Add a 'quiet_fail' option to pam_sso to suppress auth failure logs

Validation error details are also moved behind the 'debug' option,
in order to reduce noise.

src/pam_sso/pam_sso.c

@@ -27,6 +27,7 @@
 #include <stdio.h>
 #include <syslog.h>
 #include <unistd.h>
+#include <errno.h>
 #include <fcntl.h>
 #include "pam_sso.h"
 
@@ -53,13 +54,15 @@ static void free_config(struct pam_sso_config *cfg) {
   }
 }
 
-static void parse_config(struct pam_sso_config *cfg, int argc, const char **argv) {
+static int parse_config(pam_handle_t *pamh, struct pam_sso_config *cfg, int argc, const char **argv) {
   for (const char **argp = argv; argc--; argp++) {
     const char *arg = *argp;
     if (!strcmp(arg, "debug")) {
       cfg->debug = 1;
     } else if (!strcmp(arg, "use_first_pass")) {
       cfg->use_first_pass = 1;
+    } else if (!strcmp(arg, "quiet_fail")) {
+      cfg->quiet_fail = 1;
     } else if (!strncmp(arg, "login_server=", 12)) {
       cfg->login_server = arg + 12;
     } else if (!strncmp(arg, "domain=", 7)) {
@@ -72,16 +75,27 @@ static void parse_config(struct pam_sso_config *cfg, int argc, const char **argv
       } else {
         cfg->required_groups = (const char **)realloc(cfg->required_groups, sizeof(char*)*(cfg->n_required_groups + 2));
       }
+      if (cfg->required_groups == NULL) {
+        pam_syslog(pamh, LOG_ERR, "out of memory");
+        return -1;
+      }
       cfg->required_groups[cfg->n_required_groups] = arg + 6;
       cfg->required_groups[cfg->n_required_groups + 1] = NULL;
       cfg->n_required_groups++;
     } else if (!strncmp(arg, "key=", 4)) {
       unsigned char *pk = (unsigned char *)malloc(SSO_PUBLIC_KEY_SIZE);
-      if (read_from_file(arg + 4, pk, SSO_PUBLIC_KEY_SIZE) == 0) {
-        cfg->public_key = pk;
+      if (pk == NULL) {
+        pam_syslog(pamh, LOG_ERR, "out of memory");
+        return -1;
+      }        
+      if (read_from_file(arg + 4, pk, SSO_PUBLIC_KEY_SIZE) < 0) {
+        pam_syslog(pamh, LOG_ERR, "error loading public key file: %s", strerror(errno));
+        return -1;
       }
+      cfg->public_key = pk;
     }
   }
+  return 0;
 }
 
 static int authenticate(pam_handle_t *pamh,
@@ -99,7 +113,9 @@ static int authenticate(pam_handle_t *pamh,
 
   r = sso_ticket_open(&t, ticket_string, cfg->public_key);
   if (r != SSO_OK) {
+    if (cfg->debug) {
       pam_syslog(pamh, LOG_INFO, "error decoding ticket: %s", sso_strerror(r));
+    }
     return 0;
   }
 
@@ -110,11 +126,15 @@ static int authenticate(pam_handle_t *pamh,
     if (!strcmp(t->user, username)) {
       retval = 1;
     } else {
+      if (cfg->debug) {
         pam_syslog(pamh, LOG_INFO, "user in ticket does not match request (%s vs %s)", t->user, username);
       }
+    }
   } else {
+    if (cfg->debug) {
       pam_syslog(pamh, LOG_INFO, "error validating ticket: %s", sso_strerror(r));
     }
+  }
 
   sso_ticket_free(t);
   return retval;
@@ -126,7 +146,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **ar
   const char *user = NULL, *password = NULL;
 
   // Parse configuration.
-  parse_config(&cfg, argc, argv);
+  if (parse_config(pamh, &cfg, argc, argv) < 0) {
+    return PAM_SERVICE_ERR;
+  }
 
   // Retrieve user from PAM.
   if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) {
@@ -162,7 +184,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **ar
 
   // Authenticate.
   if (!authenticate(pamh, &cfg, user, password)) {
+    if (!cfg.quiet_fail) {
       pam_syslog(pamh, LOG_ERR, "authentication failed");
+    }
     goto error;
   }
 

src/pam_sso/pam_sso.h

@@ -67,6 +67,7 @@ struct pam_sso_config {
   int n_required_groups;
   int debug;
   int use_first_pass;
+  int quiet_fail;
 };
 
 /**