I have patched in a quiet_unknown flag for pam_succeed_if which avoids logging when the user is unknown (right before PAM_USER_UNKNOWN is returned). The regenerations mentioned in the ChangeLog will need to be done. dc
diff -ru Linux-PAM-1.1.1/ChangeLog quieter/ChangeLog
--- Linux-PAM-1.1.1/ChangeLog 2009-12-16 08:16:41.000000000 -0500
+++ quieter/ChangeLog 2009-12-17 21:17:59.000000000 -0500
@@ -1,3 +1,10 @@
+ * modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Add
+ quiet_unknown flag to avoid logging "error retrieving information about
+ user", included in quiet flag.
+ * modules/pam_succeed_if/pam_succeed_if.8.xml: Document quiet_unknown
+ * modules/pam_succeed_if/pam_succeed_if.8: Regenerated from xml.
+ * modules/pam_succeed_if/README: Regenerated from xml.
+
 2009-12-16 Thorsten Kukuk <kukuk@xxxxxxx>
 
 * release version 1.1.1
diff -ru Linux-PAM-1.1.1/modules/pam_succeed_if/pam_succeed_if.8.xml quieter/modules/pam_succeed_if/pam_succeed_if.8.xml
--- Linux-PAM-1.1.1/modules/pam_succeed_if/pam_succeed_if.8.xml 2009-06-16 03:35:09.000000000 -0400
+++ quieter/modules/pam_succeed_if/pam_succeed_if.8.xml 2009-12-17 20:51:32.000000000 -0500
@@ -69,7 +69,7 @@
 <varlistentry>
 <term><option>quiet</option></term>
 <listitem>
- <para>Don't log failure or success to the system log.</para>
+ <para>Don't log failure, success, or unknown user to the system log.</para>
 </listitem>
 </varlistentry>
 <varlistentry>
@@ -88,6 +88,14 @@
 </para>
 </listitem>
 </varlistentry>
+ <varlistentry>
+ <term><option>quiet_unknown</option></term>
+ <listitem>
+ <para>
+ Don't log unknown user to the system log.
+ </para>
+ </listitem>
+ </varlistentry>
 </variablelist>
 
 <para>
diff -ru Linux-PAM-1.1.1/modules/pam_succeed_if/pam_succeed_if.c quieter/modules/pam_succeed_if/pam_succeed_if.c
--- Linux-PAM-1.1.1/modules/pam_succeed_if/pam_succeed_if.c 2009-05-05 08:50:16.000000000 -0400
+++ quieter/modules/pam_succeed_if/pam_succeed_if.c 2009-12-17 20:47:39.000000000 -0500
@@ -383,7 +383,7 @@
 struct passwd *pwd;
 int ret, i, count, use_uid, debug;
 const char *left, *right, *qual;
- int quiet_fail, quiet_succ;
+ int quiet_fail, quiet_succ, quiet_unkn;
 
 /* Get the user prompt. */
 ret = pam_get_item(pamh, PAM_USER_PROMPT, &prompt);
@@ -393,6 +393,7 @@
 
 quiet_fail = 0;
 quiet_succ = 0;
+ quiet_unkn = 0;
 for (use_uid = 0, debug = 0, i = 0; i < argc; i++) {
 if (strcmp(argv[i], "debug") == 0) {
 debug++;
@@ -403,6 +404,7 @@
 if (strcmp(argv[i], "quiet") == 0) {
 quiet_fail++;
 quiet_succ++;
+ quiet_unkn++;
 }
 if (strcmp(argv[i], "quiet_fail") == 0) {
 quiet_fail++;
@@ -410,15 +412,19 @@
 if (strcmp(argv[i], "quiet_success") == 0) {
 quiet_succ++;
 }
+ if (strcmp(argv[i], "quiet_unknown") == 0) {
+ quiet_unkn++;
+ }
 }
 if (use_uid) {
 /* Get information about the user. */
 pwd = pam_modutil_getpwuid(pamh, getuid());
 if (pwd == NULL) {
- pam_syslog(pamh, LOG_CRIT,
- "error retrieving information about user %lu",
- (unsigned long)getuid());
+ if(!quiet_unkn)
+ pam_syslog(pamh, LOG_CRIT,
+ "error retrieving information about user %lu",
+ (unsigned long)getuid());
 return PAM_USER_UNKNOWN;
 }
 user = pwd->pw_name;
@@ -435,9 +441,10 @@
 /* Get information about the user. */
 pwd = pam_modutil_getpwnam(pamh, user);
 if (pwd == NULL) {
- pam_syslog(pamh, LOG_CRIT,
- "error retrieving information about user %s",
- user);
+ if(!quiet_unkn)
+ pam_syslog(pamh, LOG_CRIT,
+ "error retrieving information about user %s",
+ user);
 return PAM_USER_UNKNOWN;
 }
 }
@@ -461,6 +468,9 @@
 if (strcmp(argv[i], "quiet_success") == 0) {
 continue;
 }
+ if (strcmp(argv[i], "quiet_unknown") == 0) {
+ continue;
+ }
 if (left == NULL) {
 left = argv[i];
 continue;
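Review bot: The new `if(!quiet_unkn)` guard in front of the three-line pam_syslog call (hunk @@ -410,15 for the getpwuid path, and the same shape in hunk @@ -435,9 for the getpwnam path) has no braces, so a statement added to that spot later would silently land outside the guard; brace it as `if (!quiet_unkn) {` … `}` and use `if (` to match the spacing the rest of the function uses. The getpwuid branch looks up the calling process's own uid, so a NULL there reflects an NSS or system problem rather than an unknown login name, and arguably should not be silenced by the same flag; at minimum the quiet_unknown documentation should say which of the two lookups it covers. The getpwnam message is also the only log record this module leaves of a lookup for a nonexistent user, which log monitoring may depend on, so the man page text would benefit from stating that quiet_unknown removes it. pam_sm_authenticate begins before the first hunk and continues past the last.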