X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/7c9a94f70a895d5293ebdb5953518e417d173191..d43d242b4e55533c08f9526d88b0e3a9d8fd120e:/lib/pam/pam_arvados.go
diff --git a/lib/pam/pam_arvados.go b/lib/pam/pam_arvados.go
index 48e0f50485..ee967af6cc 100644
--- a/lib/pam/pam_arvados.go
+++ b/lib/pam/pam_arvados.go
@@ -24,6 +24,7 @@ package main
 import (
 "io/ioutil"
 "log/syslog"
+ "os"
 "context"
 "errors"
@@ -55,6 +56,11 @@ func init() {
 }
 }
+//export pam_sm_setcred
+func pam_sm_setcred(pamh *C.pam_handle_t, flags, cArgc C.int, cArgv **C.char) C.int {
+ return C.PAM_IGNORE
+}
+
 //export pam_sm_authenticate
 func pam_sm_authenticate(pamh *C.pam_handle_t, flags, cArgc C.int, cArgv **C.char) C.int {
 runtime.GOMAXPROCS(1)
@@ -96,11 +102,19 @@ func authenticate(logger *logrus.Logger, username, token string, argv []string)
 } else if arg == "debug" {
 logger.SetLevel(logrus.DebugLevel)
 } else {
- logger.Warnf("unkown option: %s\n", arg)
+ logger.Warnf("unknown option: %s\n", arg)
 }
 }
+ if hostname == "" || hostname == "-" {
+ h, err := os.Hostname()
+ if err != nil {
+ logger.WithError(err).Warnf("cannot get hostname -- try using an explicit hostname in pam config")
+ return fmt.Errorf("cannot get hostname: %w", err)
+ }
+ hostname = h
+ }
 logger.Debugf("username=%q arvados_api_host=%q hostname=%q insecure=%t", username, apiHost, hostname, insecure)
- if apiHost == "" || hostname == "" {
+ if apiHost == "" {
 logger.Warnf("cannot authenticate: config error: arvados_api_host and hostname must be non-empty")
 return errors.New("config error")
 }
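Review bot: The new exported `pam_sm_setcred` carries no comment explaining why the module defines it or why it returns `C.PAM_IGNORE` without looking at `flags` or the arguments. Someone auditing the PAM stack needs to know this is a deliberate no-op and not an unfinished stub. A doc line placed above the `//export` directive would cover it, e.g. `// pam_sm_setcred is a no-op: this module sets no credentials, so it returns PAM_IGNORE and leaves the setcred result to the rest of the stack.` (the "sets no credentials" part is inferred from the body and should be confirmed).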
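Review bot: The warning kept under `if apiHost == ""` still says "arvados_api_host and hostname must be non-empty", which no longer matches the check now that an empty or "-" hostname falls back to `os.Hostname()`. It should read `logger.Warnf("cannot authenticate: config error: arvados_api_host must be non-empty")`. The fallback value is later compared for equality with the VM record's hostname (visible in the next hunk), so a host whose system hostname differs from the registered name is denied. That fails closed, but a short comment on the fallback stating that the detected name must equal the VM record's hostname would save operators a debugging session. The body of `authenticate` starts and ends outside this hunk.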
@@ -123,7 +137,11 @@ func authenticate(logger *logrus.Logger, username, token string, argv []string)
 return err
 }
 if len(vms.Items) == 0 {
- return fmt.Errorf("no results for hostname %q", hostname)
+ // It's possible there is no VM entry for the
+ // configured hostname, but typically this just means
+ // the user does not have permission to see (let alone
+ // log in to) this VM.
+ return errors.New("permission denied")
 } else if len(vms.Items) > 1 {
 return fmt.Errorf("multiple results for hostname %q", hostname)
 } else if vms.Items[0].Hostname != hostname {
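Review bot: The `len(vms.Items) == 0` branch now returns a bare "permission denied" and no longer records which hostname was looked up; in the visible code the hostname is otherwise logged only by the `Debugf` line in the previous hunk. Because the hostname can now come from `os.Hostname()` instead of the PAM config, a mismatch between the detected name and the VM record looks identical to a real denial unless debug logging is on. Keeping the generic error for the caller is reasonable, but the lookup should be logged before returning, e.g. `logger.Warnf("no VM record visible for hostname %q", hostname)`. The if/else chain continues past the end of this hunk.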