PAM error text can be configured

4 files changed, 70 insertions, 1 deletions

diff --git a/xrdp/xrdp.ini b/xrdp/xrdp.ini
index f500f63f..d4a99dfb 100644
--- a/xrdp/xrdp.ini
+++ b/xrdp/xrdp.ini
@@ -25,6 +25,8 @@ tcp_keepalive=yes
 #autorun=xrdp1
 #hidelogwindow=yes
 #bulk_compression=yes
+# You can set the PAM error text in a gateway setup (MAX 256 chars)
+#pamerrortxt=change your password according to policy at http://url
 
 [Logging]
 LogFile=xrdp.log
diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c
index 0f2fae2a..28b83ad0 100644
--- a/xrdp/xrdp_mm.c
+++ b/xrdp/xrdp_mm.c
@@ -1204,7 +1204,7 @@ const char *getPAMError(const int pamError)
 {      
     switch(pamError){
 	case PAM_SUCCESS:
-	return "Success";    
+	    return "Success";    
 	case PAM_OPEN_ERR:
 	    return "dlopen() failure";
 	case PAM_SYMBOL_ERR:
@@ -1274,6 +1274,58 @@ const char *getPAMError(const int pamError)
     }
     
 }
+
+const char *getPAMAdditionalErrorInfo(const int pamError,struct xrdp_mm *self)
+{      
+    switch(pamError){
+	case PAM_SUCCESS:
+	    return NULL;    
+	case PAM_OPEN_ERR:	    
+	case PAM_SYMBOL_ERR:	    
+	case PAM_SERVICE_ERR:	    
+	case PAM_SYSTEM_ERR:	    
+	case PAM_BUF_ERR:	    
+	case PAM_PERM_DENIED:	    
+	case PAM_AUTH_ERR:	    
+	case PAM_CRED_INSUFFICIENT:	    
+	case PAM_AUTHINFO_UNAVAIL:	    
+	case PAM_USER_UNKNOWN:
+	case PAM_CRED_UNAVAIL:
+	case PAM_CRED_ERR:	    
+	case PAM_NO_MODULE_DATA:	    
+	case PAM_BAD_ITEM:	    
+	case PAM_CONV_ERR:	    
+	case PAM_AUTHTOK_ERR:	     
+	case PAM_AUTHTOK_LOCK_BUSY:	    
+	case PAM_AUTHTOK_DISABLE_AGING:	    
+	case PAM_TRY_AGAIN:	    
+	case PAM_IGNORE:	    
+	case PAM_MODULE_UNKNOWN:	    
+	case PAM_CONV_AGAIN:
+	case PAM_INCOMPLETE:	       
+	case _PAM_RETURN_VALUES+1:	    
+	case _PAM_RETURN_VALUES+3:	    
+            return NULL;
+	case PAM_MAXTRIES:	    
+	case PAM_NEW_AUTHTOK_REQD:	    
+	case PAM_ACCT_EXPIRED:	 
+	case PAM_CRED_EXPIRED:	
+	case PAM_AUTHTOK_EXPIRED:	
+	    if(self->wm->pamerrortxt[0])
+	    {		
+	        return self->wm->pamerrortxt;
+	    }
+	    else
+	    {
+		return "Authentication error - Verify that user/password is valid ";
+	    }
+	default:{	   
+	    return "No expected error" ;
+	}
+	
+    }
+    
+}
 #endif
 /*****************************************************************************/
 int APP_CC
@@ -1368,6 +1420,7 @@ xrdp_mm_connect(struct xrdp_mm *self)
     {
         int reply;
         char replytxt[80];
+        char *additionalError;
         xrdp_wm_log_msg(self->wm, "Please wait, we now perform access control...");
 
         /* g_writeln("we use pam modules to check if we can approve this user"); */
@@ -1390,6 +1443,14 @@ xrdp_mm_connect(struct xrdp_mm *self)
 
         xrdp_wm_log_msg(self->wm, replytxt);
         log_message(LOG_LEVEL_INFO, replytxt);
+        additionalError = getPAMAdditionalErrorInfo(reply,self);
+        if(additionalError)
+        {
+            if(additionalError[0])
+            {
+                xrdp_wm_log_msg(self->wm,additionalError);
+            }
+        }
 
         if (reply != 0)
         {
diff --git a/xrdp/xrdp_types.h b/xrdp/xrdp_types.h
index fdaed059..d99dced9 100644
--- a/xrdp/xrdp_types.h
+++ b/xrdp/xrdp_types.h
@@ -316,6 +316,7 @@ struct xrdp_wm
   int hints;
   int allowedchannels[MAX_NR_CHANNELS];
   int allowedinitialized ;
+  char pamerrortxt[256];
 };
 
 /* rdp process */
diff --git a/xrdp/xrdp_wm.c b/xrdp/xrdp_wm.c
index 27a794a0..e779d641 100644
--- a/xrdp/xrdp_wm.c
+++ b/xrdp/xrdp_wm.c
@@ -452,6 +452,11 @@ xrdp_wm_load_static_colors_plus(struct xrdp_wm *self, char *autorun_name)
                             self->hide_log_window = 1;
                         }
                     }
+                    else if (g_strcasecmp(val, "pamerrortxt") == 0)
+                    {
+                        val = (char *)list_get_item(values, index);
+                        g_strncpy(self->pamerrortxt,val,256);
+                    }
                 }
             }
         }