From: Timo Sirainen
Date: Wed, 16 Nov 2011 16:15:46 +0000 (+0200)
Subject: login: Improved auth failed log messages.
X-Git-Tag: 2.1.rc1~77
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=28dae6a0064e79f86da091625b0f2b92336a2a91;p=thirdparty%2Fdovecot%2Fcore.git
login: Improved auth failed log messages.
---
diff --git a/src/login-common/client-common.c b/src/login-common/client-common.c
index 0381fa80a5..f3df4e8cdc 100644
--- a/src/login-common/client-common.c
+++ b/src/login-common/client-common.c
@@ -504,6 +504,9 @@ bool client_is_trusted(struct client *client)
 const char *client_get_extra_disconnect_reason(struct client *client)
 {
+ unsigned int auth_secs = client->auth_first_started == 0 ? 0 :
+ ioloop_time - client->auth_first_started;
+
 if (client->set->auth_ssl_require_client_cert && client->ssl_proxy != NULL) {
 if (ssl_proxy_has_broken_client_cert(client->ssl_proxy))
@@ -512,8 +515,10 @@ const char *client_get_extra_disconnect_reason(struct client *client)
 return "(client didn't send a cert)";
 }
- if (client->auth_attempts == 0)
- return "(no auth attempts)";
+ if (client->auth_attempts == 0) {
+ return t_strdup_printf("(no auth attempts in %u secs)",
+ (unsigned int)(ioloop_time - client->created));
+ }
 /* some auth attempts without SSL/TLS */
 if (client->auth_tried_disabled_plaintext)
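Review bot: `auth_secs` in the first client-common.c hunk stores a `time_t` difference in an `unsigned int` without checking its sign, so if `ioloop_time` is ever behind `client->auth_first_started` (a backwards clock step; whether the ioloop compensates is not visible here) the log line reports a wrapped value of around four billion seconds. The `(unsigned int)(ioloop_time - client->created)` cast in the "no auth attempts" hunk has the same problem. These durations are what an operator reads when triaging slow or repeated login failures, so I would clamp them: `time_t d = ioloop_time - client->auth_first_started;` followed by `auth_secs = (client->auth_first_started == 0 || d < 0) ? 0 : (unsigned int)d;`. The function body continues past this hunk.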
@@ -523,8 +528,14 @@ const char *client_get_extra_disconnect_reason(struct client *client)
 return "(cert required, client didn't start TLS)";
 if (client->auth_tried_unsupported_mech)
 return "(tried to use unsupported auth mechanism)";
- if (client->auth_request != NULL && client->auth_attempts == 1)
- return "(disconnected while authenticating)";
+ if (client->auth_request != NULL && client->auth_attempts == 1) {
+ return t_strdup_printf("(disconnected while authenticating, "
+ "waited %u secs)", auth_secs);
+ }
+ if (client->authenticating && client->auth_attempts == 1) {
+ return t_strdup_printf("(disconnected while finishing login, "
+ "waited %u secs)", auth_secs);
+ }
 if (client->auth_try_aborted && client->auth_attempts == 1)
 return "(aborted authentication)";
@@ -532,8 +543,8 @@ const char *client_get_extra_disconnect_reason(struct client *client)
 return t_strdup_printf("(internal failure, %u succesful auths)", client->auth_successes);
 }
- return t_strdup_printf("(auth failed, %u attempts)",
- client->auth_attempts);
+ return t_strdup_printf("(auth failed, %u attempts in %u secs)",
+ client->auth_attempts, auth_secs);
 }
 void client_send_line(struct client *client, enum client_cmd_reply reply,
diff --git a/src/login-common/client-common.h b/src/login-common/client-common.h
index 4b7727a1f2..3d8b2cb0c5 100644
--- a/src/login-common/client-common.h
+++ b/src/login-common/client-common.h
@@ -100,6 +100,7 @@ struct client {
 char *auth_mech_name;
 struct auth_client_request *auth_request;
 string_t *auth_response;
+ time_t auth_first_started;
 unsigned int master_auth_id;
 unsigned int master_tag;
diff --git a/src/login-common/sasl-server.c b/src/login-common/sasl-server.c
index a8d6584be3..ab113a57f6 100644
--- a/src/login-common/sasl-server.c
+++ b/src/login-common/sasl-server.c
@@ -4,6 +4,7 @@
 #include "base64.h"
 #include "buffer.h"
 #include "hex-binary.h"
+#include "ioloop.h"
 #include "istream.h"
 #include "write-full.h"
 #include "strescape.h"
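Review bot: The added `client->authenticating && client->auth_attempts == 1` test reports "finishing login" only because the `auth_request != NULL` test just above it returns first; read on its own, the condition does not say that the auth request is already gone. A one-line comment above it, e.g. `/* auth_request is NULL here, so the auth exchange itself is no longer pending */`, would keep a later edit from reordering the two checks and changing which reason is logged. The enclosing function starts and ends outside this hunk.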
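Review bot: The reworded "(auth failed, %u attempts in %u secs)" string, like "(no auth attempts in %u secs)" earlier in this file, changes text that log-based detection commonly matches on, and nothing in the commit documents that. A pattern anchored on the old closing `attempts)` or on the literal `(no auth attempts)` would stop matching after an upgrade, quietly disabling any brute-force banning or alerting built on these lines. I would add a release-note entry listing the old and new strings, plus a comment above the return such as `/* NOTE: log-parsing tools match this text; keep the "(auth failed, N attempts" prefix stable */`.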
@@ -277,6 +278,8 @@ void sasl_server_auth_begin(struct client *client,
 client->auth_attempts++;
 client->authenticating = TRUE;
+ if (client->auth_first_started == 0)
+ client->auth_first_started = ioloop_time;
 i_free(client->auth_mech_name);
 client->auth_mech_name = str_ucase(i_strdup(mech_name));
 client->sasl_callback = callback;
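Review bot: `auth_first_started` is assigned once and, in the hunks shown, never cleared, with `0` doubling as "no attempt yet"; neither this assignment nor the new field in client-common.h says so. That matters when reading the logs: the "in %u secs" figure counts from the first attempt on the connection, not from the most recent one. I would document the field with `/* ioloop_time when the first auth attempt on this connection began; 0 = none yet */` and put a matching one-line comment above this `if`. The body of sasl_server_auth_begin extends beyond the hunk.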