From a81b2ae67c7b011c74c0d37df5bdaef2ef2bbb4a Mon Sep 17 00:00:00 2001 From: Pavel Reichl Date: Thu, 19 Feb 2015 11:17:36 -0500 Subject: [PATCH 02/99] PAM: new option pam_account_expired_message This option sets string to be printed when authenticating using SSH keys and account is expired. Resolves: https://fedorahosted.org/sssd/ticket/2050 Reviewed-by: Sumit Bose (cherry picked from commit e039f1aefecc65a7b3c2d4a13a612bff1dd367c8) --- src/confdb/confdb.h | 1 + src/config/SSSDConfig/__init__.py.in | 1 + src/config/etc/sssd.api.conf | 1 + src/man/sssd.conf.5.xml | 21 +++++++++++++++++++++ src/responder/pam/pamsrv_cmd.c | 14 ++++++++++---- src/sss_client/pam_sss.c | 2 +- 6 files changed, 35 insertions(+), 5 deletions(-) diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index b5c4999a3179a6f1303d31f24f2ca5680cf69ac6..19c56402069f9a7001188e91f77db8ad8525d690 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -114,6 +114,7 @@ #define CONFDB_PAM_PWD_EXPIRATION_WARNING "pam_pwd_expiration_warning" #define CONFDB_PAM_TRUSTED_USERS "pam_trusted_users" #define CONFDB_PAM_PUBLIC_DOMAINS "pam_public_domains" +#define CONFDB_PAM_ACCOUNT_EXPIRED_MESSAGE "pam_account_expired_message" /* SUDO */ #define CONFDB_SUDO_CONF_ENTRY "config/sudo" diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index aad0b2ce422b009f1bc95f3377bad34af4495776..dbbffebf38977e526cf2944510a2f60da7edf33a 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in @@ -88,6 +88,7 @@ option_strings = { 'pam_pwd_expiration_warning' : _('How many days before password expiration a warning should be displayed'), 'pam_trusted_users' : _('List of trusted uids or user\'s name'), 'pam_public_domains' : _('List of domains accessible even for untrusted users.'), + 'pam_account_expired_message' : _('Message printed when user account is expired.'), # [sudo] 'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'), diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf index 3503635e07bbd0511349a9b5b9d05c30c6825bf3..4fa542704fbd3af065843e777b84b6305ec3e78b 100644 --- a/src/config/etc/sssd.api.conf +++ b/src/config/etc/sssd.api.conf @@ -58,6 +58,7 @@ pam_pwd_expiration_warning = int, None, false get_domains_timeout = int, None, false pam_trusted_users = str, None, false pam_public_domains = str, None, false +pam_account_expired_message = str, None, false [sudo] # sudo service diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index 90545245eb68e4b45b4b49b5935e47867bffb794..bb4c1d3c65818d8d949482569868e14cf60c5db5 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -933,6 +933,27 @@ fallback_homedir = /home/%u + + pam_account_expired_message (string) + + + If user is authenticating using SSH keys and + account is expired then by default + 'Permission denied' is output. This output will + be changed to content of this variable if it is + set. + + + example: + +pam_account_expired_message = Account expired, please call help desk. + + + + Default: none + + + diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c index c874cae61960ffa17dbe8aab7b96b792d65ac618..a9c1b49d7ccf361404b02fb4c4a8ae260f9498cc 100644 --- a/src/responder/pam/pamsrv_cmd.c +++ b/src/responder/pam/pamsrv_cmd.c @@ -74,13 +74,14 @@ static errno_t pack_user_info_account_expired(TALLOC_CTX *mem_ctx, return EOK; } -static void inform_account_expired(struct pam_data* pd) +static void inform_account_expired(struct pam_data* pd, + const char *pam_message) { size_t msg_len; uint8_t *msg; errno_t ret; - ret = pack_user_info_account_expired(pd, "", &msg_len, &msg); + ret = pack_user_info_account_expired(pd, pam_message, &msg_len, &msg); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "pack_user_info_account_expired failed.\n"); @@ -544,6 +545,7 @@ static void pam_reply(struct pam_auth_req *preq) uint32_t user_info_type; time_t exp_date = -1; time_t delay_until = -1; + char* pam_account_expired_message; pd = preq->pd; cctx = preq->cctx; @@ -620,7 +622,7 @@ static void pam_reply(struct pam_auth_req *preq) ret = gettimeofday(&tv, NULL); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "gettimeofday failed [%d][%s].\n", - errno, strerror(errno)); + errno, strerror(errno)); goto done; } tv.tv_sec += pd->response_delay; @@ -659,7 +661,11 @@ static void pam_reply(struct pam_auth_req *preq) if (pd->pam_status == PAM_ACCT_EXPIRED && pd->service != NULL && strcasecmp(pd->service, "sshd") == 0) { - inform_account_expired(pd); + ret = confdb_get_string(pctx->rctx->cdb, pd, CONFDB_PAM_CONF_ENTRY, + CONFDB_PAM_ACCOUNT_EXPIRED_MESSAGE, "", + &pam_account_expired_message); + + inform_account_expired(pd, pam_account_expired_message); } ret = filter_responses(pctx->rctx->cdb, pd->resp_list); diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index 59529796c682416d49c7f92f5feea3b0ace8d2d4..28a36d5af95297b394a74f39d6614f48831bb901 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -60,7 +60,7 @@ #define OPT_RETRY_KEY "retry=" #define OPT_DOMAINS_KEY "domains=" -#define EXP_ACC_MSG _("Your account has expired. ") +#define EXP_ACC_MSG _("Permission denied. ") #define SRV_MSG _("Server message: ") struct pam_items { -- 2.4.0