Hello,

I noticed that if pam_unix sees that a user does not exist on the system, it logs this information via syslog at priority level LOG_ALERT. I take issue with this, on two points:

1) The user may in fact exist, but only be accessible via other PAM modules (i.e., pam_ldap). Thus, it would seem to make more sense to either leave logging of this condition up to the client, or to have the PAM module perform this logging only in the case where it is the last one in the stack (in which case it can be sure that the user *really* doesn't exist).

I see in the module writers' guide:

    http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_modules-5.html#ss5.2

that "Authentication failures, associated with an incorrectly typed password should be logged at level, LOG_NOTICE", but I see nothing about the condition where the username is non-existent.

2) LOG_ALERT. According to syslog(2):

    #define KERN_ALERT "<1>" /* action must be taken immediately */

I would posit that a client attempting to authenticate with a non-existent username does not meet this criterion. In my opinion an argument can be made that this is not even an error condition, and thus should be at level LOG_WARNING or below.

The above two points assume that my interpretation of the code is correct, given the case of a client attempting to authenticate a user, where the client's configuration is to use pam_unix followed by pam_ldap for auth.

In unix_chkpwd.c, line 129:

    pwd = getpwnam(name); /* Get password file entry... */

and line 157:

    if (pwd == NULL || salt == NULL) {
        _log_err(LOG_ALERT, "check pass; user unknown");

From getpwnam(3):

    "The getpwnam() and getpwuid() functions return a pointer to the passwd structure, or NULL if the matching entry is not found"

Thus, if the user does not exist in /etc/passwd (but does exist in LDAP), pwd will be NULL, causing the logging condition to occur.

My intent is to start a dialog on this issue to determine if this is a valid criticism. If so, I would be happy to assist in creating a patch.

Thanks,
Jason Pepas

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
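The check the post quotes from unix_chkpwd.c, reimplemented below as an added example (this is not code from the original message or from Linux-PAM). It uses getpwnam_r(3), the reentrant form of getpwnam(3), so that "no such entry" can be told apart from a failing NSS backend, and it makes the syslog priority a policy parameter: alert_policy == 1 reproduces the LOG_ALERT behaviour the post describes, alert_policy == 0 logs at LOG_NOTICE only when the caller says the module is last in the stack and LOG_DEBUG otherwise. The function names, the check_result struct and the last_in_stack flag are all assumptions for illustration; a real module has no such flag handed to it by the PAM library. The sample user names are constructed: "root" is assumed to exist on the host and "nosuchuser-zz9" is assumed not to.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <syslog.h>

/* Outcome of the passwd lookup that unix_chkpwd performs before checking a password. */
enum lookup_status { USER_FOUND, USER_UNKNOWN, LOOKUP_ERROR };

struct check_result {
    enum lookup_status status;
    int priority;   /* syslog priority the message would be sent with, or -1 if nothing is logged */
};

/* Look the user up through NSS. Unlike getpwnam(), the return code of getpwnam_r()
 * distinguishes "no matching entry in any NSS source" from a backend failure. */
static enum lookup_status lookup_local_user(const char *name)
{
    struct passwd pwd, *result = NULL;
    char buf[16384];   /* assumption: large enough for any passwd entry on this host */

    int rc = getpwnam_r(name, &pwd, buf, sizeof buf, &result);
    if (rc != 0)
        return LOOKUP_ERROR;   /* EIO, ERANGE, ...: NSS could not answer */
    if (result == NULL)
        return USER_UNKNOWN;   /* files, ldap, ... all say no such user */
    return USER_FOUND;
}

/* Mirror of the "pwd == NULL" check in unix_chkpwd.c with the priority made a policy decision.
 * emit == 0 computes the priority without touching syslog, which is what the checks below use. */
struct check_result check_pass_user(const char *name, int alert_policy, int last_in_stack, int emit)
{
    struct check_result r = { lookup_local_user(name), -1 };

    switch (r.status) {
    case USER_FOUND:
        break;
    case USER_UNKNOWN:
        r.priority = alert_policy ? LOG_ALERT : (last_in_stack ? LOG_NOTICE : LOG_DEBUG);
        if (emit)
            syslog(r.priority, "check pass; user unknown");
        break;
    case LOOKUP_ERROR:
        r.priority = LOG_ERR;   /* a failing NSS backend is an operational problem, not a bad login */
        if (emit)
            syslog(r.priority, "check pass; passwd lookup failed");
        break;
    }
    return r;
}

int main(void)
{
    /* Constructed sample inputs: one name assumed to exist, one assumed not to. */
    const char *names[] = { "root", "nosuchuser-zz9" };

    openlog("pam_unix_example", LOG_PID, LOG_AUTHPRIV);
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        struct check_result r = check_pass_user(names[i], 1, 1, 0);
        printf("%-16s status=%d priority=%d\n", names[i], (int)r.status, r.priority);
    }
    closelog();
    return 0;
}
```

Running the program with emit set to 1 sends the "user unknown" line to the local syslog at whichever priority the policy selects, so the two policies can be compared in the journal or auth log side by side; with emit set to 0 only the chosen priority is reported, which is enough to see that the same unknown-user lookup yields LOG_ALERT under one policy and LOG_DEBUG or LOG_NOTICE under the other.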