pam_unix: Add logging useful for debugging problems

Two messages added about obtaining the username are guarded
by the debug option as these should not be normally
logged - they can be useful for debugging but they do not
indicate any special condition.

The message about authenticating user with blank password is
still just LOG_DEBUG priority but it is logged unconditionally
because it is somewhat extraordinary condition to have an user
with blank password.

* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Replace
  D() macro calls which are not enabled on production builds with
  regular pam_syslog() calls.

diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c
index 681e49db9a8b8a96d922fa192f388b72555114ca..3fca94521f6b480fb6449a10a4071aab660e7346 100644 (file)
--- a/modules/pam_unix/pam_unix_auth.c
+++ b/modules/pam_unix/pam_unix_auth.c
@@ -130,15 +130,16 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
                        AUTH_RETURN;
                }
                if (on(UNIX_DEBUG, ctrl))
-                       D(("username [%s] obtained", name));
+                       pam_syslog(pamh, LOG_DEBUG, "username [%s] obtained", name);
        } else {
-               D(("trouble reading username"));
                if (retval == PAM_CONV_AGAIN) {
                        D(("pam_get_user/conv() function is not ready yet"));
                        /* it is safe to resume this function so we translate this
                         * retval to the value that indicates we're happy to resume.
                         */
                        retval = PAM_INCOMPLETE;
+               } else if (on(UNIX_DEBUG, ctrl)) {
+                       pam_syslog(pamh, LOG_DEBUG, "could not obtain username");
                }
                AUTH_RETURN;
        }
@@ -146,7 +147,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
        /* if this user does not have a password... */
 
        if (_unix_blankpasswd(pamh, ctrl, name)) {
-               D(("user '%s' has blank passwd", name));
+               pam_syslog(pamh, LOG_DEBUG, "user [%s] has blank password; authenticated without it", name);
                name = NULL;
                retval = PAM_SUCCESS;
                AUTH_RETURN;