diff --git a/src/home/pam_systemd_home.c b/src/home/pam_systemd_home.c
index 6a3e656035..65d1297139 100644
--- a/src/home/pam_systemd_home.c
+++ b/src/home/pam_systemd_home.c
@@ -91,6 +91,7 @@ static int parse_env(
 static int acquire_user_record(
 pam_handle_t *handle,
 const char *username,
+ bool debug,
 UserRecord **ret_record) {
 _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL;
@@ -147,12 +148,14 @@ static int acquire_user_record(
 r = bus_call_method(bus, bus_home_mgr, "GetUserRecordByName", &error, &reply, "s", username);
 if (r < 0) {
 if (bus_error_is_unknown_service(&error)) {
- pam_syslog(handle, LOG_DEBUG, "systemd-homed is not available: %s", bus_error_message(&error, r));
+ if (debug)
+ pam_syslog(handle, LOG_DEBUG, "systemd-homed is not available: %s", bus_error_message(&error, r));
 goto user_unknown;
 }
 if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_HOME)) {
- pam_syslog(handle, LOG_DEBUG, "Not a user managed by systemd-homed: %s", bus_error_message(&error, r));
+ if (debug)
+ pam_syslog(handle, LOG_DEBUG, "Not a user managed by systemd-homed: %s", bus_error_message(&error, r));
 goto user_unknown;
 }
@@ -264,7 +267,8 @@ static int handle_generic_user_record_error(
 const char *user_name,
 UserRecord *secret,
 int ret,
- const sd_bus_error *error) {
+ const sd_bus_error *error,
+ bool debug) {
 assert(user_name);
 assert(error);
@@ -300,9 +304,11 @@ static int handle_generic_user_record_error(
 if (r != PAM_SUCCESS)
 return PAM_CONV_ERR; /* no logging here */
- if (isempty(newp))
- return pam_syslog_pam_error(handle, LOG_DEBUG, PAM_AUTHTOK_ERR, "Password request aborted.");
+ if (isempty(newp)) {
+ if (debug)
+ pam_syslog(handle, LOG_DEBUG, "Password request aborted.");
+ return PAM_AUTHTOK_ERR;
+ }
 r = user_record_set_password(secret, STRV_MAKE(newp), true);
 if (r < 0)
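Review bot: The five-line `if (isempty(newp)) { if (debug) pam_syslog(handle, LOG_DEBUG, "..."); return PAM_AUTHTOK_ERR; }` shape introduced in the `-300` hunk is repeated verbatim in the `-324`, `-347`, `-365`, `-420`, `-437`, `-454` and `-969` hunks, and the bare `if (debug) pam_syslog(...)` pair appears twice more in the `-147` hunk. A single helper keeps the debug gate in one place so that a log site added later cannot forget it, e.g. `#define pam_debug_syslog(h, dbg, ...) do { if (dbg) pam_syslog((h), LOG_DEBUG, __VA_ARGS__); } while (0)` (constructed name, to live alongside `pam_syslog_pam_error()`), after which each of those sites collapses back to an `if`/`return` pair. Where the debug flag comes from at the call sites is outside these hunks; `handle_generic_user_record_error()` starts in the `-264` hunk and its body continues past every hunk shown here.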
@@ -324,9 +330,11 @@ static int handle_generic_user_record_error(
 if (r != PAM_SUCCESS)
 return PAM_CONV_ERR; /* no logging here */
- if (isempty(newp))
- return pam_syslog_pam_error(handle, LOG_DEBUG, PAM_AUTHTOK_ERR, "Recovery key request aborted.");
+ if (isempty(newp)) {
+ if (debug)
+ pam_syslog(handle, LOG_DEBUG, "Recovery key request aborted.");
+ return PAM_AUTHTOK_ERR;
+ }
 r = user_record_set_password(secret, STRV_MAKE(newp), true);
 if (r < 0)
@@ -347,9 +355,11 @@ static int handle_generic_user_record_error(
 if (r != PAM_SUCCESS)
 return PAM_CONV_ERR; /* no logging here */
- if (isempty(newp))
- return pam_syslog_pam_error(handle, LOG_DEBUG, PAM_AUTHTOK_ERR, "Password request aborted.");
+ if (isempty(newp)) {
+ if (debug)
+ pam_syslog(handle, LOG_DEBUG, "Password request aborted.");
+ return PAM_AUTHTOK_ERR;
+ }
 r = user_record_set_password(secret, STRV_MAKE(newp), true);
@@ -365,8 +375,11 @@ static int handle_generic_user_record_error(
 if (r != PAM_SUCCESS)
 return PAM_CONV_ERR; /* no logging here */
- if (isempty(newp))
- return pam_syslog_pam_error(handle, LOG_DEBUG, PAM_AUTHTOK_ERR, "PIN request aborted.");
+ if (isempty(newp)) {
+ if (debug)
+ pam_syslog(handle, LOG_DEBUG, "PIN request aborted.");
+ return PAM_AUTHTOK_ERR;
+ }
 r = user_record_set_token_pin(secret, STRV_MAKE(newp), false);
 if (r < 0)
@@ -420,8 +433,11 @@ static int handle_generic_user_record_error(
 if (r != PAM_SUCCESS)
 return PAM_CONV_ERR; /* no logging here */
- if (isempty(newp))
- return pam_syslog_pam_error(handle, LOG_DEBUG, PAM_AUTHTOK_ERR, "PIN request aborted.");
+ if (isempty(newp)) {
+ if (debug)
+ pam_syslog(handle, LOG_DEBUG, "PIN request aborted.");
+ return PAM_AUTHTOK_ERR;
+ }
 r = user_record_set_token_pin(secret, STRV_MAKE(newp), false);
 if (r < 0)
@@ -437,8 +453,11 @@ static int handle_generic_user_record_error(
 if (r != PAM_SUCCESS)
 return PAM_CONV_ERR; /* no logging here */
- if (isempty(newp))
- return pam_syslog_pam_error(handle, LOG_DEBUG, PAM_AUTHTOK_ERR, "PIN request aborted.");
+ if (isempty(newp)) {
+ if (debug)
+ pam_syslog(handle, LOG_DEBUG, "PIN request aborted.");
+ return PAM_AUTHTOK_ERR;
+ }
 r = user_record_set_token_pin(secret, STRV_MAKE(newp), false);
 if (r < 0)
@@ -454,8 +473,11 @@ static int handle_generic_user_record_error(
 if (r != PAM_SUCCESS)
 return PAM_CONV_ERR; /* no logging here */
- if (isempty(newp))
- return pam_syslog_pam_error(handle, LOG_DEBUG, PAM_AUTHTOK_ERR, "PIN request aborted.");
+ if (isempty(newp)) {
+ if (debug)
+ pam_syslog(handle, LOG_DEBUG, "PIN request aborted.");
+ return PAM_AUTHTOK_ERR;
+ }
 r = user_record_set_token_pin(secret, STRV_MAKE(newp), false);
 if (r < 0)
@@ -517,7 +539,7 @@ static int acquire_home(
 if (r != PAM_SUCCESS)
 return r;
- r = acquire_user_record(handle, username, &ur);
+ r = acquire_user_record(handle, username, debug, &ur);
 if (r != PAM_SUCCESS)
 return r;
@@ -584,7 +606,7 @@ static int acquire_home(
 else if (sd_bus_error_has_name(&error, BUS_ERROR_HOME_LOCKED))
 home_locked = true; /* Similar */
 else {
- r = handle_generic_user_record_error(handle, ur->user_name, secret, r, &error);
+ r = handle_generic_user_record_error(handle, ur->user_name, secret, r, &error, debug);
 if (r == PAM_CONV_ERR) {
 /* Password/PIN prompts will fail in certain environments, for example when
 * we are called from OpenSSH's account or session hooks, or in systemd's
@@ -596,7 +618,8 @@ static int acquire_home(
 if (home_locked)
 (void) pam_prompt(handle, PAM_ERROR_MSG, NULL, "Home of user %s is currently locked, please unlock locally first.", ur->user_name);
- pam_syslog(handle, please_authenticate ? LOG_ERR : LOG_DEBUG, "Failed to prompt for password/prompt.");
+ if (please_authenticate || debug)
+ pam_syslog(handle, please_authenticate ? LOG_ERR : LOG_DEBUG, "Failed to prompt for password/prompt.");
 return home_not_active || home_locked ? PAM_PERM_DENIED : PAM_CONV_ERR;
 }
@@ -836,7 +859,7 @@ _public_ PAM_EXTERN int pam_sm_acct_mgmt(
 if (r != PAM_SUCCESS)
 return r;
- r = acquire_user_record(handle, NULL, &ur);
+ r = acquire_user_record(handle, NULL, debug, &ur);
 if (r != PAM_SUCCESS)
 return r;
@@ -948,7 +971,7 @@ _public_ PAM_EXTERN int pam_sm_chauthtok(
 if (r != PAM_SUCCESS)
 return r;
- r = acquire_user_record(handle, NULL, &ur);
+ r = acquire_user_record(handle, NULL, debug, &ur);
 if (r != PAM_SUCCESS)
 return r;
@@ -969,8 +992,11 @@ _public_ PAM_EXTERN int pam_sm_chauthtok(
 if (r != PAM_SUCCESS)
 return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to get new password: @PAMERR@");
- if (isempty(new_password))
- return pam_syslog_pam_error(handle, LOG_DEBUG, PAM_AUTHTOK_ERR, "Password request aborted.");
+ if (isempty(new_password)) {
+ if (debug)
+ pam_syslog(handle, LOG_DEBUG, "Password request aborted.");
+ return PAM_AUTHTOK_ERR;
+ }
 r = pam_get_authtok_verify(handle, &new_password, "new password: "); /* Lower case, since PAM prefixes 'Repeat' */
 if (r != PAM_SUCCESS)
@@ -1025,7 +1051,7 @@ _public_ PAM_EXTERN int pam_sm_chauthtok(
 r = sd_bus_call(bus, m, HOME_SLOW_BUS_CALL_TIMEOUT_USEC, &error, NULL);
 if (r < 0) {
- r = handle_generic_user_record_error(handle, ur->user_name, old_secret, r, &error);
+ r = handle_generic_user_record_error(handle, ur->user_name, old_secret, r, &error, debug);
 if (r == PAM_CONV_ERR)
 return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to prompt for password/prompt.");
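Review bot: In the `-596` hunk the added gate `if (please_authenticate || debug)` and the kept level ternary `please_authenticate ? LOG_ERR : LOG_DEBUG` encode the same decision twice, which is easy to drift apart on a later edit; stating each case once, `if (please_authenticate) pam_syslog(handle, LOG_ERR, "...");` followed by `else if (debug) pam_syslog(handle, LOG_DEBUG, "...");`, removes the duplicated condition. The retained message text `password/prompt` reads like a typo for `password/PIN`, since the prompts this path covers are for passwords and PINs (the `-365` through `-454` hunks); the same string is logged again in the `-1025` hunk. This assumes `debug` in `acquire_home()` mirrors the module's debug option, which is set outside the hunk; `acquire_home()`'s body continues beyond it.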