tech-security archive


password change logging



NetBSD doesn't currently log successful password changes or unsuccessful
attempts to change passwords.  Sometimes IT rules require this, and it
seems to be of general interest when running a tight ship.  Password
changes are rare, so this is hardly log noise compared to every ssh
connection and login.

Richard Hansen (also of BBN) wrote the following patch.  I've compiled
it on netbsd-5 on several arches and tested on i386.  It applied to
current cleanly and built fine for amd64.

I'd like to commit this.  Any objections or encouragement?

Index: usr.bin/passwd/local_passwd.c
===================================================================
RCS file: /cvsroot/src/usr.bin/passwd/local_passwd.c,v
retrieving revision 1.33
diff -u -p -r1.33 local_passwd.c
--- usr.bin/passwd/local_passwd.c       17 Apr 2009 20:25:08 -0000      1.33
+++ usr.bin/passwd/local_passwd.c       26 Feb 2010 16:41:04 -0000
@@ -53,6 +53,7 @@ __RCSID("$NetBSD: local_passwd.c,v 1.33 
 #include <unistd.h>
 #include <util.h>
 #include <login_cap.h>
+#include <syslog.h>
 
 #include "extern.h"
 
@@ -72,6 +73,10 @@ getnewpasswd(struct passwd *pw, int min_
            strcmp(crypt(getpass("Old password:"), pw->pw_passwd),
            pw->pw_passwd)) {
                errno = EACCES;
+               syslog(LOG_AUTH | LOG_NOTICE,
+                      "user %s (UID %lu) failed to change the "
+                      "local password of user %s: %m",
+                      pw->pw_name, (unsigned long)uid, pw->pw_name);
                pw_error(NULL, 1, 1);
        }
 
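Review bot: The actor field of the new failure record is filled with `pw->pw_name`, which is the target account, so the line names the same user twice, while the success records in pwlocal_process and local_chpw derive the actor from `uid` and pam_passwd.c resolves it with getpwuid(). If this branch is only reachable when a non-root caller changes its own password (the `uid &&` guard and the own-account check are outside the hunk, so I cannot confirm from here), the value is correct but the reason is invisible at the call site; a comment such as `/* only a non-root user changing its own password reaches this check, so pw->pw_name is also the invoker */` would make the audit line's meaning explicit. `%m` expands the errno set on the line just above, so the trailing text is always "Permission denied" and carries no information beyond the message itself; naming the actual cause in the format (`old password mismatch`) would be more useful to whoever reads the log. getnewpasswd begins before this hunk.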
@@ -213,6 +218,11 @@ pwlocal_process(const char *username, in
 
        if (pw_mkdb(username, old_change == pw->pw_change) < 0)
                pw_error((char *)NULL, 0, 1);
+
+       syslog(LOG_AUTH | LOG_INFO,
+              "user %s (UID %lu) successfully changed "
+              "the local password of user %s",
+              uid ? username : "root", (unsigned long)uid, username);
 }
 
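Review bot: `uid ? username : "root"` in the new success record guesses the invoker's name: any UID-0 caller is reported as "root" even when it logged in under another uid-0 account such as toor, and the same expression is repeated in the local_chpw hunk below. pam_passwd.c resolves the invoker with getpwuid(), so the two backends produce differently-derived actor fields for the same event. NetBSD's pwcache(3) `user_from_uid(uid, 0)` returns the real name, falling back to the numeric id, in one call: `user_from_uid(uid, 0), (unsigned long)uid, username`. The numeric UID is already in the record, so correlation is possible either way, but a consistently derived actor name makes the log easier to filter. pwlocal_process starts outside the hunk.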
 #else /* ! USE_PAM */
@@ -319,6 +329,12 @@ local_chpw(uname)
 
        if (pw_mkdb(uname, old_change == pw->pw_change) < 0)
                pw_error((char *)NULL, 0, 1);
+
+       syslog(LOG_AUTH | LOG_INFO,
+              "user %s (UID %lu) successfully changed "
+              "the local password of user %s",
+              uid ? uname : "root", (unsigned long)uid, uname);
+
        return (0);
 }
 
Index: usr.bin/passwd/pam_passwd.c
===================================================================
RCS file: /cvsroot/src/usr.bin/passwd/pam_passwd.c,v
retrieving revision 1.4
diff -u -p -r1.4 pam_passwd.c
--- usr.bin/passwd/pam_passwd.c 6 May 2007 09:19:44 -0000       1.4
+++ usr.bin/passwd/pam_passwd.c 26 Feb 2010 16:41:04 -0000
@@ -75,6 +75,12 @@ pwpam_process(const char *username, int 
        int ch, pam_err;
        char hostname[MAXHOSTNAMELEN + 1];
 
+       /* details about the invoking user for logging */
+       const uid_t i_uid = getuid();
+       const struct passwd *const i_pwd = getpwuid(i_uid);
+       const char *const i_username = (i_pwd && i_pwd->pw_name)
+               ? i_pwd->pw_name : "(null)";
+
        while ((ch = getopt(argc, argv, "")) != -1) {
                switch (ch) {
                default:
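Review bot: `i_username` in the new declarations keeps a pointer into the static buffer returned by getpwuid(), but it is not consumed until the syslog() calls after pam_chauthtok() later in this function; any getpw*() lookup in between — the modules run by pam_chauthtok() very likely perform one, and this function may look up `username` itself (not visible here) — can overwrite that buffer, so the audit line could name the wrong user. Copy the name at the point of lookup instead: `char i_username[MAXLOGNAME + 1];` (mirroring the `MAXHOSTNAMELEN + 1` buffer above it) and `strlcpy(i_username, (i_pwd && i_pwd->pw_name) ? i_pwd->pw_name : "(null)", sizeof i_username);`, dropping the `const char *const` pointer form. The `/* details about the invoking user for logging */` comment still applies unchanged. pwpam_process's body continues on both sides of this hunk.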
@@ -116,9 +122,22 @@ pwpam_process(const char *username, int 
 
        /* set new password */
        pam_err = pam_chauthtok(pamh, 0);
-       if (pam_err != PAM_SUCCESS)
+       if (pam_err != PAM_SUCCESS) {
+               if (pam_err == PAM_PERM_DENIED) {
+                       syslog(LOG_AUTH | LOG_NOTICE,
+                              "user %s (UID %lu) failed to change the "
+                              "PAM authentication token of user %s: %s",
+                              i_username, (unsigned long)i_uid, username,
+                              pam_strerror(pamh, pam_err));
+               }
                printf("Unable to change auth token: %s\n",
                    pam_strerror(pamh, pam_err));
+       } else {
+               syslog(LOG_AUTH | LOG_INFO,
+                      "user %s (UID %lu) successfully changed the "
+                      "PAM authentication token of user %s",
+                      i_username, (unsigned long)i_uid, username);
+       }
 
  end:
        pam_end(pamh, pam_err);
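Review bot: The failure record inside the new `if (pam_err != PAM_SUCCESS)` block is written only when `pam_err == PAM_PERM_DENIED`; every other non-success result from pam_chauthtok() (PAM_AUTHTOK_ERR, PAM_TRY_AGAIN, a module or system failure) reaches the printf() with no syslog entry, although the cover mail states that logging unsuccessful attempts is the point of the patch. Which code a rejected current password maps to depends on the configured modules, so keying on a single constant risks losing exactly the events of interest. Dropping the inner `if (pam_err == PAM_PERM_DENIED) {` / `}` pair so the NOTICE is emitted for any failure is simpler, and the `%s` from pam_strerror() already records the specific cause. The `end:` label and pam_end() that follow are only partly within this view.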

Attachment: pgpgv5isiaBuA.pgp
Description: PGP signature


