dovecot: Added failure_show_msg=yes parameter to PAM. If set, th...
dovecot at dovecot.org
dovecot at dovecot.org
Tue Aug 7 13:19:13 EEST 2007
details: http://hg.dovecot.org/dovecot/rev/a9c934833374
changeset: 6215:a9c934833374
user: Timo Sirainen <tss at iki.fi>
date: Tue Aug 07 13:19:08 2007 +0300
description:
Added failure_show_msg=yes parameter to PAM. If set, the first line of PAM
password query is shown to user if authentication fails. This is useful with
pam_otp.
diffstat:
2 files changed, 20 insertions(+), 8 deletions(-)
dovecot-example.conf | 2 +-
src/auth/passdb-pam.c | 26 +++++++++++++++++++-------
diffs (102 lines):
diff -r 974066ba68a3 -r a9c934833374 dovecot-example.conf
--- a/dovecot-example.conf Tue Aug 07 13:17:50 2007 +0300
+++ b/dovecot-example.conf Tue Aug 07 13:19:08 2007 +0300
@@ -799,7 +799,7 @@ auth default {
# REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
# authentication to actually work. <doc/wiki/PasswordDatabase.PAM.txt>
passdb pam {
- # [blocking=yes] [session=yes] [setcred=yes]
+ # [blocking=yes] [session=yes] [setcred=yes] [failure_show_msg=yes]
# [cache_key=<key>] [<service name>]
#
# By default a new process is forked from dovecot-auth for each PAM lookup.
diff -r 974066ba68a3 -r a9c934833374 src/auth/passdb-pam.c
--- a/src/auth/passdb-pam.c Tue Aug 07 13:17:50 2007 +0300
+++ b/src/auth/passdb-pam.c Tue Aug 07 13:19:08 2007 +0300
@@ -48,8 +48,11 @@ struct pam_passdb_module {
struct pam_passdb_module {
struct passdb_module module;
- bool pam_setcred, pam_session;
const char *service_name, *pam_cache_key;
+
+ unsigned int pam_setcred:1;
+ unsigned int pam_session:1;
+ unsigned int failure_show_msg:1;
};
struct pam_auth_request {
@@ -67,6 +70,7 @@ struct pam_conv_context {
struct pam_conv_context {
struct auth_request *request;
const char *pass;
+ const char *failure_msg;
};
static struct hash_table *pam_requests;
@@ -78,6 +82,8 @@ pam_userpass_conv(int num_msg, linux_con
{
/* @UNSAFE */
struct pam_conv_context *ctx = appdata_ptr;
+ struct passdb_module *_passdb = ctx->request->passdb->passdb;
+ struct pam_passdb_module *passdb = (struct pam_passdb_module *)_passdb;
struct pam_response *resp;
char *string;
int i;
@@ -102,6 +108,8 @@ pam_userpass_conv(int num_msg, linux_con
break;
case PAM_PROMPT_ECHO_OFF:
/* Assume we're asking for password */
+ if (passdb->failure_show_msg)
+ ctx->failure_msg = t_strdup(msg[i]->msg);
string = strdup(ctx->pass);
if (string == NULL)
i_fatal_status(FATAL_OUTOFMEM, "Out of memory");
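Review bot: The assignment under `case PAM_PROMPT_ECHO_OFF` copies the whole prompt and is repeated for every echo-off prompt, while the commit description promises only the first line of the password query. A PAM stack that prompts more than once leaves the last prompt in `ctx->failure_msg`, and a multi-line prompt is kept in full, line breaks included. Consider keeping only the first prompt and cutting at the newline: guard with `if (passdb->failure_show_msg && ctx->failure_msg == NULL && msg[i]->msg != NULL)` and assign `ctx->failure_msg = t_strcut(msg[i]->msg, '\n');` (assuming `t_strcut` is available in this tree). pam_userpass_conv starts and ends outside the hunk.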
@@ -208,6 +216,7 @@ pam_verify_plain_child(struct auth_reque
conv.conv = pam_userpass_conv;
conv.appdata_ptr = &ctx;
+ memset(&ctx, 0, sizeof(ctx));
ctx.request = request;
ctx.pass = password;
@@ -249,6 +258,10 @@ pam_verify_plain_child(struct auth_reque
str = t_strdup_printf("pam_end() failed: %s",
pam_strerror(pamh, status2));
}
+ if (result != PASSDB_RESULT_OK && ctx.failure_msg != NULL) {
+ auth_request_set_field(request, "reason",
+ ctx.failure_msg, NULL);
+ }
}
if (worker) {
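Review bot: The `reason` field set in the new `if (result != PASSDB_RESULT_OK && ctx.failure_msg != NULL)` block hands text chosen by the PAM module to a client that has just failed authentication, so whatever the module puts in its prompt becomes visible before login. With one-time-password modules the prompt may differ between existing and unknown accounts, which could let a client tell them apart. The option's documentation should say so, and a comment such as `/* PAM prompt text is disclosed to the unauthenticated client */` above the `if` would record the trade-off. It is also worth confirming that the field reaches the parent when this function runs in a forked child rather than a worker (the `if (worker)` branch below suggests two paths); if it does not, the setting silently does nothing without `blocking=yes`. The function body continues outside the hunk.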
@@ -447,7 +460,7 @@ pam_preinit(struct auth_passdb *auth_pas
module->service_name = "dovecot";
t_push();
- t_args = t_strsplit(args, " ");
+ t_args = t_strsplit_spaces(args, " ");
for(i = 0; t_args[i] != NULL; i++) {
/* -session for backwards compatibility */
if (strcmp(t_args[i], "-session") == 0 ||
@@ -461,15 +474,14 @@ pam_preinit(struct auth_passdb *auth_pas
t_args[i] + 10);
} else if (strcmp(t_args[i], "blocking=yes") == 0) {
module->module.blocking = TRUE;
+ } else if (strcmp(t_args[i], "failure_show_msg=yes") == 0) {
+ module->failure_show_msg = TRUE;
} else if (strcmp(t_args[i], "*") == 0) {
/* for backwards compatibility */
module->service_name = "%Ls";
} else if (t_args[i+1] == NULL) {
- if (*t_args[i] != '\0') {
- module->service_name =
- p_strdup(auth_passdb->auth->pool,
- t_args[i]);
- }
+ module->service_name =
+ p_strdup(auth_passdb->auth->pool, t_args[i]);
} else {
i_fatal("Unexpected PAM parameter: %s", t_args[i]);
}
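Review bot: Only the exact string `failure_show_msg=yes` is recognised, so a misspelt or `=no` variant in last position falls through to the `t_args[i+1] == NULL` branch and is silently stored as the PAM service name. Assuming service names never contain `=`, a branch placed before it, `} else if (strchr(t_args[i], '=') != NULL) {` with `i_fatal("Unexpected PAM parameter: %s", t_args[i]);`, would turn that misconfiguration into a startup error instead of unexplained login failures. A short comment that `t_strsplit_spaces()` is not expected to yield empty strings would also explain why the removed `*t_args[i] != '\0'` guard is no longer needed. pam_preinit starts and ends outside the hunk.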