[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

pam_listfile.so and logging


	I was implementing some pam rules with .  I noticed that if
pam_listfile.so rejected the authentication the service was denied, but
no reason was given.  The service I was using was pop/imap.  pop/imap
only returns "-ERR Bad login".  So I modified pam_listfile.c a little to
log the rejection.  Is this good?  Is there a reason listfile does no
logging?  The patch and a sample log are below.

==> secure <==
May 12 16:22:43 fester ipop3d[1535]: connect from

==> messages <==
May 12 16:22:58 fester PAM-listfile[1535]: Refused user test2 for
service imap 
May 12 16:23:02 fester ipop3d[1535]: Login failure user=test2
May 12 16:23:02 fester ipop3d[1535]: Logout user test2 host wednesday
-------end logs----

diff -ruN Linux-PAM-0.64.orig/modules/pam_listfile/pam_listfile.c
--- Linux-PAM-0.64.orig/modules/pam_listfile/pam_listfile.c     Tue Jan
27 23:50
:33 1998
+++ Linux-PAM-0.64/modules/pam_listfile/pam_listfile.c  Tue May 12
15:42:11 1998
@@ -394,19 +394,28 @@
-    if(retval) {
+/* christopher mccrory <chrismcc@netus.com>
+/* updated this slightly and included a log entry.
+/* the test is slightly different. if retval and sense _both_ equal
+/* ( 0 or 1 ) then we should return PAM_SUCCESS.  if not, not. 
+    if(retval == sense) {
 #ifdef DEBUG
        syslog(LOG_INFO,"Returning %d, retval = %d",
               sense?PAM_AUTH_ERR:PAM_SUCCESS, retval);
-       return sense?PAM_SUCCESS:PAM_AUTH_ERR;
+       return PAM_SUCCESS;
     else {
+         const char *user_name, *service;
 #ifdef DEBUG
        syslog(LOG_INFO,"Returning %d, retval = %d",
               sense?PAM_SUCCESS:PAM_AUTH_ERR, retval);
-       return sense?PAM_AUTH_ERR:PAM_SUCCESS;
+         (void) pam_get_item(pamh, PAM_SERVICE, &service);
+         (void) pam_get_user(pamh,&user_name,NULL);
+         _pam_log(LOG_ALERT, "Refused user %s for service
+       return PAM_AUTH_ERR;
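Review bot: the new test `if(retval == sense)` is only equivalent to the old `if(retval)` / `sense?PAM_SUCCESS:PAM_AUTH_ERR` pair when both variables are strictly 0 or 1, which the added comment assumes rather than enforces; comparing truth values, e.g. `if((retval != 0) == (sense != 0))`, keeps the original semantics for any non-zero value. Three smaller points in the same hunk: the `#ifdef DEBUG` syslog calls still print `sense?PAM_AUTH_ERR:PAM_SUCCESS` and `sense?PAM_SUCCESS:PAM_AUTH_ERR` as the "Returning" value, but each branch now returns a constant, so the debug output can disagree with what is actually returned; the comment opened with `/*` on the first added line is never closed with `*/` before `if(retval == sense) {` as shown (the `/*` on the following lines are just text inside that first comment), so the patch will not compile as posted; and in the else branch `service` and `user_name` are handed to `%s` after the return values of `pam_get_item` and `pam_get_user` are discarded with `(void)`, so initialize both to NULL, substitute a placeholder when either call fails, and pass `(const void **)&service` to match `pam_get_item`'s parameter type. LOG_ALERT is also a strong level for a routine refusal of a user who is simply not on the list; LOG_NOTICE or LOG_WARNING fits the sample log better.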


Christopher McCrory
Lead Bithead, Netus Inc.

"Linux: Because rebooting is for adding new hardware"

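The new "Refused user ... for service ..." line carries the user and service but not the remote host; the daemon's own "connect from" and "Logout ... host" lines for the same PID do. The following script, an added example that is not part of the post or of Linux-PAM, joins the two by PID while the session is open (so recycled PIDs from earlier sessions are not confused with it). The syslog layout, the ipop3d message texts and the sample log are constructed from the excerpt above; the peer host in the "connect from" line is assumed, since the excerpt truncates it.

```python
"""Correlate pam_listfile refusals with the ipop3d/imapd session that produced them."""
import re

# Constructed sample log, modelled on the excerpt in the post (not real data).
# The host after "connect from" is assumed; the excerpt cuts it off.
SAMPLE_LOG = """\
May 12 16:22:43 fester ipop3d[1535]: connect from wednesday
May 12 16:22:58 fester PAM-listfile[1535]: Refused user test2 for service imap
May 12 16:23:02 fester ipop3d[1535]: Login failure user=test2
May 12 16:23:02 fester ipop3d[1535]: Logout user test2 host wednesday
May 12 16:25:10 fester ipop3d[1602]: connect from friday
May 12 16:25:15 fester ipop3d[1602]: Login user=alice host=friday
May 12 16:25:40 fester ipop3d[1602]: Logout user alice host friday
May 12 16:30:01 fester PAM-listfile[1700]: Refused user test2 for service imap
"""

# Classic BSD syslog line: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Message produced by the patched pam_listfile.
REFUSED_RE = re.compile(r"^Refused user (?P<user>\S+) for service (?P<service>\S+)$")
# ipop3d/imapd session boundaries, as they appear in the excerpt.
CONNECT_RE = re.compile(r"^connect from (?P<peer>\S+)$")
LOGOUT_RE = re.compile(r"^Logout user \S+ host (?P<peer>\S+)$")


def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not fit."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def correlate_refusals(log_text):
    """Return one dict per pam_listfile refusal, with the peer host taken from
    the daemon session (same PID) that is open at that moment, else "unknown".

    Sessions are tracked sequentially: "connect from" opens one, "Logout" closes
    it, so a PID reused by a later connection does not inherit an old peer.
    """
    sessions = {}  # pid -> peer host, live between "connect from" and "Logout"
    events = []
    for line in log_text.splitlines():
        r = parse_line(line)
        if r is None:
            continue
        msg, pid = r["msg"], r["pid"]
        m = CONNECT_RE.match(msg)
        if m:
            sessions[pid] = m.group("peer")
            continue
        m = REFUSED_RE.match(msg)
        if m and r["prog"] == "PAM-listfile":
            events.append({"ts": r["ts"], "pid": pid, "user": m.group("user"),
                           "service": m.group("service"),
                           "peer": sessions.get(pid, "unknown")})
            continue
        if LOGOUT_RE.match(msg):
            sessions.pop(pid, None)
    return events


def refusals_per_user(events):
    """Count refusals by user name, e.g. to spot a name being tried repeatedly."""
    counts = {}
    for e in events:
        counts[e["user"]] = counts.get(e["user"], 0) + 1
    return counts


if __name__ == "__main__":
    for e in correlate_refusals(SAMPLE_LOG):
        print(f'{e["ts"]} refused {e["user"]} on {e["service"]} '
              f'from {e["peer"]} (pid {e["pid"]})')
    print(refusals_per_user(correlate_refusals(SAMPLE_LOG)))
```

Because the refusal on pid 1700 has no preceding "connect from" line, it is reported with peer "unknown" rather than being attributed to an earlier session; that is the failure mode a purely PID-keyed join would get wrong.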