mod_auth_pam logging annoyance (w/ patch)
Matthew Whitworth
matthew at okcomputer.org
Sat May 22 04:19:51 UTC 2004
I've been running mod_auth_pam 1.1.1 (for apache 1.3.x) and have noticed
that authentication errors get logged with odd error messages, like so:
[Mon May 17 11:28:00 2004] [error] [client 192.168.42.250]
(25)Inappropriate ioctl for device: PAM: user 'matthew' - not
authenticated: Authentication failure
The "(25)Inappropriate ioctl for device" is the result of using
ap_log_reason(), which includes the output of strerror(errno). This is
fine for logging I/O errors, but it produces meaningless results when
attempting to log PAM authentication errors.
Someone seems to have tried to correct this in CVS, and replaced all the
calls to ap_log_reason() with calls to ap_log_rerror(). However, the
APLOG_NOERRNO bit is still not being set and the inappropriate system
call errors are still being included.
Below is a patch against CVS that modifies the calls to ap_log_rerror()
to set the APLOG_NOERRNO where appropriate. I didn't modify the call
right after pam_start(), where errno might be relevant.
Hope this is useful,
Matthew
--
--- mod_auth_pam.c 14 Sep 2002 13:29:40 -0000 1.4
+++ mod_auth_pam.c 22 May 2004 03:31:36 -0000
@@ -343,7 +343,7 @@
/* this is only set after get_basic_auth_pw was called */
userinfo.name = r->connection->user;
if(userinfo.name == NULL || strlen(userinfo.name) == 0) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, r,
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
"PAM: no username, refusing request");
return AUTH_REQUIRED;
}
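Review bot: The flag pair APLOG_NOERRNO|APLOG_ERR at the "no username" call is now spelled out by hand at every PAM log site the patch touches, which is the same easy-to-forget pattern that left the bit unset after the ap_log_reason() conversion. Consider a small local macro (for example a hypothetical PAM_LOG_ERR defined as APLOG_NOERRNO|APLOG_ERR) with a one-line comment that errno is not meaningful for PAM results, so later call sites cannot drop the bit.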
@@ -379,14 +379,14 @@
PAM_SUCCESS ) {
if(res == PAM_USER_UNKNOWN) {
if(conf->fall_through) {
- ap_log_rerror(APLOG_MARK, APLOG_NOTICE, r,
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_NOTICE, r,
"PAM: user '%s' unknown (%s), falling through",
r->connection->user, compat_pam_strerror(pamh,
res));
pam_end(pamh, PAM_SUCCESS);
/* pass on to other modules */
return DECLINED;
} else {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, r,
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
"PAM: user '%s' unknown (%s), no fall through",
r->connection->user, compat_pam_strerror(pamh,
res));
/* refuse client */
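Review bot: Both "user '%s' unknown" messages in this hunk write r->connection->user to the error log through %s, and that value comes from the client's credentials, so a username containing newlines or control characters reaches the log verbatim unless the server's log writer escapes it. Escape or replace non-printable characters before passing the name to ap_log_rerror(), since these are the lines that failed-login monitoring will parse.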
@@ -395,7 +395,7 @@
return HTTP_UNAUTHORIZED;
}
} else {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, r,
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
"PAM: user '%s' - not authenticated: %s",
r->connection->user, compat_pam_strerror(pamh, res));
pam_end(pamh, PAM_SUCCESS);
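Review bot: In the context line after the "not authenticated" call, pam_end(pamh, PAM_SUCCESS) runs on a failure path; the second argument should carry the status of the last PAM call, so pass res there (the same applies to the pam_end() after the pam_acct_mgmt() failure in the next hunk). This is outside the lines the patch changes, but module cleanup callbacks receive that status and currently see success after a failed authentication.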
@@ -406,7 +406,7 @@
/* check that the account is healthy */
if((res = pam_acct_mgmt(pamh, PAM_DISALLOW_NULL_AUTHTOK)) !=
PAM_SUCCESS) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, r,
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
"PAM: user '%s' - invalid account: %s",
r->connection->user, compat_pam_strerror(pamh, res));
pam_end(pamh, PAM_SUCCESS);