auth entry is "
+                                  "too short.\n"));
+                        return EINVAL;
+                    }
+                    memcpy(&expire_date, resp->data + sizeof(uint32_t),
+                           sizeof(int64_t));
+                    if ((expire_date == 0 &&
+                         pam_verbosity < PAM_VERBOSITY_INFO) ||
+                        (expire_date > 0 &&
+                         pam_verbosity < PAM_VERBOSITY_IMPORTANT)) {
+                        resp->do_not_send_to_client = true;
+                    }
+
+                    break;
+                default:
+                    DEBUG(7, ("User info type [%d] not filtered.\n"));
+            }
+        }
+
+        resp = resp->next;
+    }
+
+    return EOK;
+}
+
 static void pam_reply_delay(struct tevent_context *ev, struct tevent_timer *te,
                             struct timeval tv, void *pvt)
 {
@@ -352,9 +414,12 @@ static void pam_reply(struct pam_auth_req *preq)
     uint32_t user_info_type;
     time_t exp_date = -1;
     time_t delay_until = -1;
+    int pam_verbosity = 0;
 
     pd = preq->pd;
     cctx = preq->cctx;
+    pctx = talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
+
 
     DEBUG(4, ("pam_reply get called.\n"));
 
@@ -376,9 +441,6 @@ static void pam_reply(struct pam_auth_req *preq)
                         goto done;
                     }
 
-                    pctx = talloc_get_type(preq->cctx->rctx->pvt_ctx,
-                                           struct pam_ctx);
-
                     ret = sysdb_cache_auth(preq, sysdb,
                                            preq->domain, pd->user,
                                            pd->authtok, pd->authtok_size,
@@ -453,6 +515,19 @@ static void pam_reply(struct pam_auth_req *preq)
         goto done;
     }
 
+    ret = confdb_get_int(pctx->rctx->cdb, pd, CONFDB_PAM_CONF_ENTRY,
+                         CONFDB_PAM_VERBOSITY, DEFAULT_PAM_VERBOSITY,
+                         &pam_verbosity);
+    if (ret != EOK) {
+        DEBUG(1, ("Failed to read PAM verbosity, not fatal.\n"));
+        pam_verbosity = 0;
+    }
+
+    ret = filter_responses(pd->resp_list, pam_verbosity);
+    if (ret != EOK) {
+        DEBUG(1, ("filter_responses failed, not fatal.\n"));
+    }
+
     if (pd->domain != NULL) {
         pam_add_response(pd, SSS_PAM_DOMAIN_NAME, strlen(pd->domain)+1,
                          (uint8_t *) pd->domain);
@@ -462,8 +537,10 @@ static void pam_reply(struct pam_auth_req *preq)
     resp_size = 0;
     resp = pd->resp_list;
     while(resp != NULL) {
-        resp_c++;
-        resp_size += resp->len;
+        if (!resp->do_not_send_to_client) {
+            resp_c++;
+            resp_size += resp->len;
+        }
         resp = resp->next;
     }
 
@@ -487,12 +564,14 @@ static void pam_reply(struct pam_auth_req *preq)
 
     resp = pd->resp_list;
     while(resp != NULL) {
-        memcpy(&body[p], &resp->type, sizeof(int32_t));
-        p += sizeof(int32_t);
-        memcpy(&body[p], &resp->len, sizeof(int32_t));
-        p += sizeof(int32_t);
-        memcpy(&body[p], resp->data, resp->len);
-        p += resp->len;
+        if (!resp->do_not_send_to_client) {
+            memcpy(&body[p], &resp->type, sizeof(int32_t));
+            p += sizeof(int32_t);
+            memcpy(&body[p], &resp->len, sizeof(int32_t));
+            p += sizeof(int32_t);
+            memcpy(&body[p], resp->data, resp->len);
+            p += resp->len;
+        }
 
         resp = resp->next;
     }