|
 |
db5216 |
diff -up Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c.never Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c
|
|
|
db5216 |
--- Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c.never 2016-03-03 10:01:15.000000000 +0100
|
|
|
db5216 |
+++ Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c 2016-04-22 14:31:34.239752334 +0200
|
|
|
db5216 |
@@ -125,17 +125,26 @@ args_parse(pam_handle_t *pamh, int argc,
|
|
|
db5216 |
}
|
|
|
db5216 |
else if (strncmp(argv[i], "unlock_time=", 12) == 0) {
|
|
|
db5216 |
unsigned int temp;
|
|
|
db5216 |
- if (sscanf(argv[i]+12, "%u", &temp) != 1 ||
|
|
|
db5216 |
+
|
|
|
db5216 |
+ if (strcmp(argv[i]+12, "never") == 0) {
|
|
|
db5216 |
+ opts->unlock_time = 0;
|
|
|
db5216 |
+ }
|
|
|
db5216 |
+ else if (sscanf(argv[i]+12, "%u", &temp) != 1 ||
|
|
|
db5216 |
temp > MAX_TIME_INTERVAL) {
|
|
|
db5216 |
pam_syslog(pamh, LOG_ERR,
|
|
|
db5216 |
"Bad number supplied for unlock_time argument");
|
|
|
db5216 |
- } else {
|
|
|
db5216 |
+ }
|
|
|
db5216 |
+ else {
|
|
|
db5216 |
opts->unlock_time = temp;
|
|
|
db5216 |
}
|
|
|
db5216 |
}
|
|
|
db5216 |
else if (strncmp(argv[i], "root_unlock_time=", 17) == 0) {
|
|
|
db5216 |
unsigned int temp;
|
|
|
db5216 |
- if (sscanf(argv[i]+17, "%u", &temp) != 1 ||
|
|
|
db5216 |
+
|
|
|
db5216 |
+ if (strcmp(argv[i]+17, "never") == 0) {
|
|
|
db5216 |
+ opts->root_unlock_time = 0;
|
|
|
db5216 |
+ }
|
|
|
db5216 |
+ else if (sscanf(argv[i]+17, "%u", &temp) != 1 ||
|
|
|
db5216 |
temp > MAX_TIME_INTERVAL) {
|
|
|
db5216 |
pam_syslog(pamh, LOG_ERR,
|
|
|
db5216 |
"Bad number supplied for root_unlock_time argument");
|
|
|
db5216 |
@@ -258,8 +267,8 @@ check_tally(pam_handle_t *pamh, struct o
|
|
|
db5216 |
}
|
|
|
db5216 |
|
|
|
db5216 |
if (opts->deny && failures >= opts->deny) {
|
|
|
db5216 |
- if ((opts->uid && latest_time + opts->unlock_time < opts->now) ||
|
|
|
db5216 |
- (!opts->uid && latest_time + opts->root_unlock_time < opts->now)) {
|
|
|
db5216 |
+ if ((opts->uid && opts->unlock_time && latest_time + opts->unlock_time < opts->now) ||
|
|
|
db5216 |
+ (!opts->uid && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) {
|
|
|
db5216 |
#ifdef HAVE_LIBAUDIT
|
|
|
db5216 |
if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */
|
|
|
db5216 |
char buf[64];
|
|
|
db5216 |
@@ -420,11 +429,17 @@ faillock_message(pam_handle_t *pamh, str
|
|
|
db5216 |
left = opts->latest_time + opts->root_unlock_time - opts->now;
|
|
|
db5216 |
}
|
|
|
db5216 |
|
|
|
db5216 |
- left /= 60; /* minutes */
|
|
|
db5216 |
+ if (left > 0) {
|
|
|
db5216 |
+ left = (left + 59)/60; /* minutes */
|
|
|
db5216 |
|
|
|
db5216 |
- pam_info(pamh, _("Account temporarily locked due to %d failed logins"),
|
|
|
db5216 |
- opts->failures);
|
|
|
db5216 |
- pam_info(pamh, _("(%d minutes left to unlock)"), (int)left);
|
|
|
db5216 |
+ pam_info(pamh, _("Account temporarily locked due to %d failed logins"),
|
|
|
db5216 |
+ opts->failures);
|
|
|
db5216 |
+ pam_info(pamh, _("(%d minutes left to unlock)"), (int)left);
|
|
|
db5216 |
+ }
|
|
|
db5216 |
+ else {
|
|
|
db5216 |
+ pam_info(pamh, _("Account locked due to %d failed logins"),
|
|
|
db5216 |
+ opts->failures);
|
|
|
db5216 |
+ }
|
|
|
db5216 |
}
|
|
|
db5216 |
}
|
|
|
db5216 |
|
|
|
db5216 |
diff -up Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml.never Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml
|
|
|
db5216 |
--- Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml.never 2016-04-22 15:25:57.000000000 +0200
|
|
|
db5216 |
+++ Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml 2016-04-28 16:43:14.109794294 +0200
|
|
|
db5216 |
@@ -201,6 +201,21 @@
|
|
|
db5216 |
<replaceable>n</replaceable> seconds after the lock out.
|
|
|
db5216 |
The default is 600 (10 minutes).
|
|
|
db5216 |
</para>
|
|
|
db5216 |
+ <para>
|
|
|
db5216 |
+ If the <replaceable>n</replaceable> is set to never or 0
|
|
|
db5216 |
+ the access will not be reenabled at all until administrator
|
|
|
db5216 |
+ explicitly reenables it with the <command>faillock</command> command.
|
|
|
db5216 |
+ Note though that the default directory that <emphasis>pam_faillock</emphasis>
|
|
|
db5216 |
+ uses is usually cleared on system boot so the access will be also reenabled
|
|
|
db5216 |
+ after system reboot. If that is undesirable a different tally directory
|
|
|
db5216 |
+ must be set with the <option>dir</option> option.
|
|
|
db5216 |
+ </para>
|
|
|
db5216 |
+ <para>
|
|
|
db5216 |
+ Also note that it is usually undesirable to permanently lock
|
|
|
db5216 |
+ out the users as they can become easily a target of denial of service
|
|
|
db5216 |
+ attack unless the usernames are random and kept secret to potential
|
|
|
db5216 |
+ attackers.
|
|
|
db5216 |
+ </para>
|
|
|
db5216 |
</listitem>
|
|
|
db5216 |
</varlistentry>
|
|
|
db5216 |
<varlistentry>
|