Relevant BUGIDs: Red Hat bz 120694

Purpose of commit: bugfix

Commit summary:
---------------
skip logging of 'user unknown' authentication failure if the user
has passwd entry

diff --git a/CHANGELOG b/CHANGELOG
index d44bf77d38680fcdecb61ce4679bd0880925dc15..48029a8824a081ae9989ae99c3abc233e61f3e21 100644 (file)
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -62,7 +62,8 @@ BerliOS Bugs are marked with (BerliOS #XXXX).
 
 0.79: please submit patches for this section with actual code/doc
       patches!
-
+* pam_unix: don't log user unknown failure when he can be properly
+  authenticated by another module
 
 0.78: Do Nov 18 14:48:36 CET 2004
 

diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index 5138a875492c0637ce2d2c4e24ff70575754d745..cf01e3c21c39dcd1e293cecb106fde40176a43fc 100644 (file)
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -698,6 +698,8 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name
                        }
                } else {
                        D(("user's record unavailable"));
+                       p = NULL;
+                       retval = PAM_AUTHINFO_UNAVAIL;
                        if (on(UNIX_AUDIT, ctrl)) {
                                /* this might be a typo and the user has given a password
                                   instead of a username. Careful with this. */
@@ -705,11 +707,14 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name
                                         "check pass; user (%s) unknown", name);
                        } else {
                                name = NULL;
-                               _log_err(LOG_ALERT, pamh,
-                                        "check pass; user unknown");
+                               if (on(UNIX_DEBUG, ctrl) || pwd == NULL) {
+                                   _log_err(LOG_ALERT, pamh,
+                                           "check pass; user unknown");
+                               } else {
+                                   /* don't log failure as another pam module can succeed */
+                                   goto cleanup;
+                               }
                        }
-                       p = NULL;
-                       retval = PAM_AUTHINFO_UNAVAIL;
                }
        } else {
            int salt_len = strlen(salt);
@@ -831,6 +836,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name
                }
        }
 
+cleanup:
        if (data_name)
                _pam_delete(data_name);
        if (salt)