sssd/0002-PAM-new-option-pam_account_expired_message.patch

158 lines
6.4 KiB
Diff

From a81b2ae67c7b011c74c0d37df5bdaef2ef2bbb4a Mon Sep 17 00:00:00 2001
From: Pavel Reichl <preichl@redhat.com>
Date: Thu, 19 Feb 2015 11:17:36 -0500
Subject: [PATCH 02/99] PAM: new option pam_account_expired_message
This option sets string to be printed when authenticating using SSH
keys and account is expired.
Resolves:
https://fedorahosted.org/sssd/ticket/2050
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit e039f1aefecc65a7b3c2d4a13a612bff1dd367c8)
---
src/confdb/confdb.h | 1 +
src/config/SSSDConfig/__init__.py.in | 1 +
src/config/etc/sssd.api.conf | 1 +
src/man/sssd.conf.5.xml | 21 +++++++++++++++++++++
src/responder/pam/pamsrv_cmd.c | 14 ++++++++++----
src/sss_client/pam_sss.c | 2 +-
6 files changed, 35 insertions(+), 5 deletions(-)
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index b5c4999a3179a6f1303d31f24f2ca5680cf69ac6..19c56402069f9a7001188e91f77db8ad8525d690 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -114,6 +114,7 @@
#define CONFDB_PAM_PWD_EXPIRATION_WARNING "pam_pwd_expiration_warning"
#define CONFDB_PAM_TRUSTED_USERS "pam_trusted_users"
#define CONFDB_PAM_PUBLIC_DOMAINS "pam_public_domains"
+#define CONFDB_PAM_ACCOUNT_EXPIRED_MESSAGE "pam_account_expired_message"
/* SUDO */
#define CONFDB_SUDO_CONF_ENTRY "config/sudo"
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index aad0b2ce422b009f1bc95f3377bad34af4495776..dbbffebf38977e526cf2944510a2f60da7edf33a 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -88,6 +88,7 @@ option_strings = {
'pam_pwd_expiration_warning' : _('How many days before password expiration a warning should be displayed'),
'pam_trusted_users' : _('List of trusted uids or user\'s name'),
'pam_public_domains' : _('List of domains accessible even for untrusted users.'),
+ 'pam_account_expired_message' : _('Message printed when user account is expired.'),
# [sudo]
'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 3503635e07bbd0511349a9b5b9d05c30c6825bf3..4fa542704fbd3af065843e777b84b6305ec3e78b 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -58,6 +58,7 @@ pam_pwd_expiration_warning = int, None, false
get_domains_timeout = int, None, false
pam_trusted_users = str, None, false
pam_public_domains = str, None, false
+pam_account_expired_message = str, None, false
[sudo]
# sudo service
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 90545245eb68e4b45b4b49b5935e47867bffb794..bb4c1d3c65818d8d949482569868e14cf60c5db5 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -933,6 +933,27 @@ fallback_homedir = /home/%u
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>pam_account_expired_message (string)</term>
+ <listitem>
+ <para>
+ If user is authenticating using SSH keys and
+ account is expired then by default
+ 'Permission denied' is output. This output will
+ be changed to content of this variable if it is
+ set.
+ </para>
+ <para>
+ example:
+ <programlisting>
+pam_account_expired_message = Account expired, please call help desk.
+ </programlisting>
+ </para>
+ <para>
+ Default: none
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect2>
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index c874cae61960ffa17dbe8aab7b96b792d65ac618..a9c1b49d7ccf361404b02fb4c4a8ae260f9498cc 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -74,13 +74,14 @@ static errno_t pack_user_info_account_expired(TALLOC_CTX *mem_ctx,
return EOK;
}
-static void inform_account_expired(struct pam_data* pd)
+static void inform_account_expired(struct pam_data* pd,
+ const char *pam_message)
{
size_t msg_len;
uint8_t *msg;
errno_t ret;
- ret = pack_user_info_account_expired(pd, "", &msg_len, &msg);
+ ret = pack_user_info_account_expired(pd, pam_message, &msg_len, &msg);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"pack_user_info_account_expired failed.\n");
@@ -544,6 +545,7 @@ static void pam_reply(struct pam_auth_req *preq)
uint32_t user_info_type;
time_t exp_date = -1;
time_t delay_until = -1;
+ char* pam_account_expired_message;
pd = preq->pd;
cctx = preq->cctx;
@@ -620,7 +622,7 @@ static void pam_reply(struct pam_auth_req *preq)
ret = gettimeofday(&tv, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "gettimeofday failed [%d][%s].\n",
- errno, strerror(errno));
+ errno, strerror(errno));
goto done;
}
tv.tv_sec += pd->response_delay;
@@ -659,7 +661,11 @@ static void pam_reply(struct pam_auth_req *preq)
if (pd->pam_status == PAM_ACCT_EXPIRED && pd->service != NULL &&
strcasecmp(pd->service, "sshd") == 0) {
- inform_account_expired(pd);
+ ret = confdb_get_string(pctx->rctx->cdb, pd, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_ACCOUNT_EXPIRED_MESSAGE, "",
+ &pam_account_expired_message);
+
+ inform_account_expired(pd, pam_account_expired_message);
}
ret = filter_responses(pctx->rctx->cdb, pd->resp_list);
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 59529796c682416d49c7f92f5feea3b0ace8d2d4..28a36d5af95297b394a74f39d6614f48831bb901 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -60,7 +60,7 @@
#define OPT_RETRY_KEY "retry="
#define OPT_DOMAINS_KEY "domains="
-#define EXP_ACC_MSG _("Your account has expired. ")
+#define EXP_ACC_MSG _("Permission denied. ")
#define SRV_MSG _("Server message: ")
struct pam_items {
--
2.4.0