Blame SOURCES/pam-1.2.1-faillock.patch

73cfcf
diff -up Linux-PAM-1.2.1/configure.ac.faillock Linux-PAM-1.2.1/configure.ac
73cfcf
--- Linux-PAM-1.2.1/configure.ac.faillock	2015-06-25 10:42:21.477374752 +0200
73cfcf
+++ Linux-PAM-1.2.1/configure.ac	2015-06-25 10:42:21.501375246 +0200
73cfcf
@@ -621,7 +621,7 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
73cfcf
 	modules/pam_access/Makefile modules/pam_cracklib/Makefile \
73cfcf
         modules/pam_debug/Makefile modules/pam_deny/Makefile \
73cfcf
 	modules/pam_echo/Makefile modules/pam_env/Makefile \
73cfcf
-	modules/pam_faildelay/Makefile \
73cfcf
+	modules/pam_faildelay/Makefile modules/pam_faillock/Makefile \
73cfcf
 	modules/pam_filter/Makefile modules/pam_filter/upperLOWER/Makefile \
73cfcf
 	modules/pam_ftp/Makefile modules/pam_group/Makefile \
73cfcf
 	modules/pam_issue/Makefile modules/pam_keyinit/Makefile \
73cfcf
diff -up Linux-PAM-1.2.1/doc/sag/pam_faillock.xml.faillock Linux-PAM-1.2.1/doc/sag/pam_faillock.xml
73cfcf
--- Linux-PAM-1.2.1/doc/sag/pam_faillock.xml.faillock	2015-06-25 10:42:21.482374855 +0200
73cfcf
+++ Linux-PAM-1.2.1/doc/sag/pam_faillock.xml	2015-06-25 10:42:21.482374855 +0200
73cfcf
@@ -0,0 +1,38 @@
73cfcf
+
73cfcf
+
73cfcf
+        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
73cfcf
+<section id='sag-pam_faillock'>
73cfcf
+  <title>pam_faillock - temporarily locking access based on failed authentication attempts during an interval</title>
73cfcf
+  <cmdsynopsis>
73cfcf
+    
73cfcf
+     href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_faillock-cmdsynopsisauth"]/*)'/>
73cfcf
+  </cmdsynopsis>
73cfcf
+  <cmdsynopsis>
73cfcf
+    
73cfcf
+     href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_faillock-cmdsynopsisacct"]/*)'/>
73cfcf
+  </cmdsynopsis>
73cfcf
+  <section id='sag-pam_faillock-description'>
73cfcf
+    
73cfcf
+     href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-description"]/*)'/>
73cfcf
+  </section>
73cfcf
+  <section id='sag-pam_faillock-options'>
73cfcf
+    
73cfcf
+     href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-options"]/*)'/>
73cfcf
+  </section>
73cfcf
+  <section id='sag-pam_faillock-types'>
73cfcf
+    
73cfcf
+     href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-types"]/*)'/>
73cfcf
+  </section>
73cfcf
+  <section id='sag-pam_faillock-return_values'>
73cfcf
+    
73cfcf
+     href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-return_values"]/*)'/>
73cfcf
+  </section>
73cfcf
+  <section id='sag-pam_faillock-examples'>
73cfcf
+    
73cfcf
+     href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-examples"]/*)'/>
73cfcf
+  </section>
73cfcf
+  <section id='sag-pam_faillock-author'>
73cfcf
+    
73cfcf
+     href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-author"]/*)'/>
73cfcf
+  </section>
73cfcf
+</section>
73cfcf
diff -up Linux-PAM-1.2.1/modules/Makefile.am.faillock Linux-PAM-1.2.1/modules/Makefile.am
73cfcf
--- Linux-PAM-1.2.1/modules/Makefile.am.faillock	2015-06-25 10:42:21.480374814 +0200
73cfcf
+++ Linux-PAM-1.2.1/modules/Makefile.am	2015-06-25 10:42:21.482374855 +0200
73cfcf
@@ -3,7 +3,7 @@
73cfcf
 #
73cfcf
 
73cfcf
 SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \
73cfcf
-	pam_chroot pam_console pam_postgresok \
73cfcf
+	pam_chroot pam_console pam_postgresok pam_faillock \
73cfcf
 	pam_env pam_exec pam_faildelay pam_filter pam_ftp \
73cfcf
 	pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
73cfcf
 	pam_listfile pam_localuser pam_loginuid pam_mail \
73cfcf
diff -up Linux-PAM-1.2.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.2.1/modules/pam_faillock/faillock.c
73cfcf
--- Linux-PAM-1.2.1/modules/pam_faillock/faillock.c.faillock	2015-06-25 10:42:21.482374855 +0200
73cfcf
+++ Linux-PAM-1.2.1/modules/pam_faillock/faillock.c	2015-06-25 10:42:21.482374855 +0200
73cfcf
@@ -0,0 +1,158 @@
73cfcf
+/*
73cfcf
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
73cfcf
+ *
73cfcf
+ * Redistribution and use in source and binary forms, with or without
73cfcf
+ * modification, are permitted provided that the following conditions
73cfcf
+ * are met:
73cfcf
+ * 1. Redistributions of source code must retain the above copyright
73cfcf
+ *    notice, and the entire permission notice in its entirety,
73cfcf
+ *    including the disclaimer of warranties.
73cfcf
+ * 2. Redistributions in binary form must reproduce the above copyright
73cfcf
+ *    notice, this list of conditions and the following disclaimer in the
73cfcf
+ *    documentation and/or other materials provided with the distribution.
73cfcf
+ * 3. The name of the author may not be used to endorse or promote
73cfcf
+ *    products derived from this software without specific prior
73cfcf
+ *    written permission.
73cfcf
+ *
73cfcf
+ * ALTERNATIVELY, this product may be distributed under the terms of
73cfcf
+ * the GNU Public License, in which case the provisions of the GPL are
73cfcf
+ * required INSTEAD OF the above restrictions.  (This clause is
73cfcf
+ * necessary due to a potential bad interaction between the GPL and
73cfcf
+ * the restrictions contained in a BSD-style copyright.)
73cfcf
+ *
73cfcf
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
73cfcf
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
73cfcf
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
73cfcf
+ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
73cfcf
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
73cfcf
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
73cfcf
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
73cfcf
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
73cfcf
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
73cfcf
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
73cfcf
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
73cfcf
+ */
73cfcf
+
73cfcf
+#include "config.h"
73cfcf
+#include <string.h>
73cfcf
+#include <stdlib.h>
73cfcf
+#include <unistd.h>
73cfcf
+#include <errno.h>
73cfcf
+#include <sys/types.h>
73cfcf
+#include <sys/stat.h>
73cfcf
+#include <sys/file.h>
73cfcf
+#include <sys/stat.h>
73cfcf
+#include <fcntl.h>
73cfcf
+#include <security/pam_modutil.h>
73cfcf
+
73cfcf
+#include "faillock.h"
73cfcf
+
73cfcf
+int
73cfcf
+open_tally (const char *dir, const char *user, uid_t uid, int create)
73cfcf
+{
73cfcf
+	char *path;
73cfcf
+	int flags = O_RDWR;
73cfcf
+	int fd;
73cfcf
+
73cfcf
+	if (strstr(user, "../") != NULL)
73cfcf
+	/* just a defensive programming as the user must be a
73cfcf
+	 * valid user on the system anyway
73cfcf
+	 */
73cfcf
+		return -1;
73cfcf
+	path = malloc(strlen(dir) + strlen(user) + 2);
73cfcf
+	if (path == NULL)
73cfcf
+		return -1;
73cfcf
+
73cfcf
+	strcpy(path, dir);
73cfcf
+	if (*dir && dir[strlen(dir) - 1] != '/') {
73cfcf
+		strcat(path, "/");
73cfcf
+	}
73cfcf
+	strcat(path, user);
73cfcf
+
73cfcf
+	if (create) {
73cfcf
+		flags |= O_CREAT;
73cfcf
+	}
73cfcf
+
73cfcf
+	fd = open(path, flags, 0600);
73cfcf
+
73cfcf
+	free(path);
73cfcf
+
73cfcf
+	if (fd != -1) {
73cfcf
+		struct stat st;
73cfcf
+
73cfcf
+		while (flock(fd, LOCK_EX) == -1 && errno == EINTR);
73cfcf
+		if (fstat(fd, &st) == 0) {
73cfcf
+			if (st.st_uid != uid) {
73cfcf
+				fchown(fd, uid, -1);
73cfcf
+			}
73cfcf
+		}
73cfcf
+	}
73cfcf
+
73cfcf
+	return fd;
73cfcf
+}
73cfcf
+
73cfcf
+#define CHUNK_SIZE (64 * sizeof(struct tally))
73cfcf
+#define MAX_RECORDS 1024
73cfcf
+
73cfcf
+int
73cfcf
+read_tally(int fd, struct tally_data *tallies)
73cfcf
+{
73cfcf
+	void *data = NULL, *newdata;
73cfcf
+	unsigned int count = 0;
73cfcf
+	ssize_t chunk = 0;
73cfcf
+
73cfcf
+	do {
73cfcf
+		newdata = realloc(data, count * sizeof(struct tally) + CHUNK_SIZE);
73cfcf
+		if (newdata == NULL) {
73cfcf
+			free(data);
73cfcf
+			return -1;
73cfcf
+		}
73cfcf
+
73cfcf
+		data = newdata;
73cfcf
+
73cfcf
+		chunk = pam_modutil_read(fd, (char *)data + count * sizeof(struct tally), CHUNK_SIZE);
73cfcf
+		if (chunk < 0) {
73cfcf
+			free(data);
73cfcf
+			return -1;
73cfcf
+		}
73cfcf
+
73cfcf
+		count += chunk/sizeof(struct tally);
73cfcf
+
73cfcf
+		if (count >= MAX_RECORDS)
73cfcf
+			break;
73cfcf
+	}
73cfcf
+	while (chunk == CHUNK_SIZE); 
73cfcf
+
73cfcf
+	tallies->records = data;
73cfcf
+	tallies->count = count;
73cfcf
+
73cfcf
+	return 0;
73cfcf
+}
73cfcf
+
73cfcf
+int
73cfcf
+update_tally(int fd, struct tally_data *tallies)
73cfcf
+{
73cfcf
+	void *data = tallies->records;
73cfcf
+	unsigned int count = tallies->count;
73cfcf
+	ssize_t chunk;
73cfcf
+
73cfcf
+	if (tallies->count > MAX_RECORDS) {
73cfcf
+		data = tallies->records + (count - MAX_RECORDS);
73cfcf
+		count = MAX_RECORDS;
73cfcf
+	}
73cfcf
+
73cfcf
+	if (lseek(fd, 0, SEEK_SET) == (off_t)-1) {
73cfcf
+		return -1;
73cfcf
+	}
73cfcf
+
73cfcf
+	chunk = pam_modutil_write(fd, data, count * sizeof(struct tally));
73cfcf
+
73cfcf
+	if (chunk != (ssize_t)(count * sizeof(struct tally))) {
73cfcf
+		return -1;
73cfcf
+	}
73cfcf
+
73cfcf
+	if (ftruncate(fd, count * sizeof(struct tally)) == -1)
73cfcf
+		return -1;
73cfcf
+
73cfcf
+	return 0;
73cfcf
+}
73cfcf
diff -up Linux-PAM-1.2.1/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.2.1/modules/pam_faillock/faillock.h
73cfcf
--- Linux-PAM-1.2.1/modules/pam_faillock/faillock.h.faillock	2015-06-25 10:42:21.482374855 +0200
73cfcf
+++ Linux-PAM-1.2.1/modules/pam_faillock/faillock.h	2015-06-25 10:42:21.482374855 +0200
73cfcf
@@ -0,0 +1,73 @@
73cfcf
+/*
73cfcf
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
73cfcf
+ *
73cfcf
+ * Redistribution and use in source and binary forms, with or without
73cfcf
+ * modification, are permitted provided that the following conditions
73cfcf
+ * are met:
73cfcf
+ * 1. Redistributions of source code must retain the above copyright
73cfcf
+ *    notice, and the entire permission notice in its entirety,
73cfcf
+ *    including the disclaimer of warranties.
73cfcf
+ * 2. Redistributions in binary form must reproduce the above copyright
73cfcf
+ *    notice, this list of conditions and the following disclaimer in the
73cfcf
+ *    documentation and/or other materials provided with the distribution.
73cfcf
+ * 3. The name of the author may not be used to endorse or promote
73cfcf
+ *    products derived from this software without specific prior
73cfcf
+ *    written permission.
73cfcf
+ *
73cfcf
+ * ALTERNATIVELY, this product may be distributed under the terms of
73cfcf
+ * the GNU Public License, in which case the provisions of the GPL are
73cfcf
+ * required INSTEAD OF the above restrictions.  (This clause is
73cfcf
+ * necessary due to a potential bad interaction between the GPL and
73cfcf
+ * the restrictions contained in a BSD-style copyright.)
73cfcf
+ *
73cfcf
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
73cfcf
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
73cfcf
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
73cfcf
+ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
73cfcf
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
73cfcf
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
73cfcf
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
73cfcf
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
73cfcf
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
73cfcf
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
73cfcf
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
73cfcf
+ */
73cfcf
+
73cfcf
+/*
73cfcf
+ * faillock.h - authentication failure data file record structure
73cfcf
+ *
73cfcf
+ * Each record in the file represents an instance of login failure of
73cfcf
+ * the user at the recorded time
73cfcf
+ */
73cfcf
+
73cfcf
+
73cfcf
+#ifndef _FAILLOCK_H
73cfcf
+#define _FAILLOCK_H
73cfcf
+
73cfcf
+#include <stdint.h>
73cfcf
+#include <sys/types.h>
73cfcf
+
73cfcf
+#define TALLY_STATUS_VALID     0x1       /* the tally file entry is valid */
73cfcf
+#define TALLY_STATUS_RHOST     0x2       /* the source is rhost */
73cfcf
+#define TALLY_STATUS_TTY       0x4       /* the source is tty - if both TALLY_FLAG_RHOST and TALLY_FLAG_TTY are not set the source is service */
73cfcf
+
73cfcf
+struct	tally {
73cfcf
+	char		source[52];	/* rhost or tty of the login failure (not necessarily NULL terminated) */
73cfcf
+	uint16_t	reserved;	/* reserved for future use */
73cfcf
+	uint16_t	status;		/* record status  */
73cfcf
+	uint64_t	time;		/* time of the login failure */
73cfcf
+};
73cfcf
+/* 64 bytes per entry */
73cfcf
+
73cfcf
+struct tally_data {
73cfcf
+	struct tally *records;		/* array of tallies */
73cfcf
+	unsigned int count;		/* number of records */
73cfcf
+};
73cfcf
+
73cfcf
+#define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock"
73cfcf
+
73cfcf
+int open_tally(const char *dir, const char *user, uid_t uid, int create);
73cfcf
+int read_tally(int fd, struct tally_data *tallies);
73cfcf
+int update_tally(int fd, struct tally_data *tallies);
73cfcf
+#endif
73cfcf
+
73cfcf
diff -up Linux-PAM-1.2.1/modules/pam_faillock/faillock.8.xml.faillock Linux-PAM-1.2.1/modules/pam_faillock/faillock.8.xml
73cfcf
--- Linux-PAM-1.2.1/modules/pam_faillock/faillock.8.xml.faillock	2015-06-25 10:42:21.482374855 +0200
73cfcf
+++ Linux-PAM-1.2.1/modules/pam_faillock/faillock.8.xml	2015-06-25 10:42:21.482374855 +0200
73cfcf
@@ -0,0 +1,123 @@
73cfcf
+
73cfcf
+
73cfcf
+	"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
73cfcf
+
73cfcf
+<refentry id="faillock">
73cfcf
+
73cfcf
+  <refmeta>
73cfcf
+    <refentrytitle>faillock</refentrytitle>
73cfcf
+    <manvolnum>8</manvolnum>
73cfcf
+    <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
73cfcf
+  </refmeta>
73cfcf
+
73cfcf
+  <refnamediv id="pam_faillock-name">
73cfcf
+    <refname>faillock</refname>
73cfcf
+    <refpurpose>Tool for displaying and modifying the authentication failure record files</refpurpose>
73cfcf
+  </refnamediv>
73cfcf
+
73cfcf
+  <refsynopsisdiv>
73cfcf
+    <cmdsynopsis id="faillock-cmdsynopsis">
73cfcf
+      <command>faillock</command>
73cfcf
+      <arg choice="opt">
73cfcf
+        --dir <replaceable>/path/to/tally-directory</replaceable>
73cfcf
+      </arg>
73cfcf
+      <arg choice="opt">
73cfcf
+        --user <replaceable>username</replaceable>
73cfcf
+      </arg>
73cfcf
+      <arg choice="opt">
73cfcf
+        --reset
73cfcf
+      </arg>
73cfcf
+    </cmdsynopsis>
73cfcf
+  </refsynopsisdiv>
73cfcf
+
73cfcf
+  <refsect1 id="faillock-description">
73cfcf
+
73cfcf
+    <title>DESCRIPTION</title>
73cfcf
+
73cfcf
+    <para>
73cfcf
+      The <emphasis>pam_faillock.so</emphasis> module maintains a list of
73cfcf
+      failed authentication attempts per user during a specified interval
73cfcf
+      and locks the account in case there were more than
73cfcf
+      <replaceable>deny</replaceable> consecutive failed authentications.
73cfcf
+      It stores the failure records into per-user files in the tally
73cfcf
+      directory.
73cfcf
+    </para>
73cfcf
+    <para>
73cfcf
+      The <command>faillock</command> command is an application which
73cfcf
+      can be used to examine and modify the contents of the
73cfcf
+      the tally files. It can display the recent failed authentication
73cfcf
+      attempts of the <replaceable>username</replaceable> or clear the tally
73cfcf
+      files of all or individual <replaceable>usernames</replaceable>.
73cfcf
+    </para>
73cfcf
+  </refsect1>
73cfcf
+
73cfcf
+  <refsect1 id="faillock-options">
73cfcf
+
73cfcf
+    <title>OPTIONS</title>
73cfcf
+         <variablelist>
73cfcf
+            <varlistentry>
73cfcf
+              <term>
73cfcf
+                <option>--dir <replaceable>/path/to/tally-directory</replaceable></option>
73cfcf
+              </term>
73cfcf
+              <listitem>
73cfcf
+                <para>
73cfcf
+                  The directory where the user files with the failure records are kept. The
73cfcf
+                  default is <filename>/var/run/faillock</filename>.
73cfcf
+                </para>
73cfcf
+              </listitem>
73cfcf
+            </varlistentry>
73cfcf
+            <varlistentry>
73cfcf
+              <term>
73cfcf
+                <option>--user <replaceable>username</replaceable></option>
73cfcf
+              </term>
73cfcf
+              <listitem>
73cfcf
+                <para>
73cfcf
+                  The user whose failure records should be displayed or cleared.
73cfcf
+                </para>
73cfcf
+              </listitem>
73cfcf
+            </varlistentry>
73cfcf
+            <varlistentry>
73cfcf
+              <term>
73cfcf
+                <option>--reset</option>
73cfcf
+              </term>
73cfcf
+              <listitem>
73cfcf
+                <para>
73cfcf
+                  Instead of displaying the user's failure records, clear them.
73cfcf
+                </para>
73cfcf
+              </listitem>
73cfcf
+            </varlistentry>
73cfcf
+        </variablelist>
73cfcf
+  </refsect1>
73cfcf
+
73cfcf
+  <refsect1 id="faillock-files">
73cfcf
+    <title>FILES</title>
73cfcf
+    <variablelist>
73cfcf
+      <varlistentry>
73cfcf
+        <term><filename>/var/run/faillock/*</filename></term>
73cfcf
+        <listitem>
73cfcf
+          <para>the files logging the authentication failures for users</para>
73cfcf
+        </listitem>
73cfcf
+      </varlistentry>
73cfcf
+    </variablelist>
73cfcf
+  </refsect1>
73cfcf
+
73cfcf
+  <refsect1 id='faillock-see_also'>
73cfcf
+    <title>SEE ALSO</title>
73cfcf
+    <para>
73cfcf
+      <citerefentry>
73cfcf
+        <refentrytitle>pam_faillock</refentrytitle><manvolnum>8</manvolnum>
73cfcf
+      </citerefentry>,
73cfcf
+      <citerefentry>
73cfcf
+        <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
73cfcf
+      </citerefentry>
73cfcf
+    </para>
73cfcf
+  </refsect1>
73cfcf
+
73cfcf
+  <refsect1 id='faillock-author'>
73cfcf
+    <title>AUTHOR</title>
73cfcf
+      <para>
73cfcf
+        faillock was written by Tomas Mraz.
73cfcf
+      </para>
73cfcf
+  </refsect1>
73cfcf
+
73cfcf
+</refentry>
73cfcf
diff -up Linux-PAM-1.2.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.2.1/modules/pam_faillock/main.c
73cfcf
--- Linux-PAM-1.2.1/modules/pam_faillock/main.c.faillock	2015-06-25 10:42:21.482374855 +0200
73cfcf
+++ Linux-PAM-1.2.1/modules/pam_faillock/main.c	2015-06-25 10:42:21.503375287 +0200
73cfcf
@@ -0,0 +1,232 @@
73cfcf
+/*
73cfcf
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
73cfcf
+ *
73cfcf
+ * Redistribution and use in source and binary forms, with or without
73cfcf
+ * modification, are permitted provided that the following conditions
73cfcf
+ * are met:
73cfcf
+ * 1. Redistributions of source code must retain the above copyright
73cfcf
+ *    notice, and the entire permission notice in its entirety,
73cfcf
+ *    including the disclaimer of warranties.
73cfcf
+ * 2. Redistributions in binary form must reproduce the above copyright
73cfcf
+ *    notice, this list of conditions and the following disclaimer in the
73cfcf
+ *    documentation and/or other materials provided with the distribution.
73cfcf
+ * 3. The name of the author may not be used to endorse or promote
73cfcf
+ *    products derived from this software without specific prior
73cfcf
+ *    written permission.
73cfcf
+ *
73cfcf
+ * ALTERNATIVELY, this product may be distributed under the terms of
73cfcf
+ * the GNU Public License, in which case the provisions of the GPL are
73cfcf
+ * required INSTEAD OF the above restrictions.  (This clause is
73cfcf
+ * necessary due to a potential bad interaction between the GPL and
73cfcf
+ * the restrictions contained in a BSD-style copyright.)
73cfcf
+ *
73cfcf
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
73cfcf
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
73cfcf
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
73cfcf
+ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
73cfcf
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
73cfcf
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
73cfcf
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
73cfcf
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
73cfcf
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
73cfcf
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
73cfcf
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
73cfcf
+ */
73cfcf
+
73cfcf
+#include "config.h"
73cfcf
+
73cfcf
+#include <stdio.h>
73cfcf
+#include <stdlib.h>
73cfcf
+#include <string.h>
73cfcf
+#include <dirent.h>
73cfcf
+#include <errno.h>
73cfcf
+#include <pwd.h>
73cfcf
+#include <time.h>
73cfcf
+#include <sys/types.h>
73cfcf
+#include <unistd.h>
73cfcf
+#ifdef HAVE_LIBAUDIT
73cfcf
+#include <libaudit.h>
73cfcf
+#endif
73cfcf
+
73cfcf
+#include "faillock.h"
73cfcf
+
73cfcf
+struct options {
73cfcf
+	unsigned int reset;
73cfcf
+	const char *dir;
73cfcf
+	const char *user;
73cfcf
+	const char *progname;
73cfcf
+};
73cfcf
+
73cfcf
+static int
73cfcf
+args_parse(int argc, char **argv, struct options *opts)
73cfcf
+{
73cfcf
+	int i;
73cfcf
+	memset(opts, 0, sizeof(*opts));
73cfcf
+
73cfcf
+	opts->dir = FAILLOCK_DEFAULT_TALLYDIR;
73cfcf
+	opts->progname = argv[0];
73cfcf
+
73cfcf
+	for (i = 1; i < argc; ++i) {
73cfcf
+
73cfcf
+		if (strcmp(argv[i], "--dir") == 0) {
73cfcf
+			++i;
73cfcf
+			if (i >= argc || strlen(argv[i]) == 0) {
73cfcf
+				fprintf(stderr, "%s: No directory supplied.\n", argv[0]);				
73cfcf
+				return -1;
73cfcf
+			}
73cfcf
+		        opts->dir = argv[i];
73cfcf
+		} 
73cfcf
+		else if (strcmp(argv[i], "--user") == 0) {
73cfcf
+			++i;
73cfcf
+			if (i >= argc || strlen(argv[i]) == 0) {
73cfcf
+				fprintf(stderr, "%s: No user name supplied.\n", argv[0]);				
73cfcf
+				return -1;
73cfcf
+			}
73cfcf
+		        opts->user = argv[i];
73cfcf
+		}
73cfcf
+ 		else if (strcmp(argv[i], "--reset") == 0) {
73cfcf
+			opts->reset = 1;
73cfcf
+		}
73cfcf
+		else {
73cfcf
+			fprintf(stderr, "%s: Unknown option: %s\n", argv[0], argv[i]);
73cfcf
+			return -1;
73cfcf
+		}
73cfcf
+	}
73cfcf
+	return 0;
73cfcf
+}
73cfcf
+
73cfcf
+static void
73cfcf
+usage(const char *progname)
73cfcf
+{
73cfcf
+	fprintf(stderr, _("Usage: %s [--dir /path/to/tally-directory] [--user username] [--reset]\n"),
73cfcf
+		progname);
73cfcf
+}
73cfcf
+
73cfcf
+static int
73cfcf
+do_user(struct options *opts, const char *user)
73cfcf
+{
73cfcf
+	int fd;
73cfcf
+	int rv;
73cfcf
+	struct tally_data tallies;
73cfcf
+	struct passwd *pwd;
73cfcf
+
73cfcf
+	pwd = getpwnam(user);
73cfcf
+
73cfcf
+	fd = open_tally(opts->dir, user, pwd != NULL ? pwd->pw_uid : 0, 0);
73cfcf
+
73cfcf
+	if (fd == -1) {
73cfcf
+		if (errno == ENOENT) {
73cfcf
+			return 0;
73cfcf
+		}
73cfcf
+		else {
73cfcf
+			fprintf(stderr, "%s: Error opening the tally file for %s:",
73cfcf
+				opts->progname, user);
73cfcf
+			perror(NULL);
73cfcf
+			return 3;
73cfcf
+		}
73cfcf
+	}
73cfcf
+	if (opts->reset) {
73cfcf
+#ifdef HAVE_LIBAUDIT
73cfcf
+		int audit_fd;
73cfcf
+#endif
73cfcf
+		
73cfcf
+		while ((rv=ftruncate(fd, 0)) == -1 && errno == EINTR);
73cfcf
+		if (rv == -1) {
73cfcf
+			fprintf(stderr, "%s: Error clearing the tally file for %s:",
73cfcf
+				opts->progname, user);
73cfcf
+			perror(NULL);
73cfcf
+#ifdef HAVE_LIBAUDIT
73cfcf
+		}
73cfcf
+		if ((audit_fd=audit_open()) >= 0) {
73cfcf
+
73cfcf
+			if (pwd != NULL) {
73cfcf
+				audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL,
73cfcf
+					"faillock-reset", NULL, pwd->pw_uid, NULL, NULL, NULL, rv == 0);
73cfcf
+			}
73cfcf
+			close(audit_fd);
73cfcf
+		}
73cfcf
+		if (rv == -1) {
73cfcf
+#endif
73cfcf
+			close(fd);
73cfcf
+			return 4;
73cfcf
+		}
73cfcf
+	}
73cfcf
+	else {
73cfcf
+		unsigned int i;
73cfcf
+
73cfcf
+		memset(&tallies, 0, sizeof(tallies));
73cfcf
+		if ((rv=read_tally(fd, &tallies)) == -1) {
73cfcf
+			fprintf(stderr, "%s: Error reading the tally file for %s:",
73cfcf
+				opts->progname, user);
73cfcf
+			perror(NULL);
73cfcf
+			close(fd);
73cfcf
+			return 5;
73cfcf
+		}
73cfcf
+
73cfcf
+		printf("%s:\n", user);
73cfcf
+		printf("%-19s %-5s %-48s %-5s\n", "When", "Type", "Source", "Valid");
73cfcf
+
73cfcf
+		for (i = 0; i < tallies.count; i++) {
73cfcf
+			struct tm *tm;
73cfcf
+			char timebuf[80];
73cfcf
+			uint16_t status = tallies.records[i].status;
73cfcf
+			time_t when = tallies.records[i].time;
73cfcf
+
73cfcf
+			tm = localtime(&when);
73cfcf
+			strftime(timebuf, sizeof(timebuf), "%Y-%m-%d %H:%M:%S", tm);
73cfcf
+			printf("%-19s %-5s %-52.52s %s\n", timebuf,
73cfcf
+				status & TALLY_STATUS_RHOST ? "RHOST" : (status & TALLY_STATUS_TTY ? "TTY" : "SVC"),
73cfcf
+				tallies.records[i].source, status & TALLY_STATUS_VALID ? "V":"I");
73cfcf
+		}
73cfcf
+		free(tallies.records);
73cfcf
+	}
73cfcf
+	close(fd);
73cfcf
+	return 0;
73cfcf
+}
73cfcf
+
73cfcf
+static int
73cfcf
+do_allusers(struct options *opts)
73cfcf
+{
73cfcf
+	struct dirent **userlist;
73cfcf
+	int rv, i;
73cfcf
+
73cfcf
+	rv = scandir(opts->dir, &userlist, NULL, alphasort);
73cfcf
+	if (rv < 0) {
73cfcf
+		fprintf(stderr, "%s: Error reading tally directory: ", opts->progname);
73cfcf
+		perror(NULL);
73cfcf
+		return 2;
73cfcf
+	}
73cfcf
+
73cfcf
+	for (i = 0; i < rv; i++) {
73cfcf
+		if (userlist[i]->d_name[0] == '.') {
73cfcf
+			if ((userlist[i]->d_name[1] == '.' && userlist[i]->d_name[2] == '\0') ||
73cfcf
+			    userlist[i]->d_name[1] == '\0')
73cfcf
+				continue;
73cfcf
+		}
73cfcf
+		do_user(opts, userlist[i]->d_name);
73cfcf
+		free(userlist[i]);
73cfcf
+	}
73cfcf
+	free(userlist);
73cfcf
+
73cfcf
+	return 0;
73cfcf
+}
73cfcf
+
73cfcf
+
73cfcf
+/*-----------------------------------------------------------------------*/
73cfcf
+int
73cfcf
+main (int argc, char *argv[])
73cfcf
+{
73cfcf
+	struct options opts;
73cfcf
+
73cfcf
+	if (args_parse(argc, argv, &opts)) {
73cfcf
+		usage(argv[0]);
73cfcf
+		return 1;
73cfcf
+	}
73cfcf
+
73cfcf
+	if (opts.user == NULL) {
73cfcf
+		return do_allusers(&opts);		
73cfcf
+	}
73cfcf
+
73cfcf
+	return do_user(&opts, opts.user);
73cfcf
+}
73cfcf
+
73cfcf
diff -up Linux-PAM-1.2.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.2.1/modules/pam_faillock/Makefile.am
73cfcf
--- Linux-PAM-1.2.1/modules/pam_faillock/Makefile.am.faillock	2015-06-25 10:42:21.482374855 +0200
73cfcf
+++ Linux-PAM-1.2.1/modules/pam_faillock/Makefile.am	2015-06-25 10:42:21.494375102 +0200
73cfcf
@@ -0,0 +1,44 @@
73cfcf
+#
73cfcf
+# Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk <kukuk@thkukuk.de>
73cfcf
+# Copyright (c) 2008 Red Hat, Inc.
73cfcf
+# Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
73cfcf
+#
73cfcf
+
73cfcf
+CLEANFILES = *~
73cfcf
+MAINTAINERCLEANFILES = $(MANS) README
73cfcf
+
73cfcf
+EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_faillock
73cfcf
+
73cfcf
+man_MANS = pam_faillock.8 faillock.8
73cfcf
+XMLS = README.xml pam_faillock.8.xml faillock.8.xml
73cfcf
+
73cfcf
+TESTS = tst-pam_faillock
73cfcf
+
73cfcf
+securelibdir = $(SECUREDIR)
73cfcf
+secureconfdir = $(SCONFIGDIR)
73cfcf
+
73cfcf
+noinst_HEADERS = faillock.h
73cfcf
+
73cfcf
+faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include @PIE_CFLAGS@
73cfcf
+pam_faillock_la_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
73cfcf
+
73cfcf
+pam_faillock_la_LDFLAGS = -no-undefined -avoid-version -module
73cfcf
+pam_faillock_la_LIBADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT)
73cfcf
+if HAVE_VERSIONING
73cfcf
+  pam_faillock_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
73cfcf
+endif
73cfcf
+
73cfcf
+faillock_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
73cfcf
+faillock_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT)
73cfcf
+
73cfcf
+securelib_LTLIBRARIES = pam_faillock.la
73cfcf
+sbin_PROGRAMS = faillock
73cfcf
+
73cfcf
+pam_faillock_la_SOURCES = pam_faillock.c faillock.c
73cfcf
+faillock_SOURCES = main.c faillock.c
73cfcf
+
73cfcf
+if ENABLE_REGENERATE_MAN
73cfcf
+noinst_DATA = README
73cfcf
+README: pam_faillock.8.xml
73cfcf
+-include $(top_srcdir)/Make.xml.rules
73cfcf
+endif
73cfcf
diff -up Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.c
73cfcf
--- Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.c.faillock	2015-06-25 10:42:21.483374875 +0200
73cfcf
+++ Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.c	2015-10-16 14:07:38.451616869 +0200
73cfcf
@@ -0,0 +1,571 @@
73cfcf
+/*
73cfcf
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
73cfcf
+ *
73cfcf
+ * Redistribution and use in source and binary forms, with or without
73cfcf
+ * modification, are permitted provided that the following conditions
73cfcf
+ * are met:
73cfcf
+ * 1. Redistributions of source code must retain the above copyright
73cfcf
+ *    notice, and the entire permission notice in its entirety,
73cfcf
+ *    including the disclaimer of warranties.
73cfcf
+ * 2. Redistributions in binary form must reproduce the above copyright
73cfcf
+ *    notice, this list of conditions and the following disclaimer in the
73cfcf
+ *    documentation and/or other materials provided with the distribution.
73cfcf
+ * 3. The name of the author may not be used to endorse or promote
73cfcf
+ *    products derived from this software without specific prior
73cfcf
+ *    written permission.
73cfcf
+ *
73cfcf
+ * ALTERNATIVELY, this product may be distributed under the terms of
73cfcf
+ * the GNU Public License, in which case the provisions of the GPL are
73cfcf
+ * required INSTEAD OF the above restrictions.  (This clause is
73cfcf
+ * necessary due to a potential bad interaction between the GPL and
73cfcf
+ * the restrictions contained in a BSD-style copyright.)
73cfcf
+ *
73cfcf
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
73cfcf
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
73cfcf
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
73cfcf
+ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
73cfcf
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
73cfcf
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
73cfcf
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
73cfcf
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
73cfcf
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
73cfcf
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
73cfcf
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
73cfcf
+ */
73cfcf
+
73cfcf
+#include "config.h"
73cfcf
+#include <stdio.h>
73cfcf
+#include <string.h>
73cfcf
+#include <unistd.h>
73cfcf
+#include <stdint.h>
73cfcf
+#include <stdlib.h>
73cfcf
+#include <errno.h>
73cfcf
+#include <time.h>
73cfcf
+#include <pwd.h>
73cfcf
+#include <syslog.h>
73cfcf
+
73cfcf
+#ifdef HAVE_LIBAUDIT
73cfcf
+#include <libaudit.h>
73cfcf
+#endif
73cfcf
+
73cfcf
+#include <security/pam_modules.h>
73cfcf
+#include <security/pam_modutil.h>
73cfcf
+#include <security/pam_ext.h>
73cfcf
+
73cfcf
+#include "faillock.h"
73cfcf
+
73cfcf
+#define PAM_SM_AUTH
73cfcf
+#define PAM_SM_ACCOUNT
73cfcf
+
73cfcf
+#define FAILLOCK_ACTION_PREAUTH  0
73cfcf
+#define FAILLOCK_ACTION_AUTHSUCC 1
73cfcf
+#define FAILLOCK_ACTION_AUTHFAIL 2
73cfcf
+
73cfcf
+#define FAILLOCK_FLAG_DENY_ROOT		0x1
73cfcf
+#define FAILLOCK_FLAG_AUDIT		0x2
73cfcf
+#define FAILLOCK_FLAG_SILENT		0x4
73cfcf
+#define FAILLOCK_FLAG_NO_LOG_INFO	0x8
73cfcf
+#define FAILLOCK_FLAG_UNLOCKED		0x10
73cfcf
+
73cfcf
+#define MAX_TIME_INTERVAL 604800 /* 7 days */
73cfcf
+
73cfcf
+struct options {
73cfcf
+	unsigned int action;
73cfcf
+	unsigned int flags;
73cfcf
+	unsigned short deny;
73cfcf
+	unsigned int fail_interval;
73cfcf
+	unsigned int unlock_time;
73cfcf
+	unsigned int root_unlock_time;
73cfcf
+	const char *dir;
73cfcf
+	const char *user;
73cfcf
+	int failures;
73cfcf
+	uint64_t latest_time;
73cfcf
+	uid_t uid;
73cfcf
+	uint64_t now;
73cfcf
+};
73cfcf
+
73cfcf
+static void
73cfcf
+args_parse(pam_handle_t *pamh, int argc, const char **argv,
73cfcf
+		int flags, struct options *opts)
73cfcf
+{
73cfcf
+	int i;
73cfcf
+	memset(opts, 0, sizeof(*opts));
73cfcf
+
73cfcf
+	opts->dir = FAILLOCK_DEFAULT_TALLYDIR;
73cfcf
+	opts->deny = 3;
73cfcf
+	opts->fail_interval = 900;
73cfcf
+	opts->unlock_time = 600;
73cfcf
+	opts->root_unlock_time = MAX_TIME_INTERVAL+1;
73cfcf
+
73cfcf
+	for (i = 0; i < argc; ++i) {
73cfcf
+
73cfcf
+		if (strncmp(argv[i], "dir=", 4) == 0) {
73cfcf
+			if (argv[i][4] != '/') {
73cfcf
+				pam_syslog(pamh, LOG_ERR,
73cfcf
+					"Tally directory is not absolute path (%s); keeping default", argv[i]);
73cfcf
+	        	} else {
73cfcf
+			        opts->dir = argv[i]+4;
73cfcf
+			}
73cfcf
+		} 
73cfcf
+		else if (strncmp(argv[i], "deny=", 5) == 0) {
73cfcf
+			if (sscanf(argv[i]+5, "%hu", &opts->deny) != 1) {
73cfcf
+				pam_syslog(pamh, LOG_ERR,
73cfcf
+					"Bad number supplied for deny argument");
73cfcf
+        		}
73cfcf
+		}
73cfcf
+		else if (strncmp(argv[i], "fail_interval=", 14) == 0) {
73cfcf
+			unsigned int temp;
73cfcf
+			if (sscanf(argv[i]+14, "%u", &temp) != 1 ||
73cfcf
+				temp > MAX_TIME_INTERVAL) {
73cfcf
+				pam_syslog(pamh, LOG_ERR,
73cfcf
+					"Bad number supplied for fail_interval argument");
73cfcf
+	        	} else {
73cfcf
+				opts->fail_interval = temp;
73cfcf
+			}
73cfcf
+		}
73cfcf
+		else if (strncmp(argv[i], "unlock_time=", 12) == 0) {
73cfcf
+			unsigned int temp;
73cfcf
+
73cfcf
+			if (strcmp(argv[i]+12, "never") == 0) {
73cfcf
+				opts->unlock_time = 0;
73cfcf
+			}
73cfcf
+			else if (sscanf(argv[i]+12, "%u", &temp) != 1 ||
73cfcf
+				temp > MAX_TIME_INTERVAL) {
73cfcf
+				pam_syslog(pamh, LOG_ERR,
73cfcf
+					"Bad number supplied for unlock_time argument");
73cfcf
+			}
73cfcf
+			else {
73cfcf
+				opts->unlock_time = temp;
73cfcf
+			}
73cfcf
+		}
73cfcf
+		else if (strncmp(argv[i], "root_unlock_time=", 17) == 0) {
73cfcf
+			unsigned int temp;
73cfcf
+
73cfcf
+			if (strcmp(argv[i]+17, "never") == 0) {
73cfcf
+				opts->root_unlock_time = 0;
73cfcf
+			}
73cfcf
+			else if (sscanf(argv[i]+17, "%u", &temp) != 1 ||
73cfcf
+				temp > MAX_TIME_INTERVAL) {
73cfcf
+				pam_syslog(pamh, LOG_ERR,
73cfcf
+					"Bad number supplied for root_unlock_time argument");
73cfcf
+			} else {
73cfcf
+				opts->root_unlock_time = temp;
73cfcf
+			}
73cfcf
+		}
73cfcf
+ 		else if (strcmp(argv[i], "preauth") == 0) {
73cfcf
+			opts->action = FAILLOCK_ACTION_PREAUTH;
73cfcf
+		}
73cfcf
+ 		else if (strcmp(argv[i], "authfail") == 0) {
73cfcf
+			opts->action = FAILLOCK_ACTION_AUTHFAIL;
73cfcf
+		}
73cfcf
+	 	else if (strcmp(argv[i], "authsucc") == 0) {
73cfcf
+			opts->action = FAILLOCK_ACTION_AUTHSUCC;
73cfcf
+		}
73cfcf
+	 	else if (strcmp(argv[i], "even_deny_root") == 0) {
73cfcf
+			opts->flags |= FAILLOCK_FLAG_DENY_ROOT;
73cfcf
+		}
73cfcf
+	 	else if (strcmp(argv[i], "audit") == 0) {
73cfcf
+			opts->flags |= FAILLOCK_FLAG_AUDIT;
73cfcf
+		}
73cfcf
+	 	else if (strcmp(argv[i], "silent") == 0) {
73cfcf
+			opts->flags |= FAILLOCK_FLAG_SILENT;
73cfcf
+		}
73cfcf
+	 	else if (strcmp(argv[i], "no_log_info") == 0) {
73cfcf
+			opts->flags |= FAILLOCK_FLAG_NO_LOG_INFO;
73cfcf
+		}
73cfcf
+		else {
73cfcf
+			pam_syslog(pamh, LOG_ERR, "Unknown option: %s", argv[i]);
73cfcf
+		}
73cfcf
+	}
73cfcf
+
73cfcf
+	if (opts->root_unlock_time == MAX_TIME_INTERVAL+1)
73cfcf
+		opts->root_unlock_time = opts->unlock_time;
73cfcf
+	if (flags & PAM_SILENT)
73cfcf
+		opts->flags |= FAILLOCK_FLAG_SILENT;
73cfcf
+}
73cfcf
+
73cfcf
+static int get_pam_user(pam_handle_t *pamh, struct options *opts)
73cfcf
+{
73cfcf
+	const char *user;
73cfcf
+	int rv;
73cfcf
+	struct passwd *pwd;
73cfcf
+
73cfcf
+	if ((rv=pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
73cfcf
+		return rv;
73cfcf
+	}
73cfcf
+
73cfcf
+	if (*user == '\0') {
73cfcf
+		return PAM_IGNORE;
73cfcf
+	}
73cfcf
+
73cfcf
+	if ((pwd=pam_modutil_getpwnam(pamh, user)) == NULL) {
73cfcf
+		if (opts->flags & FAILLOCK_FLAG_AUDIT) {
73cfcf
+			pam_syslog(pamh, LOG_ERR, "User unknown: %s", user);
73cfcf
+		}
73cfcf
+		else {
73cfcf
+			pam_syslog(pamh, LOG_ERR, "User unknown");
73cfcf
+		}
73cfcf
+		return PAM_IGNORE;
73cfcf
+	}
73cfcf
+	opts->user = user;
73cfcf
+	opts->uid = pwd->pw_uid;
73cfcf
+	return PAM_SUCCESS;
73cfcf
+}
73cfcf
+
73cfcf
+static int
73cfcf
+check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies, int *fd)
73cfcf
+{
73cfcf
+	int tfd;
73cfcf
+	unsigned int i;
73cfcf
+	uint64_t latest_time;
73cfcf
+	int failures;
73cfcf
+
73cfcf
+	opts->now = time(NULL);
73cfcf
+
73cfcf
+	tfd = open_tally(opts->dir, opts->user, opts->uid, 0);
73cfcf
+
73cfcf
+	*fd = tfd;
73cfcf
+
73cfcf
+	if (tfd == -1) {
73cfcf
+		if (errno == EACCES || errno == ENOENT) {
73cfcf
+			return PAM_SUCCESS;
73cfcf
+		}
73cfcf
+		pam_syslog(pamh, LOG_ERR, "Error opening the tally file for %s: %m", opts->user);
73cfcf
+		return PAM_SYSTEM_ERR;
73cfcf
+	}
73cfcf
+
73cfcf
+	if (read_tally(tfd, tallies) != 0) {
73cfcf
+		pam_syslog(pamh, LOG_ERR, "Error reading the tally file for %s: %m", opts->user);
73cfcf
+		return PAM_SYSTEM_ERR;
73cfcf
+	}
73cfcf
+
73cfcf
+	if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
73cfcf
+		return PAM_SUCCESS;
73cfcf
+	}
73cfcf
+
73cfcf
+	latest_time = 0;
73cfcf
+	for(i = 0; i < tallies->count; i++) {
73cfcf
+		if ((tallies->records[i].status & TALLY_STATUS_VALID) &&
73cfcf
+			tallies->records[i].time > latest_time)
73cfcf
+			latest_time = tallies->records[i].time;
73cfcf
+	}
73cfcf
+
73cfcf
+	opts->latest_time = latest_time;
73cfcf
+
73cfcf
+	failures = 0;
73cfcf
+	for(i = 0; i < tallies->count; i++) {
73cfcf
+		if ((tallies->records[i].status & TALLY_STATUS_VALID) &&
73cfcf
+			latest_time - tallies->records[i].time < opts->fail_interval) {
73cfcf
+			++failures;
73cfcf
+		}
73cfcf
+	}
73cfcf
+
73cfcf
+	opts->failures = failures;
73cfcf
+
73cfcf
+	if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
73cfcf
+		return PAM_SUCCESS;
73cfcf
+	}
73cfcf
+
73cfcf
+	if (opts->deny && failures >= opts->deny) {
73cfcf
+		if ((opts->uid && opts->unlock_time && latest_time + opts->unlock_time < opts->now) ||
73cfcf
+			(!opts->uid && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) {
73cfcf
+#ifdef HAVE_LIBAUDIT
73cfcf
+			if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */
73cfcf
+				char buf[64];
73cfcf
+				int audit_fd;
73cfcf
+				const void *rhost = NULL, *tty = NULL;
73cfcf
+
73cfcf
+				audit_fd = audit_open();
73cfcf
+				/* If there is an error & audit support is in the kernel report error */
73cfcf
+				if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT ||
73cfcf
+					errno == EAFNOSUPPORT))
73cfcf
+					return PAM_SYSTEM_ERR;
73cfcf
+
73cfcf
+				(void)pam_get_item(pamh, PAM_TTY, &tty);
73cfcf
+				(void)pam_get_item(pamh, PAM_RHOST, &rhost);
73cfcf
+				snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
73cfcf
+				audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
73cfcf
+					rhost, NULL, tty, 1);
73cfcf
+			}
73cfcf
+#endif
73cfcf
+			opts->flags |= FAILLOCK_FLAG_UNLOCKED;
73cfcf
+			return PAM_SUCCESS;
73cfcf
+		}
73cfcf
+		return PAM_AUTH_ERR;
73cfcf
+	}
73cfcf
+	return PAM_SUCCESS;
73cfcf
+}
73cfcf
+
73cfcf
+static void
73cfcf
+reset_tally(pam_handle_t *pamh, struct options *opts, int *fd)
73cfcf
+{
73cfcf
+	int rv;
73cfcf
+
73cfcf
+	if (*fd == -1) {
73cfcf
+		*fd = open_tally(opts->dir, opts->user, opts->uid, 1);
73cfcf
+	}
73cfcf
+	else {
73cfcf
+		while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR);
73cfcf
+		if (rv == -1) {
73cfcf
+			pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user);
73cfcf
+		}
73cfcf
+	}
73cfcf
+}
73cfcf
+
73cfcf
+static int
73cfcf
+write_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies, int *fd)
73cfcf
+{
73cfcf
+	struct tally *records;
73cfcf
+	unsigned int i;
73cfcf
+	int failures;
73cfcf
+	unsigned int oldest;
73cfcf
+	uint64_t oldtime;
73cfcf
+	const void *source = NULL;
73cfcf
+
73cfcf
+	if (*fd == -1) {
73cfcf
+		*fd = open_tally(opts->dir, opts->user, opts->uid, 1);
73cfcf
+	}
73cfcf
+	if (*fd == -1) {
73cfcf
+		if (errno == EACCES) {
73cfcf
+			return PAM_SUCCESS;
73cfcf
+		}
73cfcf
+		pam_syslog(pamh, LOG_ERR, "Error opening the tally file for %s: %m", opts->user);
73cfcf
+		return PAM_SYSTEM_ERR;
73cfcf
+	}
73cfcf
+
73cfcf
+	oldtime = 0;
73cfcf
+	oldest = 0;
73cfcf
+	failures = 0;
73cfcf
+
73cfcf
+	for (i = 0; i < tallies->count; ++i) {
73cfcf
+		if (tallies->records[i].time < oldtime) {
73cfcf
+			oldtime = tallies->records[i].time;
73cfcf
+			oldest = i;
73cfcf
+		}
73cfcf
+		if (opts->flags & FAILLOCK_FLAG_UNLOCKED ||
73cfcf
+			opts->now - tallies->records[i].time >= opts->fail_interval ) {
73cfcf
+			tallies->records[i].status &= ~TALLY_STATUS_VALID;
73cfcf
+		} else {
73cfcf
+			++failures;
73cfcf
+		}
73cfcf
+	}
73cfcf
+
73cfcf
+	if (oldest >= tallies->count || (tallies->records[oldest].status & TALLY_STATUS_VALID)) {
73cfcf
+		oldest = tallies->count;
73cfcf
+
73cfcf
+		if ((records=realloc(tallies->records, (oldest+1) * sizeof (*tallies->records))) == NULL) {
73cfcf
+			pam_syslog(pamh, LOG_CRIT, "Error allocating memory for tally records: %m");
73cfcf
+			return PAM_BUF_ERR;
73cfcf
+		}
73cfcf
+
73cfcf
+		++tallies->count;
73cfcf
+		tallies->records = records;
73cfcf
+	}
73cfcf
+
73cfcf
+	memset(&tallies->records[oldest], 0, sizeof (*tallies->records));
73cfcf
+
73cfcf
+	tallies->records[oldest].status = TALLY_STATUS_VALID;
73cfcf
+	if (pam_get_item(pamh, PAM_RHOST, &source) != PAM_SUCCESS || source == NULL) {
73cfcf
+		if (pam_get_item(pamh, PAM_TTY, &source) != PAM_SUCCESS || source == NULL) {
73cfcf
+			if (pam_get_item(pamh, PAM_SERVICE, &source) != PAM_SUCCESS || source == NULL) {
73cfcf
+				source = "";
73cfcf
+			}
73cfcf
+		}
73cfcf
+		else {
73cfcf
+			tallies->records[oldest].status |= TALLY_STATUS_TTY;
73cfcf
+		}
73cfcf
+	}
73cfcf
+	else {
73cfcf
+		tallies->records[oldest].status |= TALLY_STATUS_RHOST;
73cfcf
+	}
73cfcf
+
73cfcf
+	strncpy(tallies->records[oldest].source, source, sizeof(tallies->records[oldest].source));
73cfcf
+	/* source does not have to be null terminated */
73cfcf
+	
73cfcf
+	tallies->records[oldest].time = opts->now;
73cfcf
+
73cfcf
+	++failures;
73cfcf
+
73cfcf
+	if (opts->deny && failures == opts->deny) {
73cfcf
+#ifdef HAVE_LIBAUDIT
73cfcf
+		char buf[64];
73cfcf
+		int audit_fd;
73cfcf
+
73cfcf
+		audit_fd = audit_open();
73cfcf
+		/* If there is an error & audit support is in the kernel report error */
73cfcf
+		if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT ||
73cfcf
+			errno == EAFNOSUPPORT))
73cfcf
+			return PAM_SYSTEM_ERR;
73cfcf
+
73cfcf
+		snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
73cfcf
+		audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
73cfcf
+			NULL, NULL, NULL, 1);
73cfcf
+
73cfcf
+		if (opts->uid != 0 || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
73cfcf
+			audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf,
73cfcf
+				NULL, NULL, NULL, 1);
73cfcf
+		}
73cfcf
+		close(audit_fd);
73cfcf
+#endif
73cfcf
+		if (!(opts->flags & FAILLOCK_FLAG_NO_LOG_INFO)) {
73cfcf
+			pam_syslog(pamh, LOG_INFO, "Consecutive login failures for user %s account temporarily locked",
73cfcf
+				opts->user);
73cfcf
+		}
73cfcf
+	}
73cfcf
+
73cfcf
+	if (update_tally(*fd, tallies) == 0)
73cfcf
+		return PAM_SUCCESS;
73cfcf
+
73cfcf
+	return PAM_SYSTEM_ERR;
73cfcf
+}
73cfcf
+
73cfcf
+static void
73cfcf
+faillock_message(pam_handle_t *pamh, struct options *opts)
73cfcf
+{
73cfcf
+	int64_t left;
73cfcf
+
73cfcf
+	if (!(opts->flags & FAILLOCK_FLAG_SILENT)) {
73cfcf
+		if (opts->uid) {
73cfcf
+			left = opts->latest_time + opts->unlock_time - opts->now;
73cfcf
+		}
73cfcf
+		else {
73cfcf
+			left = opts->latest_time + opts->root_unlock_time - opts->now;
73cfcf
+		}
73cfcf
+
73cfcf
+		if (left > 0) {
73cfcf
+			left = (left + 59)/60; /* minutes */
73cfcf
+
73cfcf
+			pam_info(pamh, _("Account temporarily locked due to %d failed logins"),
73cfcf
+				opts->failures);
73cfcf
+			pam_info(pamh, _("(%d minutes left to unlock)"), (int)left);
73cfcf
+		}
73cfcf
+		else {
73cfcf
+			pam_info(pamh, _("Account locked due to %d failed logins"),
73cfcf
+				opts->failures);
73cfcf
+		}
73cfcf
+	}
73cfcf
+}
73cfcf
+
73cfcf
+static void
73cfcf
+tally_cleanup(struct tally_data *tallies, int fd)
73cfcf
+{
73cfcf
+	if (fd != -1) {
73cfcf
+		close(fd);
73cfcf
+	}
73cfcf
+
73cfcf
+	free(tallies->records);
73cfcf
+}
73cfcf
+
73cfcf
+/*---------------------------------------------------------------------*/
73cfcf
+
73cfcf
+PAM_EXTERN int
73cfcf
+pam_sm_authenticate(pam_handle_t *pamh, int flags,
73cfcf
+		    int argc, const char **argv)
73cfcf
+{
73cfcf
+	struct options opts;
73cfcf
+	int rv, fd = -1;
73cfcf
+	struct tally_data tallies;
73cfcf
+
73cfcf
+	memset(&tallies, 0, sizeof(tallies));
73cfcf
+
73cfcf
+	args_parse(pamh, argc, argv, flags, &opts);
73cfcf
+
73cfcf
+	pam_fail_delay(pamh, 2000000);	/* 2 sec delay for on failure */
73cfcf
+
73cfcf
+	if ((rv=get_pam_user(pamh, &opts)) != PAM_SUCCESS) {
73cfcf
+		return rv;
73cfcf
+	}
73cfcf
+
73cfcf
+	switch (opts.action) {
73cfcf
+		case FAILLOCK_ACTION_PREAUTH:
73cfcf
+			rv = check_tally(pamh, &opts, &tallies, &fd;;
73cfcf
+			if (rv == PAM_AUTH_ERR && !(opts.flags & FAILLOCK_FLAG_SILENT)) {
73cfcf
+				faillock_message(pamh, &opts);
73cfcf
+			}
73cfcf
+                        break;
73cfcf
+
73cfcf
+		case FAILLOCK_ACTION_AUTHSUCC:
73cfcf
+			rv = check_tally(pamh, &opts, &tallies, &fd;;
73cfcf
+			if (rv == PAM_SUCCESS) {
73cfcf
+				reset_tally(pamh, &opts, &fd;;
73cfcf
+			}
73cfcf
+                        break;
73cfcf
+
73cfcf
+		case FAILLOCK_ACTION_AUTHFAIL:
73cfcf
+			rv = check_tally(pamh, &opts, &tallies, &fd;;
73cfcf
+			if (rv == PAM_SUCCESS) {
73cfcf
+				rv = PAM_IGNORE; /* this return value should be ignored */
73cfcf
+				write_tally(pamh, &opts, &tallies, &fd;;
73cfcf
+			}
73cfcf
+			break;
73cfcf
+	}
73cfcf
+
73cfcf
+	tally_cleanup(&tallies, fd);
73cfcf
+
73cfcf
+	return rv;
73cfcf
+}
73cfcf
+
73cfcf
+/*---------------------------------------------------------------------*/
73cfcf
+
73cfcf
+PAM_EXTERN int
73cfcf
+pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED,
73cfcf
+	       int argc UNUSED, const char **argv UNUSED)
73cfcf
+{
73cfcf
+	return PAM_SUCCESS;
73cfcf
+}
73cfcf
+
73cfcf
+/*---------------------------------------------------------------------*/
73cfcf
+
73cfcf
+PAM_EXTERN int
73cfcf
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
73cfcf
+		 int argc, const char **argv)
73cfcf
+{
73cfcf
+	struct options opts;
73cfcf
+	int rv, fd = -1;
73cfcf
+	struct tally_data tallies;
73cfcf
+
73cfcf
+	memset(&tallies, 0, sizeof(tallies));
73cfcf
+
73cfcf
+	args_parse(pamh, argc, argv, flags, &opts);
73cfcf
+
73cfcf
+	opts.action = FAILLOCK_ACTION_AUTHSUCC;
73cfcf
+
73cfcf
+	if ((rv=get_pam_user(pamh, &opts)) != PAM_SUCCESS) {
73cfcf
+		return rv;
73cfcf
+	}
73cfcf
+
73cfcf
+	check_tally(pamh, &opts, &tallies, &fd;; /* for auditing */
73cfcf
+	reset_tally(pamh, &opts, &fd;;
73cfcf
+
73cfcf
+	tally_cleanup(&tallies, fd);
73cfcf
+
73cfcf
+	return PAM_SUCCESS;
73cfcf
+}
73cfcf
+
73cfcf
+/*-----------------------------------------------------------------------*/
73cfcf
+
73cfcf
+#ifdef PAM_STATIC
73cfcf
+
73cfcf
+/* static module data */
73cfcf
+
73cfcf
+struct pam_module _pam_faillock_modstruct = {
73cfcf
+     MODULE_NAME,
73cfcf
+#ifdef PAM_SM_AUTH
73cfcf
+     pam_sm_authenticate,
73cfcf
+     pam_sm_setcred,
73cfcf
+#else
73cfcf
+     NULL,
73cfcf
+     NULL,
73cfcf
+#endif
73cfcf
+#ifdef PAM_SM_ACCOUNT
73cfcf
+     pam_sm_acct_mgmt,
73cfcf
+#else
73cfcf
+     NULL,
73cfcf
+#endif
73cfcf
+     NULL,
73cfcf
+     NULL,
73cfcf
+     NULL,
73cfcf
+};
73cfcf
+
73cfcf
+#endif   /* #ifdef PAM_STATIC */
73cfcf
+
73cfcf
diff -up Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.8.xml
73cfcf
--- Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.8.xml.faillock	2016-04-04 16:37:38.696260359 +0200
73cfcf
+++ Linux-PAM-1.2.1/modules/pam_faillock/pam_faillock.8.xml	2016-04-28 17:09:04.679596165 +0200
73cfcf
@@ -0,0 +1,408 @@
73cfcf
+
73cfcf
+
73cfcf
+	"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
73cfcf
+
73cfcf
+<refentry id="pam_faillock">
73cfcf
+
73cfcf
+  <refmeta>
73cfcf
+    <refentrytitle>pam_faillock</refentrytitle>
73cfcf
+    <manvolnum>8</manvolnum>
73cfcf
+    <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
73cfcf
+  </refmeta>
73cfcf
+
73cfcf
+  <refnamediv id="pam_faillock-name">
73cfcf
+    <refname>pam_faillock</refname>
73cfcf
+    <refpurpose>Module counting authentication failures during a specified interval</refpurpose>
73cfcf
+  </refnamediv>
73cfcf
+
73cfcf
+  <refsynopsisdiv>
73cfcf
+    <cmdsynopsis id="pam_faillock-cmdsynopsisauth">
73cfcf
+      <command>auth ... pam_faillock.so</command>
73cfcf
+      <arg choice="req">
73cfcf
+        preauth|authfail|authsucc
73cfcf
+      </arg>
73cfcf
+      <arg choice="opt">
73cfcf
+        dir=<replaceable>/path/to/tally-directory</replaceable>
73cfcf
+      </arg>
73cfcf
+      <arg choice="opt">
73cfcf
+        even_deny_root
73cfcf
+      </arg>
73cfcf
+      <arg choice="opt">
73cfcf
+        deny=<replaceable>n</replaceable>
73cfcf
+      </arg>
73cfcf
+      <arg choice="opt">
73cfcf
+        fail_interval=<replaceable>n</replaceable>
73cfcf
+      </arg>
73cfcf
+      <arg choice="opt">
73cfcf
+        unlock_time=<replaceable>n</replaceable>
73cfcf
+      </arg>
73cfcf
+      <arg choice="opt">
73cfcf
+        root_unlock_time=<replaceable>n</replaceable>
73cfcf
+      </arg>
73cfcf
+      <arg choice="opt">
73cfcf
+        audit
73cfcf
+      </arg>
73cfcf
+      <arg choice="opt">
73cfcf
+        silent
73cfcf
+      </arg>
73cfcf
+      <arg choice="opt">
73cfcf
+        no_log_info
73cfcf
+      </arg>
73cfcf
+    </cmdsynopsis>
73cfcf
+    <cmdsynopsis id="pam_faillock-cmdsynopsisacct">
73cfcf
+      <command>account ... pam_faillock.so</command>
73cfcf
+      <arg choice="opt">
73cfcf
+        dir=<replaceable>/path/to/tally-directory</replaceable>
73cfcf
+      </arg>
73cfcf
+      <arg choice="opt">
73cfcf
+        no_log_info
73cfcf
+      </arg>
73cfcf
+    </cmdsynopsis>
73cfcf
+  </refsynopsisdiv>
73cfcf
+
73cfcf
+  <refsect1 id="pam_faillock-description">
73cfcf
+
73cfcf
+    <title>DESCRIPTION</title>
73cfcf
+
73cfcf
+    <para>
73cfcf
+      This module maintains a list of failed authentication attempts per
73cfcf
+      user during a specified interval and locks the account in case
73cfcf
+      there were more than <replaceable>deny</replaceable> consecutive
73cfcf
+      failed authentications.
73cfcf
+    </para>
73cfcf
+    <para>
73cfcf
+      Normally, failed attempts to authenticate <emphasis>root</emphasis> will
73cfcf
+      <emphasis remap='B'>not</emphasis> cause the root account to become
73cfcf
+      blocked, to prevent denial-of-service: if your users aren't given
73cfcf
+      shell accounts and root may only login via <command>su</command> or
73cfcf
+      at the machine console (not telnet/rsh, etc), this is safe.
73cfcf
+    </para>
73cfcf
+  </refsect1>
73cfcf
+
73cfcf
+  <refsect1 id="pam_faillock-options">
73cfcf
+
73cfcf
+    <title>OPTIONS</title>
73cfcf
+         <variablelist>
73cfcf
+            <varlistentry>
73cfcf
+              <term>
73cfcf
+                <option>{preauth|authfail|authsucc}</option>
73cfcf
+              </term>
73cfcf
+              <listitem>
73cfcf
+                <para>
73cfcf
+                  This argument must be set accordingly to the position of this module
73cfcf
+                  instance in the PAM stack.
73cfcf
+                </para>
73cfcf
+                <para>
73cfcf
+                  The <emphasis>preauth</emphasis> argument must be used when the module
73cfcf
+                  is called before the modules which ask for the user credentials such
73cfcf
+                  as the password. The module just examines whether the user should
73cfcf
+                  be blocked from accessing the service in case there were anomalous
73cfcf
+                  number of failed consecutive authentication attempts recently. This
73cfcf
+                  call is optional if <emphasis>authsucc</emphasis> is used.
73cfcf
+                </para>
73cfcf
+                <para>
73cfcf
+                  The <emphasis>authfail</emphasis> argument must be used when the module
73cfcf
+                  is called after the modules which determine the authentication outcome,
73cfcf
+                  failed. Unless the user is already blocked due to previous authentication
73cfcf
+                  failures, the module will record the failure into the appropriate user
73cfcf
+                  tally file.
73cfcf
+                </para>
73cfcf
+                <para>
73cfcf
+                  The <emphasis>authsucc</emphasis> argument must be used when the module
73cfcf
+                  is called after the modules which determine the authentication outcome,
73cfcf
+                  succeded. Unless the user is already blocked due to previous authentication
73cfcf
+                  failures, the module will then clear the record of the failures in the
73cfcf
+                  respective user tally file. Otherwise it will return authentication error.
73cfcf
+                  If this call is not done, the pam_faillock will not distinguish between
73cfcf
+                  consecutive and non-consecutive failed authentication attempts. The
73cfcf
+                  <emphasis>preauth</emphasis> call must be used in such case. Due to
73cfcf
+                  complications in the way the PAM stack can be configured it is also
73cfcf
+                  possible to call <emphasis>pam_faillock</emphasis> as an account module.
73cfcf
+                  In such configuration the module must be also called in the
73cfcf
+                  <emphasis>preauth</emphasis> stage.
73cfcf
+                </para>
73cfcf
+              </listitem>
73cfcf
+            </varlistentry>
73cfcf
+            <varlistentry>
73cfcf
+              <term>
73cfcf
+                <option>dir=<replaceable>/path/to/tally-directory</replaceable></option>
73cfcf
+              </term>
73cfcf
+              <listitem>
73cfcf
+                <para>
73cfcf
+                  The directory where the user files with the failure records are kept. The
73cfcf
+                  default is <filename>/var/run/faillock</filename>.
73cfcf
+                </para>
73cfcf
+              </listitem>
73cfcf
+            </varlistentry>
73cfcf
+            <varlistentry>
73cfcf
+              <term>
73cfcf
+                <option>audit</option>
73cfcf
+              </term>
73cfcf
+              <listitem>
73cfcf
+                <para>
73cfcf
+                  Will log the user name into the system log if the user is not found.
73cfcf
+                </para>
73cfcf
+              </listitem>
73cfcf
+            </varlistentry>
73cfcf
+            <varlistentry>
73cfcf
+              <term>
73cfcf
+                <option>silent</option>
73cfcf
+              </term>
73cfcf
+              <listitem>
73cfcf
+                <para>
73cfcf
+                  Don't print informative messages. This option is implicite
73cfcf
+                  in the <emphasis>authfail</emphasis> and <emphasis>authsucc</emphasis>
73cfcf
+                  functions.
73cfcf
+                </para>
73cfcf
+              </listitem>
73cfcf
+            </varlistentry>
73cfcf
+            <varlistentry>
73cfcf
+              <term>
73cfcf
+                <option>no_log_info</option>
73cfcf
+              </term>
73cfcf
+              <listitem>
73cfcf
+                <para>
73cfcf
+                  Don't log informative messages via <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
73cfcf
+                </para>
73cfcf
+              </listitem>
73cfcf
+            </varlistentry>
73cfcf
+            <varlistentry>
73cfcf
+              <term>
73cfcf
+                <option>deny=<replaceable>n</replaceable></option>
73cfcf
+              </term>
73cfcf
+              <listitem>
73cfcf
+                <para>
73cfcf
+                  Deny access if the number of consecutive authentication failures
73cfcf
+                  for this user during the recent interval exceeds
73cfcf
+                  <replaceable>n</replaceable>. The default is 3.
73cfcf
+                </para>
73cfcf
+              </listitem>
73cfcf
+            </varlistentry>
73cfcf
+            <varlistentry>
73cfcf
+              <term>
73cfcf
+                <option>fail_interval=<replaceable>n</replaceable></option>
73cfcf
+              </term>
73cfcf
+              <listitem>
73cfcf
+                <para>
73cfcf
+                  The length of the interval during which the consecutive
73cfcf
+                  authentication failures must happen for the user account
73cfcf
+                  lock out is <replaceable>n</replaceable> seconds.
73cfcf
+                  The default is 900 (15 minutes).
73cfcf
+                </para>
73cfcf
+              </listitem>
73cfcf
+            </varlistentry>
73cfcf
+            <varlistentry>
73cfcf
+              <term>
73cfcf
+                <option>unlock_time=<replaceable>n</replaceable></option>
73cfcf
+              </term>
73cfcf
+              <listitem>
73cfcf
+                <para>
73cfcf
+                  The access will be reenabled after
73cfcf
+                  <replaceable>n</replaceable> seconds after the lock out.
73cfcf
+                  The value 0 has the same meaning as value
73cfcf
+                  <emphasis>never</emphasis> - the access
73cfcf
+                  will not be reenabled without resetting the faillock
73cfcf
+                  entries by the <citerefentry><refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum></citerefentry> command.
73cfcf
+                  The default is 600 (10 minutes).
73cfcf
+                </para>
73cfcf
+                <para>
73cfcf
+                  Note that the default directory that <emphasis>pam_faillock</emphasis>
73cfcf
+                  uses is usually cleared on system boot so the access will be also reenabled
73cfcf
+                  after system reboot. If that is undesirable a different tally directory
73cfcf
+                  must be set with the <option>dir</option> option.
73cfcf
+                </para>
73cfcf
+                <para>
73cfcf
+                  Also note that it is usually undesirable to permanently lock
73cfcf
+                  out the users as they can become easily a target of denial of service
73cfcf
+                  attack unless the usernames are random and kept secret to potential
73cfcf
+                  attackers.
73cfcf
+                </para>
73cfcf
+              </listitem>
73cfcf
+            </varlistentry>
73cfcf
+            <varlistentry>
73cfcf
+              <term>
73cfcf
+                <option>even_deny_root</option>
73cfcf
+              </term>
73cfcf
+              <listitem>
73cfcf
+                <para>
73cfcf
+                  Root account can become locked as well as regular accounts.
73cfcf
+                </para>
73cfcf
+              </listitem>
73cfcf
+            </varlistentry>
73cfcf
+            <varlistentry>
73cfcf
+              <term>
73cfcf
+                <option>root_unlock_time=<replaceable>n</replaceable></option>
73cfcf
+              </term>
73cfcf
+              <listitem>
73cfcf
+                <para>
73cfcf
+                  This option implies <option>even_deny_root</option> option.
73cfcf
+                  Allow access after <replaceable>n</replaceable> seconds
73cfcf
+                  to root account after the account is locked. In case the
73cfcf
+                  option is not specified the value is the same as of the
73cfcf
+                  <option>unlock_time</option> option.
73cfcf
+                </para>
73cfcf
+              </listitem>
73cfcf
+            </varlistentry>
73cfcf
+        </variablelist>
73cfcf
+  </refsect1>
73cfcf
+
73cfcf
+  <refsect1 id="pam_faillock-types">
73cfcf
+    <title>MODULE TYPES PROVIDED</title>
73cfcf
+    <para>
73cfcf
+      The <option>auth</option> and <option>account</option> module types are
73cfcf
+      provided.
73cfcf
+    </para>
73cfcf
+  </refsect1>
73cfcf
+
73cfcf
+  <refsect1 id='pam_faillock-return_values'>
73cfcf
+    <title>RETURN VALUES</title>
73cfcf
+    <variablelist>
73cfcf
+      <varlistentry>
73cfcf
+        <term>PAM_AUTH_ERR</term>
73cfcf
+        <listitem>
73cfcf
+          <para>
73cfcf
+            A invalid option was given, the module was not able
73cfcf
+            to retrieve the user name, no valid counter file
73cfcf
+            was found, or too many failed logins.
73cfcf
+          </para>
73cfcf
+        </listitem>
73cfcf
+      </varlistentry>
73cfcf
+      <varlistentry>
73cfcf
+        <term>PAM_SUCCESS</term>
73cfcf
+        <listitem>
73cfcf
+          <para>
73cfcf
+            Everything was successful.
73cfcf
+          </para>
73cfcf
+        </listitem>
73cfcf
+      </varlistentry>
73cfcf
+      <varlistentry>
73cfcf
+        <term>PAM_IGNORE</term>
73cfcf
+        <listitem>
73cfcf
+          <para>
73cfcf
+            User not present in passwd database.
73cfcf
+          </para>
73cfcf
+        </listitem>
73cfcf
+      </varlistentry>
73cfcf
+    </variablelist>
73cfcf
+  </refsect1>
73cfcf
+
73cfcf
+  <refsect1 id='pam_faillock-notes'>
73cfcf
+    <title>NOTES</title>
73cfcf
+    <para>
73cfcf
+      <emphasis>pam_faillock</emphasis> setup in the PAM stack is different
73cfcf
+      from the <emphasis>pam_tally2</emphasis> module setup.
73cfcf
+    </para>
73cfcf
+    <para>
73cfcf
+      The individual files with the failure records are created as owned by
73cfcf
+      the user. This allows <emphasis remap='B'>pam_faillock.so</emphasis> module
73cfcf
+      to work correctly when it is called from a screensaver.
73cfcf
+    </para>
73cfcf
+    <para>
73cfcf
+      Note that using the module in <option>preauth</option> without the
73cfcf
+      <option>silent</option> option or with <emphasis>requisite</emphasis>
73cfcf
+      control field leaks an information about existence or
73cfcf
+      non-existence of an user account in the system because
73cfcf
+      the failures are not recorded for the unknown users. The message
73cfcf
+      about the user account being locked is never displayed for nonexisting
73cfcf
+      user accounts allowing the adversary to infer that a particular account
73cfcf
+      is not existing on a system.
73cfcf
+    </para>
73cfcf
+  </refsect1>
73cfcf
+
73cfcf
+  <refsect1 id='pam_faillock-examples'>
73cfcf
+    <title>EXAMPLES</title>
73cfcf
+    <para>
73cfcf
+      Here are two possible configuration examples for <filename>/etc/pam.d/login</filename>.
73cfcf
+      They make <emphasis>pam_faillock</emphasis> to lock the account after 4 consecutive
73cfcf
+      failed logins during the default interval of 15 minutes. Root account will be locked
73cfcf
+      as well. The accounts will be automatically unlocked after 20 minutes.
73cfcf
+    </para>
73cfcf
+    <para>
73cfcf
+      In the first example the module is called only in the <emphasis>auth</emphasis>
73cfcf
+      phase and the module does not print any information about the account blocking
73cfcf
+      by <emphasis>pam_faillock</emphasis>. The <emphasis>preauth</emphasis> call can
73cfcf
+      be added to tell the user that his login is blocked by the module and also to abort
73cfcf
+      the authentication without even asking for password in such case.
73cfcf
+    </para>
73cfcf
+    <programlisting>
73cfcf
+auth     required       pam_securetty.so
73cfcf
+auth     required       pam_env.so
73cfcf
+auth     required       pam_nologin.so
73cfcf
+# optionally call: auth requisite pam_faillock.so preauth deny=4 even_deny_root unlock_time=1200
73cfcf
+# to display the message about account being locked
73cfcf
+auth     [success=1 default=bad] pam_unix.so
73cfcf
+auth     [default=die]  pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200
73cfcf
+auth     sufficient     pam_faillock.so authsucc deny=4 even_deny_root unlock_time=1200
73cfcf
+auth     required       pam_deny.so
73cfcf
+account  required       pam_unix.so
73cfcf
+password required       pam_unix.so shadow
73cfcf
+session  required       pam_selinux.so close
73cfcf
+session  required       pam_loginuid.so
73cfcf
+session  required       pam_unix.so
73cfcf
+session  required       pam_selinux.so open
73cfcf
+    </programlisting>
73cfcf
+    <para>
73cfcf
+      In the second example the module is called both in the <emphasis>auth</emphasis>
73cfcf
+      and <emphasis>account</emphasis> phases and the module gives the authenticating
73cfcf
+      user message when the account is locked 
73cfcf
+    </para>
73cfcf
+    <programlisting>
73cfcf
+auth     required       pam_securetty.so
73cfcf
+auth     required       pam_env.so
73cfcf
+auth     required       pam_nologin.so
73cfcf
+auth     required       pam_faillock.so preauth silent deny=4 even_deny_root unlock_time=1200
73cfcf
+# optionally use requisite above if you do not want to prompt for the password
73cfcf
+# on locked accounts, possibly with removing the silent option as well
73cfcf
+auth     sufficient     pam_unix.so
73cfcf
+auth     [default=die]  pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200
73cfcf
+auth     required       pam_deny.so
73cfcf
+account  required       pam_faillock.so
73cfcf
+# if you drop the above call to pam_faillock.so the lock will be done also
73cfcf
+# on non-consecutive authentication failures
73cfcf
+account  required       pam_unix.so
73cfcf
+password required       pam_unix.so shadow
73cfcf
+session  required       pam_selinux.so close
73cfcf
+session  required       pam_loginuid.so
73cfcf
+session  required       pam_unix.so
73cfcf
+session  required       pam_selinux.so open
73cfcf
+    </programlisting>
73cfcf
+  </refsect1>
73cfcf
+
73cfcf
+  <refsect1 id="pam_faillock-files">
73cfcf
+    <title>FILES</title>
73cfcf
+    <variablelist>
73cfcf
+      <varlistentry>
73cfcf
+        <term><filename>/var/run/faillock/*</filename></term>
73cfcf
+        <listitem>
73cfcf
+          <para>the files logging the authentication failures for users</para>
73cfcf
+        </listitem>
73cfcf
+      </varlistentry>
73cfcf
+    </variablelist>
73cfcf
+  </refsect1>
73cfcf
+
73cfcf
+  <refsect1 id='pam_faillock-see_also'>
73cfcf
+    <title>SEE ALSO</title>
73cfcf
+    <para>
73cfcf
+      <citerefentry>
73cfcf
+        <refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum>
73cfcf
+      </citerefentry>,
73cfcf
+      <citerefentry>
73cfcf
+        <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
73cfcf
+      </citerefentry>,
73cfcf
+      <citerefentry>
73cfcf
+        <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
73cfcf
+      </citerefentry>,
73cfcf
+      <citerefentry>
73cfcf
+        <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
73cfcf
+      </citerefentry>
73cfcf
+    </para>
73cfcf
+  </refsect1>
73cfcf
+
73cfcf
+  <refsect1 id='pam_faillock-author'>
73cfcf
+    <title>AUTHOR</title>
73cfcf
+      <para>
73cfcf
+        pam_faillock was written by Tomas Mraz.
73cfcf
+      </para>
73cfcf
+  </refsect1>
73cfcf
+
73cfcf
+</refentry>
73cfcf
diff -up Linux-PAM-1.2.1/modules/pam_faillock/README.xml.faillock Linux-PAM-1.2.1/modules/pam_faillock/README.xml
73cfcf
--- Linux-PAM-1.2.1/modules/pam_faillock/README.xml.faillock	2015-06-25 10:42:21.483374875 +0200
73cfcf
+++ Linux-PAM-1.2.1/modules/pam_faillock/README.xml	2015-06-25 10:42:21.483374875 +0200
73cfcf
@@ -0,0 +1,46 @@
73cfcf
+
73cfcf
+
73cfcf
+"http://www.docbook.org/xml/4.3/docbookx.dtd"
73cfcf
+[
73cfcf
+
73cfcf
+
73cfcf
+-->
73cfcf
+]>
73cfcf
+
73cfcf
+<article>
73cfcf
+
73cfcf
+  <articleinfo>
73cfcf
+
73cfcf
+    <title>
73cfcf
+      
73cfcf
+      href="pam_faillock.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_faillock-name"]/*)'/>
73cfcf
+    </title>
73cfcf
+
73cfcf
+  </articleinfo>
73cfcf
+
73cfcf
+  <section>
73cfcf
+    
73cfcf
+      href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-description"]/*)'/>
73cfcf
+  </section>
73cfcf
+
73cfcf
+  <section>
73cfcf
+    
73cfcf
+      href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-options"]/*)'/>
73cfcf
+  </section>
73cfcf
+
73cfcf
+  <section>
73cfcf
+    
73cfcf
+      href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-notes"]/*)'/>
73cfcf
+  </section>
73cfcf
+
73cfcf
+  <section>
73cfcf
+    
73cfcf
+      href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-examples"]/*)'/>
73cfcf
+  </section>
73cfcf
+
73cfcf
+  <section>
73cfcf
+    
73cfcf
+      href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-author"]/*)'/>
73cfcf
+  </section>
73cfcf
+
73cfcf
+</article>
73cfcf
diff -up Linux-PAM-1.2.1/modules/pam_faillock/tst-pam_faillock.faillock Linux-PAM-1.2.1/modules/pam_faillock/tst-pam_faillock
73cfcf
--- Linux-PAM-1.2.1/modules/pam_faillock/tst-pam_faillock.faillock	2015-06-25 10:42:21.483374875 +0200
73cfcf
+++ Linux-PAM-1.2.1/modules/pam_faillock/tst-pam_faillock	2015-06-25 10:42:21.483374875 +0200
73cfcf
@@ -0,0 +1,2 @@
73cfcf
+#!/bin/sh
73cfcf
+../../tests/tst-dlopen .libs/pam_faillock.so