diff --git a/ChangeLog b/ChangeLog
index d3978bc..9473304 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2008-03-17 Sergey Poznyakoff
+
+ * pam_fshadow/pam_fshadow.c, pam_sql/pam_mysql.c,
+ pam_sql/pam_sql.c, pam_regex/pam_regex.c: Ensure passwords might
+ get divulged only at debugging level 100.
+
 2008-03-16 Sergey Poznyakoff
 Add session management to pam_sql.
diff --git a/pam_fshadow/pam_fshadow.c b/pam_fshadow/pam_fshadow.c
index 3029319..b0d6659 100644
--- a/pam_fshadow/pam_fshadow.c
+++ b/pam_fshadow/pam_fshadow.c
@@ -135,7 +135,7 @@ _pam_get_password(pam_handle_t *pamh, char **password, const char *prompt)
 struct pam_response *resp;
 int i, replies;
- DEBUG(100,("enter _pam_get_password"));
+ DEBUG(90,("enter _pam_get_password"));
 if (cntl_flags & CNTL_AUTHTOK) {
 /*
@@ -176,7 +176,7 @@ _pam_get_password(pam_handle_t *pamh, char **password, const char *prompt)
 if (resp != NULL) {
 if (retval == PAM_SUCCESS) { /* a good conversation */
 token = XSTRDUP(resp[i - replies].resp);
- DEBUG(10,("app returned [%s]", token));
+ DEBUG(100,("app returned [%s]", token));
 PAM_DROP_REPLY(resp, 1);
 } else {
 _pam_log(LOG_ERR, "conversation error: %s",
@@ -211,7 +211,7 @@ _pam_get_password(pam_handle_t *pamh, char **password, const char *prompt)
 pam_strerror(pamh, retval));
 }
- DEBUG(100,("exit _pam_get_password: %d", retval));
+ DEBUG(90,("exit _pam_get_password: %d", retval));
 return retval;
 }
@@ -274,9 +274,13 @@ verify_user_pass(const char *confdir, const char *username,
 FILE *fp;
 int retval = PAM_AUTH_ERR;
 char *shadow = mkfilename(confdir, "shadow");
-
- DEBUG(10,("Verifying user `%s' with password `%s' in `%s'",
- username, password, shadow));
+
+ if (debug_level == 100)
+ _pam_debug("Verifying user `%s' with password `%s' in `%s'",
+ username, password, shadow);
+ else if (debug_level >= 10)
+ _pam_debug("Verifying user `%s' in `%s'",
+ username, password, shadow);
 fp = fopen(shadow, "r");
 if (!fp) {
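Review bot: The `else if (debug_level >= 10)` branch added to verify_user_pass still passes `password` as the second `%s` argument, so the message that is supposed to omit the credential prints it in place of the file name, and `shadow` becomes an unused trailing argument; the call should read `_pam_debug("Verifying user `%s' in `%s'", username, shadow);`. As written, the password reaches the log at every level from 10 upward, which is exactly what the ChangeLog entry says this commit prevents, and `-Wformat` would have flagged the extra argument. The `debug_level == 100` test on the first branch is also inconsistent with the `>=` comparison on the second; if the level can be set above 100 the password variant is silently skipped, harmless but probably unintended. verify_user_pass continues outside the hunk.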
@@ -376,7 +380,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
 /* Get the username */
 retval = pam_get_user(pamh, &username, NULL);
 if (retval != PAM_SUCCESS || !username) {
- _pam_log(LOG_DEBUG,"can not get the username");
+ DEBUG(1,("can not get the username"));
 return PAM_SERVICE_ERR;
 }
@@ -397,11 +401,10 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
 pam_set_data(pamh, "CONFDIR", (void *)confdir, gray_cleanup_string);
 } else {
- _pam_log(LOG_DEBUG,
- "user name `%s' does not match regular "
+ DEBUG(1,("user name `%s' does not match regular "
 "expression `%s'", username,
- regex_str);
+ regex_str));
 }
 }
diff --git a/pam_regex/pam_regex.c b/pam_regex/pam_regex.c
index af6f8e3..65b9ea5 100644
--- a/pam_regex/pam_regex.c
+++ b/pam_regex/pam_regex.c
@@ -112,7 +112,7 @@ pam_sm_authenticate(pam_handle_t *pamh,
 _pam_parse(pamh, argc, argv);
- DEBUG(100,("enter pam_sm_authenticate"));
+ DEBUG(90,("enter pam_sm_authenticate"));
 gray_pam_init(PAM_AUTHINFO_UNAVAIL);
@@ -134,7 +134,7 @@ pam_sm_authenticate(pam_handle_t *pamh,
 gray_set_transform_expr(transform);
 slist = gray_slist_create();
 gray_transform_name_to_slist(slist, name, &newname);
- DEBUG(100,("new name: %s", newname));
+ DEBUG(90,("new name: %s", newname));
 MAKE_STR(pamh, newname, name);
 retval = pam_set_item(pamh, PAM_USER, name);
 if (retval != PAM_SUCCESS) {
@@ -181,7 +181,7 @@ pam_sm_authenticate(pam_handle_t *pamh,
 }
 }
- DEBUG(100,("exit pam_sm_authenticate: %d", retval));
+ DEBUG(90,("exit pam_sm_authenticate: %d", retval));
 return retval;
 }
diff --git a/pam_sql/pam_mysql.c b/pam_sql/pam_mysql.c
index e1f0756..e723f04 100644
--- a/pam_sql/pam_mysql.c
+++ b/pam_sql/pam_mysql.c
@@ -294,6 +294,7 @@ verify_user_pass(pam_handle_t *pamh, const char *password, const char *query)
 return PAM_SERVICE_ERR;
 }
+ DEBUG(10,("Executing %s", query));
 if (mysql_query(&mysql, query)) {
 _pam_log(LOG_ERR, "MySQL: %s", mysql_error(&mysql));
 mysql_close(&mysql);
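Review bot: The new `DEBUG(10,("Executing %s", query));` in pam_mysql.c's verify_user_pass writes the complete SQL text at level 10, and because this function receives `password` next to `query`, the statement plausibly already has the password interpolated into it; if that is the case, the credential this commit confines to level 100 is exposed again at a much lower level. Either gate the line like the other password-bearing messages, `DEBUG(100,("Executing %s", query));`, or log only that a query is being issued. The identical line is added to sql_acct in the next hunk; that function takes no password, so the risk is smaller there, but the same consideration applies if the query template can reference sensitive fields. The enclosing function continues outside the hunk.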
@@ -358,6 +359,7 @@ sql_acct(pam_handle_t *pamh, const char *query)
 return PAM_SERVICE_ERR;
 }
+ DEBUG(10,("Executing %s", query));
 if (mysql_query(&mysql, query)) {
 _pam_log(LOG_ERR, "MySQL: %s", mysql_error(&mysql));
 mysql_close(&mysql);
@@ -372,7 +374,7 @@ sql_acct(pam_handle_t *pamh, const char *query)
 } else {
 size_t n = mysql_num_rows(result);
 mysql_free_result(result);
- DEBUG(10, ("query affected %lu tuples", n));
+ _pam_debug("query affected %lu tuples", n);
 }
 }
 mysql_close(&mysql);
diff --git a/pam_sql/pam_sql.c b/pam_sql/pam_sql.c
index 3038105..2c550ed 100644
--- a/pam_sql/pam_sql.c
+++ b/pam_sql/pam_sql.c
@@ -73,7 +73,7 @@ _pam_get_password(pam_handle_t *pamh, char **password, const char *prompt)
 struct pam_response *resp;
 int i, replies;
- DEBUG(100,("enter _pam_get_password"));
+ DEBUG(90,("enter _pam_get_password"));
 if (cntl_flags & CNTL_AUTHTOK) {
 /*
@@ -114,7 +114,7 @@ _pam_get_password(pam_handle_t *pamh, char **password, const char *prompt)
 if (resp != NULL) {
 if (retval == PAM_SUCCESS) { /* a good conversation */
 token = XSTRDUP(resp[i - replies].resp);
- DEBUG(10,("app returned [%s]", token));
+ DEBUG(100,("app returned [%s]", token));
 PAM_DROP_REPLY(resp, 1);
 } else {
 _pam_log(LOG_ERR, "conversation error: %s",
@@ -149,7 +149,7 @@ _pam_get_password(pam_handle_t *pamh, char **password, const char *prompt)
 pam_strerror(pamh, retval));
 }
- DEBUG(100,("exit _pam_get_password: %d", retval));
+ DEBUG(90,("exit _pam_get_password: %d", retval));
 return retval;
 }
@@ -384,7 +384,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 /* Get the username */
 retval = pam_get_user(pamh, &username, NULL);
 if (retval != PAM_SUCCESS || !username) {
- _pam_log(LOG_DEBUG, "can not get the username");
+ DEBUG(1, ("can not get the username"));
 return PAM_SERVICE_ERR;
 }
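Review bot: The replacement line `_pam_debug("query affected %lu tuples", n);` in sql_acct formats `size_t n` with `%lu`, a type mismatch on any target where `size_t` is not `unsigned long`; use `%zu`, or keep the specifier and cast, `_pam_debug("query affected %lu tuples", (unsigned long) n);`. Dropping the `DEBUG(10, ...)` wrapper in favour of a bare `_pam_debug` also appears to remove the level check: in the pam_fshadow.c verify_user_pass hunk the same function is guarded by an explicit `debug_level` comparison, which suggests `_pam_debug` does not filter on its own, so the row count would now be emitted at every debug level. If that is unintended, `DEBUG(10, ("query affected %zu tuples", n));` keeps both the gating and a matching specifier. sql_acct continues outside the hunk.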