archiecobbs / mod-authn-otp

Apache module for one-time password authentication
Apache License 2.0

Many authentication failure notices in logfile if OTPAuthFallThrough is on #25

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
If OTPAuthFallThrough is on, an authentication failure in mod-authn-otp is 
nothing special. The credentials are passed on to the next authentication 
provider which logs the final failure or eventually succeeds.

Apache version 2.2 has a special "feature" that poses a little problem here.
As the Apache documentation states: "When logging to a regular file messages of 
the level notice cannot be suppressed and thus are always logged. However, this 
doesn't apply when logging is done using syslog." The authentication error 
messages of mod-authn-otp have a loglevel of notice and therefore are always 
logged. This way even a successful login that was achieved via authentication 
fall-through generates a log message and pollutes the log.

The attached patch changes the loglevel of authentication failure messages that 
qualify for authentication fall-through to info if OTPAuthFallThrough is on. 
This way they can be masked by setting an appropriate loglevel within the 
Apache config file. If the authentication fails, the fall-through authentication 
module will log the failure.

If OTPAuthFallThrough is off, the loglevel stays at notice, because in this 
situation the authentication failures must be logged by mod-authn-otp.

Original issue reported on code.google.com by phone.o.mat on 1 Dec 2013 at 5:34

GoogleCodeExporter commented 9 years ago
Thanks, fixed in r145.

Original comment by archie.c...@gmail.com on 1 Dec 2013 at 6:52
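
A configuration sketch of the setup discussed in this issue, added here as an example and not taken from the issue or the project. The paths, the realm name and the use of the `file` provider as the fall-through target are assumptions.

```apache
# Constructed example: paths, realm name and the choice of "file" as the
# fall-through provider are assumptions, not taken from the issue.

# Apache 2.2 always writes notice-level messages to a regular ErrorLog file,
# whatever LogLevel says. Messages at info are written only when LogLevel is
# info or debug, so once the OTP failures that precede a fall-through are
# logged at info, a LogLevel of warn keeps them out of the file.
ErrorLog /var/log/httpd/error_log
LogLevel warn

<Directory "/var/www/protected">
    AuthType Basic
    AuthName "Protected Area"

    # Providers are tried in order: OTP first, then the password file.
    AuthBasicProvider OTP file
    Require valid-user

    OTPAuthUsersFile /etc/httpd/otp/users
    AuthUserFile /etc/httpd/passwd/users

    # On:  a failed OTP check is passed to the next provider, which is then
    #      the one that logs the final failure.
    # Off: the OTP failure is final and mod-authn-otp logs it at notice.
    OTPAuthFallThrough On
</Directory>
```

Raising `LogLevel` to `info` brings the per-attempt OTP failures back into the log, which is useful when reviewing repeated failed logins.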