From d34d2bb7526e0b26e8ec974648e2e69824677326 Mon Sep 17 00:00:00 2001
From: Clement Bouvet
Date: Fri, 26 Jun 2026 10:31:25 +0200
Subject: [PATCH] fix(pam_auth): add logs
---
 src/auth/pam_authenticator.cpp | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/src/auth/pam_authenticator.cpp b/src/auth/pam_authenticator.cpp
index 237ba9d703..a816bf7ed8 100644
--- a/src/auth/pam_authenticator.cpp
+++ b/src/auth/pam_authenticator.cpp
@@ -1,5 +1,6 @@
 #include "auth/pam_authenticator.h"
+#include "core/log.h"
 #include "i18n/i18n.h"
 #include
@@ -17,6 +18,8 @@
 namespace {
+ constexpr Logger kLog("pam");
+
 constexpr std::size_t kMaxPamMessageBytes = 4096;
 void secureClear(std::string& value) {
@@ -188,18 +191,25 @@ namespace {
 .appdata_ptr = &convData,
 };
+ kLog.debug("authenticating user='{}' service='{}'", user, service);
+
 PamHandle pamh;
 const int startRc = pam_start(service.data(), user.c_str(), &conv, &pamh.h);
 if (startRc != PAM_SUCCESS || pamh.h == nullptr) {
+ kLog.error(
+ "pam_start failed rc={} ({})", startRc, pamh.h != nullptr ? pam_strerror(pamh.h, startRc) : "no handle"
+ );
 secureClear(passwordCopy);
 return PamAuthenticator::Result{.success = false, .message = i18n::tr("auth.pam.start-failed")};
 }
 int rc = pam_authenticate(pamh.h, 0);
+ kLog.debug("pam_authenticate rc={} ({})", rc, pam_strerror(pamh.h, rc));
 if (rc == PAM_SUCCESS) {
 // An unprivileged locker can't read /etc/shadow for the account stack, so
 // ignore PAM_AUTHINFO_UNAVAIL; pam_authenticate already proved identity.
 const int acctRc = pam_acct_mgmt(pamh.h, 0);
+ kLog.debug("pam_acct_mgmt rc={} ({})", acctRc, pam_strerror(pamh.h, acctRc));
 if (acctRc != PAM_SUCCESS && acctRc != PAM_AUTHINFO_UNAVAIL) {
 rc = acctRc;
 }
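Review bot: On the `pam_start` failure path the new `kLog.error(...)` call sits before `secureClear(passwordCopy);`, so the cleartext copy stays populated during message formatting and log I/O, and the wipe is skipped entirely if the logger throws (whether `Logger` can throw is not visible in this patch). Put the wipe first: `secureClear(passwordCopy);` and only then `kLog.error(...)`. The `pam_authenticate` and `pam_acct_mgmt` debug lines have the same exposure, since the only other wipe shown is in the next hunk. A scope guard that clears `passwordCopy` on every exit from the function would cover all of these paths. The enclosing function starts and ends outside this hunk.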
@@ -211,9 +221,11 @@ namespace {
 secureClear(passwordCopy);
 if (rc == PAM_SUCCESS) {
+ kLog.debug("authentication succeeded for user='{}'", user);
 return PamAuthenticator::Result{.success = true, .message = {}};
 }
+ kLog.warn("authentication failed for user='{}' rc={} ({})", user, rc, errStr);
 return PamAuthenticator::Result{.success = false, .message = errStr};
 }
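Review bot: The success path logs at `debug` while the failure path logs at `warn`, so if debug output is off in normal operation the log shows failed attempts for a user but not the unlock that followed, which is the pair an investigator needs to correlate. Consider emitting `authentication succeeded for user='{}'` at a level that is written by default; only `debug`, `warn` and `error` are visible on `Logger` in this patch, so the exact call depends on what `core/log.h` offers. Separately, `errStr` is built outside this hunk. If it can carry PAM conversation text, strip control characters before it reaches `kLog.warn` so a module message cannot split or forge a log line. The enclosing function starts outside the hunk.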