diff -up Linux-PAM-1.1.1/configure.in.faillock Linux-PAM-1.1.1/configure.in

--- Linux-PAM-1.1.1/configure.in.faillock	2010-09-17 15:58:41.000000000 +0200

+++ Linux-PAM-1.1.1/configure.in	2010-09-17 15:58:41.000000000 +0200

@@ -539,7 +539,7 @@ AC_CONFIG_FILES([Makefile libpam/Makefil

 	modules/pam_access/Makefile modules/pam_cracklib/Makefile \

         modules/pam_debug/Makefile modules/pam_deny/Makefile \

 	modules/pam_echo/Makefile modules/pam_env/Makefile \

-	modules/pam_faildelay/Makefile \

+	modules/pam_faildelay/Makefile modules/pam_faillock/Makefile \

 	modules/pam_filter/Makefile modules/pam_filter/upperLOWER/Makefile \

 	modules/pam_ftp/Makefile modules/pam_group/Makefile \

 	modules/pam_issue/Makefile modules/pam_keyinit/Makefile \

diff -up Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock Linux-PAM-1.1.1/doc/sag/pam_faillock.xml

--- Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock	2010-09-17 16:05:56.000000000 +0200

+++ Linux-PAM-1.1.1/doc/sag/pam_faillock.xml	2010-09-17 16:08:26.000000000 +0200

@@ -0,0 +1,38 @@

+

+

+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">

+<section id='sag-pam_faillock'>

+  <title>pam_faillock - temporarily locking access based on failed authentication attempts during an interval</title>

+  <cmdsynopsis>

+    

+     href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_faillock-cmdsynopsisauth"]/*)'/>

+  </cmdsynopsis>

+  <cmdsynopsis>

+    

+     href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_faillock-cmdsynopsisacct"]/*)'/>

+  </cmdsynopsis>

+  <section id='sag-pam_faillock-description'>

+    

+     href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-description"]/*)'/>

+  </section>

+  <section id='sag-pam_faillock-options'>

+    

+     href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-options"]/*)'/>

+  </section>

+  <section id='sag-pam_faillock-types'>

+    

+     href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-types"]/*)'/>

+  </section>

+  <section id='sag-pam_faillock-return_values'>

+    

+     href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-return_values"]/*)'/>

+  </section>

+  <section id='sag-pam_faillock-examples'>

+    

+     href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-examples"]/*)'/>

+  </section>

+  <section id='sag-pam_faillock-author'>

+    

+     href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-author"]/*)'/>

+  </section>

+</section>

diff -up Linux-PAM-1.1.1/modules/Makefile.am.faillock Linux-PAM-1.1.1/modules/Makefile.am

--- Linux-PAM-1.1.1/modules/Makefile.am.faillock	2010-09-17 15:58:41.000000000 +0200

+++ Linux-PAM-1.1.1/modules/Makefile.am	2010-09-17 15:58:41.000000000 +0200

@@ -3,7 +3,7 @@

 #

 SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \

-	pam_chroot pam_console pam_postgresok \

+	pam_chroot pam_console pam_postgresok pam_faillock \

 	pam_env pam_exec pam_faildelay pam_filter pam_ftp \

 	pam_group pam_issue pam_keyinit pam_lastlog pam_limits \

 	pam_listfile pam_localuser pam_loginuid pam_mail \

diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.c

--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock	2010-09-17 15:58:41.000000000 +0200

+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.c	2010-09-17 15:58:41.000000000 +0200

@@ -0,0 +1,147 @@

+/*

+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>

+ *

+ * Redistribution and use in source and binary forms, with or without

+ * modification, are permitted provided that the following conditions

+ * are met:

+ * 1. Redistributions of source code must retain the above copyright

+ *    notice, and the entire permission notice in its entirety,

+ *    including the disclaimer of warranties.

+ * 2. Redistributions in binary form must reproduce the above copyright

+ *    notice, this list of conditions and the following disclaimer in the

+ *    documentation and/or other materials provided with the distribution.

+ * 3. The name of the author may not be used to endorse or promote

+ *    products derived from this software without specific prior

+ *    written permission.

+ *

+ * ALTERNATIVELY, this product may be distributed under the terms of

+ * the GNU Public License, in which case the provisions of the GPL are

+ * required INSTEAD OF the above restrictions.  (This clause is

+ * necessary due to a potential bad interaction between the GPL and

+ * the restrictions contained in a BSD-style copyright.)

+ *

+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED

+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES

+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE

+ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,

+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES

+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR

+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

+ * OF THE POSSIBILITY OF SUCH DAMAGE.

+ */

+

+#include "config.h"

+#include <string.h>

+#include <stdlib.h>

+#include <unistd.h>

+#include <errno.h>

+#include <sys/types.h>

+#include <sys/stat.h>

+#include <sys/file.h>

+#include <fcntl.h>

+#include <security/pam_modutil.h>

+

+#include "faillock.h"

+

+int

+open_tally (const char *dir, const char *user, int create)

+{

+	char *path;

+	int flags = O_RDWR;

+	int fd;

+

+	if (strstr(user, "../") != NULL)

+	/* just a defensive programming as the user must be a

+	 * valid user on the system anyway

+	 */

+		return -1;

+	path = malloc(strlen(dir) + strlen(user) + 2);

+	if (path == NULL)

+		return -1;

+

+	strcpy(path, dir);

+	if (*dir && dir[strlen(dir) - 1] != '/') {

+		strcat(path, "/");

+	}

+	strcat(path, user);

+

+	if (create) {

+		flags |= O_CREAT;

+	}

+

+	fd = open(path, flags, 0600);

+

+	if (fd != -1)

+		while (flock(fd, LOCK_EX) == -1 && errno == EINTR);

+

+	return fd;

+}

+

+#define CHUNK_SIZE (64 * sizeof(struct tally))

+#define MAX_RECORDS 1024

+

+int

+read_tally(int fd, struct tally_data *tallies)

+{

+	void *data = NULL, *newdata;

+	unsigned int count = 0;

+	ssize_t chunk = 0;

+

+	do {

+		newdata = realloc(data, count * sizeof(struct tally) + CHUNK_SIZE);

+		if (newdata == NULL) {

+			free(data);

+			return -1;

+		}

+

+		data = newdata;

+

+		chunk = pam_modutil_read(fd, (char *)data + count * sizeof(struct tally), CHUNK_SIZE);

+		if (chunk < 0) {

+			free(data);

+			return -1;

+		}

+

+		count += chunk/sizeof(struct tally);

+

+		if (count >= MAX_RECORDS)

+			break;

+	}

+	while (chunk == CHUNK_SIZE); 

+

+	tallies->records = data;

+	tallies->count = count;

+

+	return 0;

+}

+

+int

+update_tally(int fd, struct tally_data *tallies)

+{

+	void *data = tallies->records;

+	unsigned int count = tallies->count;

+	ssize_t chunk;

+

+	if (tallies->count > MAX_RECORDS) {

+		data = tallies->records + (count - MAX_RECORDS);

+		count = MAX_RECORDS;

+	}

+

+	if (lseek(fd, 0, SEEK_SET) == (off_t)-1) {

+		return -1;

+	}

+

+	chunk = pam_modutil_write(fd, data, count * sizeof(struct tally));

+

+	if (chunk != (ssize_t)(count * sizeof(struct tally))) {

+		return -1;

+	}

+

+	if (ftruncate(fd, count * sizeof(struct tally)) == -1)

+		return -1;

+

+	return 0;

+}

diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.h

--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock	2010-09-17 15:58:41.000000000 +0200

+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.h	2010-09-17 15:58:41.000000000 +0200

@@ -0,0 +1,72 @@

+/*

+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>

+ *

+ * Redistribution and use in source and binary forms, with or without

+ * modification, are permitted provided that the following conditions

+ * are met:

+ * 1. Redistributions of source code must retain the above copyright

+ *    notice, and the entire permission notice in its entirety,

+ *    including the disclaimer of warranties.

+ * 2. Redistributions in binary form must reproduce the above copyright

+ *    notice, this list of conditions and the following disclaimer in the

+ *    documentation and/or other materials provided with the distribution.

+ * 3. The name of the author may not be used to endorse or promote

+ *    products derived from this software without specific prior

+ *    written permission.

+ *

+ * ALTERNATIVELY, this product may be distributed under the terms of

+ * the GNU Public License, in which case the provisions of the GPL are

+ * required INSTEAD OF the above restrictions.  (This clause is

+ * necessary due to a potential bad interaction between the GPL and

+ * the restrictions contained in a BSD-style copyright.)

+ *

+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED

+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES

+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE

+ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,

+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES

+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR

+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

+ * OF THE POSSIBILITY OF SUCH DAMAGE.

+ */

+

+/*

+ * faillock.h - authentication failure data file record structure

+ *

+ * Each record in the file represents an instance of login failure of

+ * the user at the recorded time

+ */

+

+

+#ifndef _FAILLOCK_H

+#define _FAILLOCK_H

+

+#include <stdint.h>

+

+#define TALLY_STATUS_VALID     0x1       /* the tally file entry is valid */

+#define TALLY_STATUS_RHOST     0x2       /* the source is rhost */

+#define TALLY_STATUS_TTY       0x4       /* the source is tty - if both TALLY_FLAG_RHOST and TALLY_FLAG_TTY are not set the source is service */

+

+struct	tally {

+	char		source[52];	/* rhost or tty of the login failure (not necessarily NULL terminated) */

+	uint16_t	reserved;	/* reserved for future use */

+	uint16_t	status;		/* record status  */

+	uint64_t	time;		/* time of the login failure */

+};

+/* 64 bytes per entry */

+

+struct tally_data {

+	struct tally *records;		/* array of tallies */

+	unsigned int count;		/* number of records */

+};

+

+#define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock"

+

+int open_tally(const char *dir, const char *user, int create);

+int read_tally(int fd, struct tally_data *tallies);

+int update_tally(int fd, struct tally_data *tallies);

+#endif

+

diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml

--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock	2010-09-17 15:58:41.000000000 +0200

+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml	2010-09-17 15:58:41.000000000 +0200

@@ -0,0 +1,123 @@

+

+

+	"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">

+

+<refentry id="faillock">

+

+  <refmeta>

+    <refentrytitle>faillock</refentrytitle>

+    <manvolnum>8</manvolnum>

+    <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>

+  </refmeta>

+

+  <refnamediv id="pam_faillock-name">

+    <refname>faillock</refname>

+    <refpurpose>Tool for displaying and modifying the authentication failure record files</refpurpose>

+  </refnamediv>

+

+  <refsynopsisdiv>

+    <cmdsynopsis id="faillock-cmdsynopsis">

+      <command>faillock</command>

+      <arg choice="opt">

+        --dir <replaceable>/path/to/tally-directory</replaceable>

+      </arg>

+      <arg choice="opt">

+        --user <replaceable>username</replaceable>

+      </arg>

+      <arg choice="opt">

+        --reset

+      </arg>

+    </cmdsynopsis>

+  </refsynopsisdiv>

+

+  <refsect1 id="faillock-description">

+

+    <title>DESCRIPTION</title>

+

+    <para>

+      The <emphasis>pam_faillock.so</emphasis> module maintains a list of

+      failed authentication attempts per user during a specified interval

+      and locks the account in case there were more than

+      <replaceable>deny</replaceable> consecutive failed authentications.

+      It stores the failure records into per-user files in the tally

+      directory.

+    </para>

+    <para>

+      The <command>faillock</command> command is an application which

+      can be used to examine and modify the contents of the

+      the tally files. It can display the recent failed authentication

+      attempts of the <replaceable>username</replaceable> or clear the tally

+      files of all or individual <replaceable>usernames</replaceable>.

+    </para>

+  </refsect1>

+

+  <refsect1 id="faillock-options">

+

+    <title>OPTIONS</title>

+         <variablelist>

+            <varlistentry>

+              <term>

+                <option>--dir <replaceable>/path/to/tally-directory</replaceable></option>

+              </term>

+              <listitem>

+                <para>

+                  The directory where the user files with the failure records are kept. The

+                  default is <filename>/var/run/faillock</filename>.

+                </para>

+              </listitem>

+            </varlistentry>

+            <varlistentry>

+              <term>

+                <option>--user <replaceable>username</replaceable></option>

+              </term>

+              <listitem>

+                <para>

+                  The user whose failure records should be displayed or cleared.

+                </para>

+              </listitem>

+            </varlistentry>

+            <varlistentry>

+              <term>

+                <option>--reset</option>

+              </term>

+              <listitem>

+                <para>

+                  Instead of displaying the user's failure records, clear them.

+                </para>

+              </listitem>

+            </varlistentry>

+        </variablelist>

+  </refsect1>

+

+  <refsect1 id="faillock-files">

+    <title>FILES</title>

+    <variablelist>

+      <varlistentry>

+        <term><filename>/var/run/faillock/*</filename></term>

+        <listitem>

+          <para>the files logging the authentication failures for users</para>

+        </listitem>

+      </varlistentry>

+    </variablelist>

+  </refsect1>

+

+  <refsect1 id='faillock-see_also'>

+    <title>SEE ALSO</title>

+    <para>

+      <citerefentry>

+        <refentrytitle>pam_faillock</refentrytitle><manvolnum>8</manvolnum>

+      </citerefentry>,

+      <citerefentry>

+        <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>

+      </citerefentry>

+    </para>

+  </refsect1>

+

+  <refsect1 id='faillock-author'>

+    <title>AUTHOR</title>

+      <para>

+        faillock was written by Tomas Mraz.

+      </para>

+  </refsect1>

+

+</refentry>

diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/main.c

--- Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock	2010-09-17 15:58:41.000000000 +0200

+++ Linux-PAM-1.1.1/modules/pam_faillock/main.c	2010-09-17 15:58:41.000000000 +0200

@@ -0,0 +1,231 @@

+/*

+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>

+ *

+ * Redistribution and use in source and binary forms, with or without

+ * modification, are permitted provided that the following conditions

+ * are met:

+ * 1. Redistributions of source code must retain the above copyright

+ *    notice, and the entire permission notice in its entirety,

+ *    including the disclaimer of warranties.

+ * 2. Redistributions in binary form must reproduce the above copyright

+ *    notice, this list of conditions and the following disclaimer in the

+ *    documentation and/or other materials provided with the distribution.

+ * 3. The name of the author may not be used to endorse or promote

+ *    products derived from this software without specific prior

+ *    written permission.

+ *

+ * ALTERNATIVELY, this product may be distributed under the terms of

+ * the GNU Public License, in which case the provisions of the GPL are

+ * required INSTEAD OF the above restrictions.  (This clause is

+ * necessary due to a potential bad interaction between the GPL and

+ * the restrictions contained in a BSD-style copyright.)

+ *

+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED

+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES

+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE

+ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,

+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES

+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR

+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

+ * OF THE POSSIBILITY OF SUCH DAMAGE.

+ */

+

+#include "config.h"

+

+#include <stdio.h>

+#include <stdlib.h>

+#include <string.h>

+#include <dirent.h>

+#include <errno.h>

+#include <pwd.h>

+#include <time.h>

+#ifdef HAVE_LIBAUDIT

+#include <libaudit.h>

+#endif

+

+#include "faillock.h"

+

+struct options {

+	unsigned int reset;

+	const char *dir;

+	const char *user;

+	const char *progname;

+};

+

+static int

+args_parse(int argc, char **argv, struct options *opts)

+{

+	int i;

+	memset(opts, 0, sizeof(*opts));

+

+	opts->dir = FAILLOCK_DEFAULT_TALLYDIR;

+	opts->progname = argv[0];

+

+	for (i = 1; i < argc; ++i) {

+

+		if (strcmp(argv[i], "--dir") == 0) {

+			++i;

+			if (i >= argc || strlen(argv[i]) == 0) {

+				fprintf(stderr, "%s: No directory supplied.\n", argv[0]);				

+				return -1;

+			}

+		        opts->dir = argv[i];

+		} 

+		else if (strcmp(argv[i], "--user") == 0) {

+			++i;

+			if (i >= argc || strlen(argv[i]) == 0) {

+				fprintf(stderr, "%s: No user name supplied.\n", argv[0]);				

+				return -1;

+			}

+		        opts->user = argv[i];

+		}

+ 		else if (strcmp(argv[i], "--reset") == 0) {

+			opts->reset = 1;

+		}

+		else {

+			fprintf(stderr, "%s: Unknown option: %s\n", argv[0], argv[i]);

+			return -1;

+		}

+	}

+	return 0;

+}

+

+static void

+usage(const char *progname)

+{

+	fprintf(stderr, _("Usage: %s [--dir /path/to/tally-directory] [--user username] [--reset]\n"),

+		progname);

+}

+

+static int

+do_user(struct options *opts, const char *user)

+{

+	int fd;

+	int rv;

+	struct tally_data tallies;

+

+	fd = open_tally(opts->dir, user, 0);

+

+	if (fd == -1) {

+		if (errno == ENOENT) {

+			return 0;

+		}

+		else {

+			fprintf(stderr, "%s: Error opening the tally file for %s:",

+				opts->progname, user);

+			perror(NULL);

+			return 3;

+		}

+	}

+	if (opts->reset) {

+#ifdef HAVE_LIBAUDIT

+		char buf[64];

+		int audit_fd;

+#endif

+		

+		while ((rv=ftruncate(fd, 0)) == -1 && errno == EINTR);

+		if (rv == -1) {

+			fprintf(stderr, "%s: Error clearing the tally file for %s:",

+				opts->progname, user);

+			perror(NULL);

+#ifdef HAVE_LIBAUDIT

+		}

+		if ((audit_fd=audit_open()) >= 0) {

+			struct passwd *pwd;

+

+			if ((pwd=getpwnam(user)) != NULL) {

+				snprintf(buf, sizeof(buf), "faillock reset uid=%u",

+					pwd->pw_uid);

+				audit_log_user_message(audit_fd, AUDIT_USER_ACCT,

+					buf, NULL, NULL, NULL, rv == 0);

+			}

+			close(audit_fd);

+		}

+		if (rv == -1) {

+#endif

+			close(fd);

+			return 4;

+		}

+	}

+	else {

+		unsigned int i;

+

+		memset(&tallies, 0, sizeof(tallies));

+		if ((rv=read_tally(fd, &tallies)) == -1) {

+			fprintf(stderr, "%s: Error reading the tally file for %s:",

+				opts->progname, user);

+			perror(NULL);

+			close(fd);

+			return 5;

+		}

+

+		printf("%s:\n", user);

+		printf("%-19s %-5s %-48s %-5s\n", "When", "Type", "Source", "Valid");

+

+		for (i = 0; i < tallies.count; i++) {

+			struct tm *tm;

+			char timebuf[80];

+			uint16_t status = tallies.records[i].status;

+			time_t when = tallies.records[i].time;

+

+			tm = localtime(&when);

+			strftime(timebuf, sizeof(timebuf), "%Y-%m-%d %H:%M:%S", tm);

+			printf("%-19s %-5s %-52.52s %s\n", timebuf,

+				status & TALLY_STATUS_RHOST ? "RHOST" : (status & TALLY_STATUS_TTY ? "TTY" : "SVC"),

+				tallies.records[i].source, status & TALLY_STATUS_VALID ? "V":"I");

+		}

+		free(tallies.records);

+	}

+	close(fd);

+	return 0;

+}

+

+static int

+do_allusers(struct options *opts)

+{

+	struct dirent **userlist;

+	int rv, i;

+

+	rv = scandir(opts->dir, &userlist, NULL, alphasort);

+	if (rv < 0) {

+		fprintf(stderr, "%s: Error reading tally directory: ", opts->progname);

+		perror(NULL);

+		return 2;

+	}

+

+	for (i = 0; i < rv; i++) {

+		if (userlist[i]->d_name[0] == '.') {

+			if ((userlist[i]->d_name[1] == '.' && userlist[i]->d_name[2] == '\0') ||

+			    userlist[i]->d_name[1] == '\0')

+				continue;

+		}

+		do_user(opts, userlist[i]->d_name);

+		free(userlist[i]);

+	}

+	free(userlist);

+

+	return 0;

+}

+

+

+/*-----------------------------------------------------------------------*/

+int

+main (int argc, char *argv[])

+{

+	struct options opts;

+

+	if (args_parse(argc, argv, &opts)) {

+		usage(argv[0]);

+		return 1;

+	}

+

+	if (opts.user == NULL) {

+		return do_allusers(&opts);		

+	}

+

+	return do_user(&opts, opts.user);

+}

+

diff -up Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am

--- Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock	2010-09-17 15:58:41.000000000 +0200

+++ Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am	2010-09-17 15:58:41.000000000 +0200

@@ -0,0 +1,43 @@

+#

+# Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk <kukuk@thkukuk.de>

+# Copyright (c) 2008 Red Hat, Inc.

+# Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>

+#

+

+CLEANFILES = *~

+MAINTAINERCLEANFILES = $(MANS) README

+

+EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_faillock

+

+man_MANS = pam_faillock.8 faillock.8

+XMLS = README.xml pam_faillock.8.xml faillock.8.xml

+

+TESTS = tst-pam_faillock

+

+securelibdir = $(SECUREDIR)

+secureconfdir = $(SCONFIGDIR)

+

+noinst_HEADERS = faillock.h

+

+faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include

+pam_faillock_la_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include

+

+pam_faillock_la_LDFLAGS = -no-undefined -avoid-version -module

+pam_faillock_la_LIBADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT)

+if HAVE_VERSIONING

+  pam_faillock_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map

+endif

+

+faillock_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT)

+

+securelib_LTLIBRARIES = pam_faillock.la

+sbin_PROGRAMS = faillock

+

+pam_faillock_la_SOURCES = pam_faillock.c faillock.c

+faillock_SOURCES = main.c faillock.c

+

+if ENABLE_REGENERATE_MAN

+noinst_DATA = README

+README: pam_faillock.8.xml

+-include $(top_srcdir)/Make.xml.rules

+endif

diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c

--- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock	2010-09-17 15:58:41.000000000 +0200

+++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c	2010-09-17 15:58:41.000000000 +0200

@@ -0,0 +1,550 @@

+/*

+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>

+ *

+ * Redistribution and use in source and binary forms, with or without

+ * modification, are permitted provided that the following conditions

+ * are met:

+ * 1. Redistributions of source code must retain the above copyright

+ *    notice, and the entire permission notice in its entirety,

+ *    including the disclaimer of warranties.

+ * 2. Redistributions in binary form must reproduce the above copyright

+ *    notice, this list of conditions and the following disclaimer in the

+ *    documentation and/or other materials provided with the distribution.

+ * 3. The name of the author may not be used to endorse or promote