Date: Sat, 31 Mar 2001 22:17:31 +0400 (MSD) From: "Ilmar S. Habibulin" <ilmar@ints.ru> To: <security@freebsd.org> Subject: pam_unix logging patch Message-ID: <Pine.BSF.4.33.0103312205530.89026-200000@ws-ilmar.ints.ru>
[-- Attachment #1 --]
Here is a patch to log user logins and logouts, which I made in 15 minutes
while studying login & PAM. Why not use LOG_AUTH and pam_system_log(),
along with other useful PAM functions, to log different events?
Also, I don't understand why half of the login code isn't moved into PAM modules,
or why PAM isn't used exclusively, without ifdefs.
PS. The patch is against -current.
[-- Attachment #2 --]
--- pam_unix.c Sat May 8 05:59:27 1999
+++ pam_tunix.c Sat Mar 31 22:03:47 2001
@@ -37,6 +37,8 @@
#define PAM_SM_AUTH
#define PAM_SM_ACCOUNT
+#define PAM_SM_SESSION
+
#include <security/pam_modules.h>
#include "pam_mod_misc.h"
@@ -158,6 +160,95 @@
}
login_close(lc);
+ return retval;
+}
+
+/*
+#define OPEN_SESSION_LOG "\
+service: %s\n\
+user : %s\n\
+tty : %s\n\
+host : %s\n"
+*/
+
+#define OPEN_SESSION_LOG "login user %s on %s from %s"
+/* ^ ^ ^
+ | | |
+ | | +- hostname
+ | +- tty
+ +- user name
+*/
+#define CLOSE_SESSION_LOG "logout user %s on %s from %s"
+
+PAM_EXTERN int
+pam_sm_open_session(pam_handle_t *pamh, int flags, int argc,
+ const char **argv)
+{
+ const char *user;
+ const char *service;
+ const char *tty;
+ const char *rhost;
+ int retval;
+
+ retval = pam_get_item(pamh, PAM_USER, (const void **)&user);
+ if (retval != PAM_SUCCESS || user == NULL)
+ return PAM_USER_UNKNOWN;
+
+ retval = pam_get_item(pamh, PAM_SERVICE, (const void **)&service);
+ if (retval != PAM_SUCCESS || service == NULL)
+ return PAM_SERVICE_ERR;
+
+ retval = pam_get_item(pamh, PAM_TTY, (const void **)&tty);
+ if (retval != PAM_SUCCESS || tty == NULL)
+ return PAM_SERVICE_ERR;
+
+ retval = pam_get_item(pamh, PAM_RHOST, (const void **)&rhost);
+ if (retval != PAM_SUCCESS)
+ return PAM_SERVICE_ERR;
+/*
+ printf("pam_sm_open_session() uid=%d\n", getuid());
+*/
+ pam_system_log(pamh, NULL, LOG_AUTH|LOG_INFO,
+ OPEN_SESSION_LOG, user, tty,
+ rhost ? rhost : "localhost");
+ retval = PAM_SUCCESS;
+ return retval;
+}
+
+PAM_EXTERN int
+pam_sm_close_session(pam_handle_t *pamh, int flags, int argc,
+ const char **argv)
+{
+ const char *user;
+ const char *service;
+ const char *tty;
+ const char *rhost;
+ int retval;
+
+ retval = pam_get_item(pamh, PAM_USER, (const void **)&user);
+ if (retval != PAM_SUCCESS || user == NULL)
+ /* some implementations return PAM_SUCCESS here */
+ return PAM_USER_UNKNOWN;
+
+ retval = pam_get_item(pamh, PAM_SERVICE, (const void **)&service);
+ if (retval != PAM_SUCCESS || service == NULL)
+ return PAM_SERVICE_ERR;
+
+ retval = pam_get_item(pamh, PAM_TTY, (const void **)&tty);
+ if (retval != PAM_SUCCESS || tty == NULL)
+ return PAM_SERVICE_ERR;
+
+ retval = pam_get_item(pamh, PAM_RHOST, (const void **)&rhost);
+ if (retval != PAM_SUCCESS)
+ return PAM_SERVICE_ERR;
+
+ pam_system_log(pamh, NULL, LOG_AUTH|LOG_INFO,
+ CLOSE_SESSION_LOG, user, tty,
+ rhost ? rhost : "localhost");
+/*
+ printf("pam_sm_close_session for user %s, uid %d\n", user, getuid());
+*/
+ retval = PAM_SUCCESS;
return retval;
}
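Review bot: Both new session hooks return PAM_SERVICE_ERR when PAM_TTY or PAM_SERVICE is unset, so a service that sets no tty would have its session refused (and its logout left unlogged) by code whose only job is logging; `service` is not even used by the active format strings. Consider dropping the PAM_SERVICE lookup and substituting a placeholder the way rhost already is, e.g. `tty ? tty : "(none)"`, in pam_sm_open_session and pam_sm_close_session alike. The user, tty and rhost strings are set by the calling application and can originate from the remote peer, so unless pam_system_log or syslogd is known to escape control characters (not visible in this hunk) they should be sanitised before being written to LOG_AUTH, otherwise a crafted value could split or forge audit lines. Logging "localhost" for a missing rhost also makes a local login indistinguishable from a remote host reporting that name; a distinct marker would keep the record unambiguous.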
