Send bad password log to /var/log/syslog and include user info in the log (#10032)

Why I did it
Desired the log message destination to be syslog, and it misses the critical info.

How I did it
Non-logical code changes only.
Logging update, for one message only:
a) The log message is directed to /var/log/syslog instead of /var/log/auth.log.
b) Include the user alias in the message.

How to verify it
Pick a user alias that has not logged into the switch yet
Add this alias to /etc/tacplus_user
Attempt to login as that user
Look for the error message in /var/log/syslog
e.g. "Feb 18 19:16:41.592191 sonic ERR sshd[5233]: auth fail: Password incorrect. user: user_xyz"
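The verification step above only greps for the new line by eye. The following is an added example (my own code, not part of this commit or of the sonic-buildimage project) that parses lines in the format shown in the sample message, counts failed logins per user and flags repeat offenders, the way a detection rule on the switch's syslog would. The sample lines are constructed, not real switch output; the severity column (ERR/INFO) is assumed to be optional so that plain Debian-style lines without it also parse; and the login name is rendered through unicode_escape because it is chosen by whoever connects over SSH, so it may carry control characters.

```python
"""Detection over the 'auth fail: Password incorrect. user: <name>' syslog line."""
import re
import sys
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample input (not real switch output), modelled on the log line
# quoted in the commit message. The last two lines are deliberate edge cases:
# a login name carrying a terminal escape sequence, and a non-syslog line.
SAMPLE_SYSLOG = """\
Feb 18 19:16:41.592191 sonic ERR sshd[5233]: auth fail: Password incorrect. user: user_xyz
Feb 18 19:16:45.001234 sonic ERR sshd[5240]: auth fail: Password incorrect. user: user_xyz
Feb 18 19:16:50.777777 sonic ERR sshd[5251]: auth fail: Password incorrect. user: admin
Feb 18 19:16:52.000000 sonic INFO sshd[5251]: Accepted password for admin from 10.0.0.5 port 50000 ssh2
Feb 18 19:17:03.000000 sonic ERR sshd[5260]: auth fail: Password incorrect. user: \x1b[2Jroot
this line is not syslog-shaped at all
"""

# Assumption: "<Mon> <day> <time>[.usec] <host> [<SEVERITY>] <prog>[<pid>]: <msg>".
# The severity field is optional so lines without it (stock Debian) still match.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?) "
    r"(?P<host>\S+) (?:(?P<sev>[A-Z]+) )?(?P<prog>[^\s\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Exactly the message text produced by the patched pam_tacplus syslog() call.
FAIL_RE = re.compile(r"^auth fail: Password incorrect\. user: (?P<user>.*)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one syslog line into fields, or return None if it is not syslog-shaped."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def safe_name(name: str) -> str:
    """Render an attacker-chosen login name so control characters cannot reach a terminal."""
    return name.encode("unicode_escape").decode("ascii")


def failed_logins(text: str) -> List[Dict[str, str]]:
    """Return one record per 'auth fail' line: timestamp, host, pid and sanitised user."""
    events = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        fm = FAIL_RE.match(rec["msg"])
        if fm is None:
            continue
        events.append({"ts": rec["ts"], "host": rec["host"],
                       "pid": rec["pid"], "user": safe_name(fm["user"])})
    return events


def count_failures(text: str) -> Counter:
    """Number of failed logins per (sanitised) login name."""
    return Counter(ev["user"] for ev in failed_logins(text))


def users_over_threshold(text: str, threshold: int) -> List[str]:
    """Login names with at least `threshold` failures, sorted for stable output."""
    return sorted(u for u, n in count_failures(text).items() if n >= threshold)


def unparsed_lines(text: str) -> List[str]:
    """Non-empty lines the parser rejected; a spike here hints at log injection."""
    return [l for l in text.splitlines() if l.strip() and parse_line(l) is None]


if __name__ == "__main__":
    # Usage: python detect_authfail.py [/var/log/syslog]; defaults to the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SYSLOG
    for user, n in count_failures(data).most_common():
        print(f"{n:4d}  {user}")
    print("repeat offenders:", users_over_threshold(data, 2))
    print("unparsed lines:", unparsed_lines(data))
```

Because the login name is copied verbatim into the message, the detector never prints it raw: a name such as the constructed `\x1b[2Jroot` would otherwise clear the screen of whoever tails the log, and a name containing a newline would show up as an extra, unparseable line, which is why unparsed lines are reported separately.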
Renuka Manavalan 2022-02-24 15:26:56 -08:00 committed by GitHub
parent 9e51fada45
commit 39d47f2ea4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -1,6 +1,6 @@
From f2687e7a442c83e19190695021fb9a60fe07ba60 Mon Sep 17 00:00:00 2001
From 4ef102dfa137c2c6e3dd63c2d16f2966b6f5add8 Mon Sep 17 00:00:00 2001
From: Renuka Manavalan <remanava@microsoft.com>
Date: Wed, 17 Nov 2021 02:31:45 +0000
Date: Fri, 18 Feb 2022 22:07:24 +0000
Subject: [PATCH] handle bad password set by sshd
---
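Review bot: the regenerated header changes the From hash and Date but leaves the patch with no description at all between the Subject line and the `---` separator, so nothing in the patch file itself records why the message moved to a different syslog facility or why the user name was added. Since this file is what the next person rebasing pam_tacplus will read, add a short body under `Subject: [PATCH] handle bad password set by sshd` stating both changes and their intent (the PR text in the commit message is a good source).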
@ -11,7 +11,7 @@ Subject: [PATCH] handle bad password set by sshd
4 files changed, 49 insertions(+), 4 deletions(-)
diff --git a/pam_tacplus.c b/pam_tacplus.c
index ec8ea27..014421b 100644
index ec8ea27..2421874 100644
--- a/pam_tacplus.c
+++ b/pam_tacplus.c
@@ -251,6 +251,13 @@ int pam_sm_authenticate (pam_handle_t * pamh, int flags,
@ -19,7 +19,7 @@ index ec8ea27..014421b 100644
}
+ if (validate_not_sshd_bad_pass(pass) != PAM_SUCCESS) {
+ syslog(LOG_ERR, "auth fail: Password incorrect");
+ syslog(LOG_LOCAL0|LOG_ERR, "auth fail: Password incorrect. user: %s", user);
+ memset(pass, 0, strlen (pass));
+ free(pass);
+ return PAM_AUTH_ERR;
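Review bot: in `syslog(LOG_LOCAL0|LOG_ERR, "auth fail: Password incorrect. user: %s", user);` the name is passed to `%s` with no NULL check or sanitisation visible in the hunk, and on this path (judging from `validate_not_sshd_bad_pass` and the patch subject) it is the remote login name that sshd has already rejected, i.e. attacker-supplied. Guard the format argument (`user ? user : "(null)"`) and note that syslog(3) does not strip control characters, so a crafted name can inject newlines or terminal escapes into /var/log/syslog. Two caveats on the facility change: `LOG_LOCAL0|LOG_ERR` overrides whatever facility openlog() set, and typical rsyslog rules route local0 to the broadly readable /var/log/syslog rather than the restricted auth.log, while users do occasionally type their password into the login-name field, so this line will now expose such mistakes to a wider audience. Separately, the `memset(pass, 0, strlen (pass));` immediately before `free(pass);` is a dead store the compiler is entitled to elide; use `explicit_bzero(pass, strlen(pass))` (or `memset_s`) where the toolchain provides it.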