|
|
a46dbe |
diff -up Linux-PAM-1.3.1/modules/pam_faillock/faillock.c.faillock-update Linux-PAM-1.3.1/modules/pam_faillock/faillock.c
|
|
|
a46dbe |
--- Linux-PAM-1.3.1/modules/pam_faillock/faillock.c.faillock-update 2019-10-16 16:49:27.026893768 +0200
|
|
|
a46dbe |
+++ Linux-PAM-1.3.1/modules/pam_faillock/faillock.c 2019-12-16 17:55:27.042001068 +0100
|
|
|
a46dbe |
@@ -1,5 +1,6 @@
|
|
|
a46dbe |
/*
|
|
|
a46dbe |
* Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
|
|
|
a46dbe |
+ * Copyright (c) 2010, 2016, 2017 Red Hat, Inc.
|
|
|
a46dbe |
*
|
|
|
a46dbe |
* Redistribution and use in source and binary forms, with or without
|
|
|
a46dbe |
* modification, are permitted provided that the following conditions
|
|
|
a46dbe |
@@ -47,6 +48,8 @@
|
|
|
a46dbe |
|
|
|
a46dbe |
#include "faillock.h"
|
|
|
a46dbe |
|
|
|
a46dbe |
+#define ignore_return(x) if (1==((int)x)) {;}
|
|
|
a46dbe |
+
|
|
|
a46dbe |
int
|
|
|
a46dbe |
open_tally (const char *dir, const char *user, uid_t uid, int create)
|
|
|
a46dbe |
{
|
|
|
a46dbe |
@@ -54,7 +57,7 @@ open_tally (const char *dir, const char
|
|
|
a46dbe |
int flags = O_RDWR;
|
|
|
a46dbe |
int fd;
|
|
|
a46dbe |
|
|
|
a46dbe |
- if (strstr(user, "../") != NULL)
|
|
|
a46dbe |
+ if (dir == NULL || strstr(user, "../") != NULL)
|
|
|
a46dbe |
/* just a defensive programming as the user must be a
|
|
|
a46dbe |
* valid user on the system anyway
|
|
|
a46dbe |
*/
|
|
|
a46dbe |
@@ -83,7 +86,7 @@ open_tally (const char *dir, const char
|
|
|
a46dbe |
while (flock(fd, LOCK_EX) == -1 && errno == EINTR);
|
|
|
a46dbe |
if (fstat(fd, &st) == 0) {
|
|
|
a46dbe |
if (st.st_uid != uid) {
|
|
|
a46dbe |
- fchown(fd, uid, -1);
|
|
|
a46dbe |
+ ignore_return(fchown(fd, uid, -1));
|
|
|
a46dbe |
}
|
|
|
a46dbe |
}
|
|
|
a46dbe |
}
|
|
|
a46dbe |
@@ -121,7 +124,7 @@ read_tally(int fd, struct tally_data *ta
|
|
|
a46dbe |
if (count >= MAX_RECORDS)
|
|
|
a46dbe |
break;
|
|
|
a46dbe |
}
|
|
|
a46dbe |
- while (chunk == CHUNK_SIZE);
|
|
|
a46dbe |
+ while (chunk == CHUNK_SIZE);
|
|
|
a46dbe |
|
|
|
a46dbe |
tallies->records = data;
|
|
|
a46dbe |
tallies->count = count;
|
|
|
a46dbe |
diff -up Linux-PAM-1.3.1/modules/pam_faillock/faillock.conf.5.xml.faillock-update Linux-PAM-1.3.1/modules/pam_faillock/faillock.conf.5.xml
|
|
|
a46dbe |
--- Linux-PAM-1.3.1/modules/pam_faillock/faillock.conf.5.xml.faillock-update 2019-10-16 17:34:58.073276020 +0200
|
|
|
a46dbe |
+++ Linux-PAM-1.3.1/modules/pam_faillock/faillock.conf.5.xml 2019-10-16 16:26:05.000000000 +0200
|
|
|
a46dbe |
@@ -0,0 +1,243 @@
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+<refentry id="faillock.conf">
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+ <refmeta>
|
|
|
a46dbe |
+ <refentrytitle>faillock.conf</refentrytitle>
|
|
|
a46dbe |
+ <manvolnum>5</manvolnum>
|
|
|
a46dbe |
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
|
|
|
a46dbe |
+ </refmeta>
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+ <refnamediv id="faillock.conf-name">
|
|
|
a46dbe |
+ <refname>faillock.conf</refname>
|
|
|
a46dbe |
+ <refpurpose>pam_faillock configuration file</refpurpose>
|
|
|
a46dbe |
+ </refnamediv>
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+ <refsect1 id="faillock.conf-description">
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+ <title>DESCRIPTION</title>
|
|
|
a46dbe |
+ <para>
|
|
|
a46dbe |
+ <emphasis remap='B'>faillock.conf</emphasis> provides a way to configure the
|
|
|
a46dbe |
+ default settings for locking the user after multiple failed authentication attempts.
|
|
|
a46dbe |
+ This file is read by the <emphasis>pam_faillock</emphasis> module and is the
|
|
|
a46dbe |
+ preferred method over configuring <emphasis>pam_faillock</emphasis> directly.
|
|
|
a46dbe |
+ </para>
|
|
|
a46dbe |
+ <para>
|
|
|
a46dbe |
+ The file has a very simple <emphasis>name = value</emphasis> format with possible comments
|
|
|
a46dbe |
+ starting with <emphasis>#</emphasis> character. The whitespace at the beginning of line, end
|
|
|
a46dbe |
+ of line, and around the <emphasis>=</emphasis> sign is ignored.
|
|
|
a46dbe |
+ </para>
|
|
|
a46dbe |
+ </refsect1>
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+ <refsect1 id="faillock.conf-options">
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+ <title>OPTIONS</title>
|
|
|
a46dbe |
+ <variablelist>
|
|
|
a46dbe |
+ <varlistentry>
|
|
|
a46dbe |
+ <term>
|
|
|
a46dbe |
+ <option>dir=<replaceable>/path/to/tally-directory</replaceable></option>
|
|
|
a46dbe |
+ </term>
|
|
|
a46dbe |
+ <listitem>
|
|
|
a46dbe |
+ <para>
|
|
|
a46dbe |
+ The directory where the user files with the failure records are kept. The
|
|
|
a46dbe |
+ default is <filename>/var/run/faillock</filename>.
|
|
|
a46dbe |
+ </para>
|
|
|
a46dbe |
+ </listitem>
|
|
|
a46dbe |
+ </varlistentry>
|
|
|
a46dbe |
+ <varlistentry>
|
|
|
a46dbe |
+ <term>
|
|
|
a46dbe |
+ <option>audit</option>
|
|
|
a46dbe |
+ </term>
|
|
|
a46dbe |
+ <listitem>
|
|
|
a46dbe |
+ <para>
|
|
|
a46dbe |
+ Will log the user name into the system log if the user is not found.
|
|
|
a46dbe |
+ </para>
|
|
|
a46dbe |
+ </listitem>
|
|
|
a46dbe |
+ </varlistentry>
|
|
|
a46dbe |
+ <varlistentry>
|
|
|
a46dbe |
+ <term>
|
|
|
a46dbe |
+ <option>silent</option>
|
|
|
a46dbe |
+ </term>
|
|
|
a46dbe |
+ <listitem>
|
|
|
a46dbe |
+ <para>
|
|
|
a46dbe |
+ Don't print informative messages to the user. Please note that when
|
|
|
a46dbe |
+ this option is not used there will be difference in the authentication
|
|
|
a46dbe |
+ behavior for users which exist on the system and non-existing users.
|
|
|
a46dbe |
+ </para>
|
|
|
a46dbe |
+ </listitem>
|
|
|
a46dbe |
+ </varlistentry>
|
|
|
a46dbe |
+ <varlistentry>
|
|
|
a46dbe |
+ <term>
|
|
|
a46dbe |
+ <option>no_log_info</option>
|
|
|
a46dbe |
+ </term>
|
|
|
a46dbe |
+ <listitem>
|
|
|
a46dbe |
+ <para>
|
|
|
a46dbe |
+ Don't log informative messages via <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
|
|
|
a46dbe |
+ </para>
|
|
|
a46dbe |
+ </listitem>
|
|
|
a46dbe |
+ </varlistentry>
|
|
|
a46dbe |
+ <varlistentry>
|
|
|
a46dbe |
+ <term>
|
|
|
a46dbe |
+ <option>local_users_only</option>
|
|
|
a46dbe |
+ </term>
|
|
|
a46dbe |
+ <listitem>
|
|
|
a46dbe |
+ <para>
|
|
|
a46dbe |
+ Only track failed user authentications attempts for local users
|
|
|
a46dbe |
+ in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users.
|
|
|
a46dbe |
+ The <citerefentry><refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
|
|
a46dbe |
+ command will also no longer track user failed
|
|
|
a46dbe |
+ authentication attempts. Enabling this option will prevent a
|
|
|
a46dbe |
+ double-lockout scenario where a user is locked out locally and
|
|
|
a46dbe |
+ in the centralized mechanism.
|
|
|
a46dbe |
+ </para>
|
|
|
a46dbe |
+ </listitem>
|
|
|
a46dbe |
+ </varlistentry>
|
|
|
a46dbe |
+ <varlistentry>
|
|
|
a46dbe |
+ <term>
|
|
|
a46dbe |
+ <option>deny=<replaceable>n</replaceable></option>
|
|
|
a46dbe |
+ </term>
|
|
|
a46dbe |
+ <listitem>
|
|
|
a46dbe |
+ <para>
|
|
|
a46dbe |
+ Deny access if the number of consecutive authentication failures
|
|
|
a46dbe |
+ for this user during the recent interval exceeds
|
|
|
a46dbe |
+ <replaceable>n</replaceable>. The default is 3.
|
|
|
a46dbe |
+ </para>
|
|
|
a46dbe |
+ </listitem>
|
|
|
a46dbe |
+ </varlistentry>
|
|
|
a46dbe |
+ <varlistentry>
|
|
|
a46dbe |
+ <term>
|
|
|
a46dbe |
+ <option>fail_interval=<replaceable>n</replaceable></option>
|
|
|
a46dbe |
+ </term>
|
|
|
a46dbe |
+ <listitem>
|
|
|
a46dbe |
+ <para>
|
|
|
a46dbe |
+ The length of the interval during which the consecutive
|
|
|
a46dbe |
+ authentication failures must happen for the user account
|
|
|
a46dbe |
+ lock out is <replaceable>n</replaceable> seconds.
|
|
|
a46dbe |
+ The default is 900 (15 minutes).
|
|
|
a46dbe |
+ </para>
|
|
|
a46dbe |
+ </listitem>
|
|
|
a46dbe |
+ </varlistentry>
|
|
|
a46dbe |
+ <varlistentry>
|
|
|
a46dbe |
+ <term>
|
|
|
a46dbe |
+ <option>unlock_time=<replaceable>n</replaceable></option>
|
|
|
a46dbe |
+ </term>
|
|
|
a46dbe |
+ <listitem>
|
|
|
a46dbe |
+ <para>
|
|
|
a46dbe |
+ The access will be reenabled after
|
|
|
a46dbe |
+ <replaceable>n</replaceable> seconds after the lock out.
|
|
|
a46dbe |
+ The value 0 has the same meaning as value
|
|
|
a46dbe |
+ <emphasis>never</emphasis> - the access
|
|
|
a46dbe |
+ will not be reenabled without resetting the faillock
|
|
|
a46dbe |
+ entries by the <citerefentry><refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum></citerefentry> command.
|
|
|
a46dbe |
+ The default is 600 (10 minutes).
|
|
|
a46dbe |
+ </para>
|
|
|
a46dbe |
+ <para>
|
|
|
a46dbe |
+ Note that the default directory that <emphasis>pam_faillock</emphasis>
|
|
|
a46dbe |
+ uses is usually cleared on system boot so the access will be also reenabled
|
|
|
a46dbe |
+ after system reboot. If that is undesirable a different tally directory
|
|
|
a46dbe |
+ must be set with the <option>dir</option> option.
|
|
|
a46dbe |
+ </para>
|
|
|
a46dbe |
+ <para>
|
|
|
a46dbe |
+ Also note that it is usually undesirable to permanently lock
|
|
|
a46dbe |
+ out the users as they can become easily a target of denial of service
|
|
|
a46dbe |
+ attack unless the usernames are random and kept secret to potential
|
|
|
a46dbe |
+ attackers.
|
|
|
a46dbe |
+ </para>
|
|
|
a46dbe |
+ </listitem>
|
|
|
a46dbe |
+ </varlistentry>
|
|
|
a46dbe |
+ <varlistentry>
|
|
|
a46dbe |
+ <term>
|
|
|
a46dbe |
+ <option>even_deny_root</option>
|
|
|
a46dbe |
+ </term>
|
|
|
a46dbe |
+ <listitem>
|
|
|
a46dbe |
+ <para>
|
|
|
a46dbe |
+ Root account can become locked as well as regular accounts.
|
|
|
a46dbe |
+ </para>
|
|
|
a46dbe |
+ </listitem>
|
|
|
a46dbe |
+ </varlistentry>
|
|
|
a46dbe |
+ <varlistentry>
|
|
|
a46dbe |
+ <term>
|
|
|
a46dbe |
+ <option>root_unlock_time=<replaceable>n</replaceable></option>
|
|
|
a46dbe |
+ </term>
|
|
|
a46dbe |
+ <listitem>
|
|
|
a46dbe |
+ <para>
|
|
|
a46dbe |
+ This option implies <option>even_deny_root</option> option.
|
|
|
a46dbe |
+ Allow access after <replaceable>n</replaceable> seconds
|
|
|
a46dbe |
+ to root account after the account is locked. In case the
|
|
|
a46dbe |
+ option is not specified the value is the same as of the
|
|
|
a46dbe |
+ <option>unlock_time</option> option.
|
|
|
a46dbe |
+ </para>
|
|
|
a46dbe |
+ </listitem>
|
|
|
a46dbe |
+ </varlistentry>
|
|
|
a46dbe |
+ <varlistentry>
|
|
|
a46dbe |
+ <term>
|
|
|
a46dbe |
+ <option>admin_group=<replaceable>name</replaceable></option>
|
|
|
a46dbe |
+ </term>
|
|
|
a46dbe |
+ <listitem>
|
|
|
a46dbe |
+ <para>
|
|
|
a46dbe |
+ If a group name is specified with this option, members
|
|
|
a46dbe |
+ of the group will be handled by this module the same as
|
|
|
a46dbe |
+ the root account (the options <option>even_deny_root</option>
|
|
|
a46dbe |
+ and <option>root_unlock_time</option> will apply to them.
|
|
|
a46dbe |
+ By default the option is not set.
|
|
|
a46dbe |
+ </para>
|
|
|
a46dbe |
+ </listitem>
|
|
|
a46dbe |
+ </varlistentry>
|
|
|
a46dbe |
+ </variablelist>
|
|
|
a46dbe |
+ </refsect1>
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+ <refsect1 id='faillock.conf-examples'>
|
|
|
a46dbe |
+ <title>EXAMPLES</title>
|
|
|
a46dbe |
+ <para>
|
|
|
a46dbe |
+ /etc/security/faillock.conf file example:
|
|
|
a46dbe |
+ </para>
|
|
|
a46dbe |
+ <programlisting>
|
|
|
a46dbe |
+deny=4
|
|
|
a46dbe |
+unlock_time=1200
|
|
|
a46dbe |
+silent
|
|
|
a46dbe |
+ </programlisting>
|
|
|
a46dbe |
+ </refsect1>
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+ <refsect1 id="faillock.conf-files">
|
|
|
a46dbe |
+ <title>FILES</title>
|
|
|
a46dbe |
+ <variablelist>
|
|
|
a46dbe |
+ <varlistentry>
|
|
|
a46dbe |
+ <term><filename>/etc/security/faillock.conf</filename></term>
|
|
|
a46dbe |
+ <listitem>
|
|
|
a46dbe |
+ <para>the config file for custom options</para>
|
|
|
a46dbe |
+ </listitem>
|
|
|
a46dbe |
+ </varlistentry>
|
|
|
a46dbe |
+ </variablelist>
|
|
|
a46dbe |
+ </refsect1>
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+ <refsect1 id='faillock.conf-see_also'>
|
|
|
a46dbe |
+ <title>SEE ALSO</title>
|
|
|
a46dbe |
+ <para>
|
|
|
a46dbe |
+ <citerefentry>
|
|
|
a46dbe |
+ <refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum>
|
|
|
a46dbe |
+ </citerefentry>,
|
|
|
a46dbe |
+ <citerefentry>
|
|
|
a46dbe |
+ <refentrytitle>pam_faillock</refentrytitle><manvolnum>8</manvolnum>
|
|
|
a46dbe |
+ </citerefentry>,
|
|
|
a46dbe |
+ <citerefentry>
|
|
|
a46dbe |
+ <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
|
|
|
a46dbe |
+ </citerefentry>,
|
|
|
a46dbe |
+ <citerefentry>
|
|
|
a46dbe |
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
|
|
|
a46dbe |
+ </citerefentry>,
|
|
|
a46dbe |
+ <citerefentry>
|
|
|
a46dbe |
+ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
|
|
|
a46dbe |
+ </citerefentry>
|
|
|
a46dbe |
+ </para>
|
|
|
a46dbe |
+ </refsect1>
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+ <refsect1 id='faillock.conf-author'>
|
|
|
a46dbe |
+ <title>AUTHOR</title>
|
|
|
a46dbe |
+ <para>
|
|
|
a46dbe |
+ pam_faillock was written by Tomas Mraz. The support for faillock.conf was written by Brian Ward.
|
|
|
a46dbe |
+ </para>
|
|
|
a46dbe |
+ </refsect1>
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+</refentry>
|
|
|
a46dbe |
diff -up Linux-PAM-1.3.1/modules/pam_faillock/faillock.conf.faillock-update Linux-PAM-1.3.1/modules/pam_faillock/faillock.conf
|
|
|
a46dbe |
--- Linux-PAM-1.3.1/modules/pam_faillock/faillock.conf.faillock-update 2019-10-16 17:34:50.607405060 +0200
|
|
|
a46dbe |
+++ Linux-PAM-1.3.1/modules/pam_faillock/faillock.conf 2019-10-16 16:26:05.000000000 +0200
|
|
|
a46dbe |
@@ -0,0 +1,62 @@
|
|
|
a46dbe |
+# Configuration for locking the user after multiple failed
|
|
|
a46dbe |
+# authentication attempts.
|
|
|
a46dbe |
+#
|
|
|
a46dbe |
+# The directory where the user files with the failure records are kept.
|
|
|
a46dbe |
+# The default is /var/run/faillock.
|
|
|
a46dbe |
+# dir = /var/run/faillock
|
|
|
a46dbe |
+#
|
|
|
a46dbe |
+# Will log the user name into the system log if the user is not found.
|
|
|
a46dbe |
+# Enabled if option is present.
|
|
|
a46dbe |
+# audit
|
|
|
a46dbe |
+#
|
|
|
a46dbe |
+# Don't print informative messages.
|
|
|
a46dbe |
+# Enabled if option is present.
|
|
|
a46dbe |
+# silent
|
|
|
a46dbe |
+#
|
|
|
a46dbe |
+# Don't log informative messages via syslog.
|
|
|
a46dbe |
+# Enabled if option is present.
|
|
|
a46dbe |
+# no_log_info
|
|
|
a46dbe |
+#
|
|
|
a46dbe |
+# Only track failed user authentications attempts for local users
|
|
|
a46dbe |
+# in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users.
|
|
|
a46dbe |
+# The `faillock` command will also no longer track user failed
|
|
|
a46dbe |
+# authentication attempts. Enabling this option will prevent a
|
|
|
a46dbe |
+# double-lockout scenario where a user is locked out locally and
|
|
|
a46dbe |
+# in the centralized mechanism.
|
|
|
a46dbe |
+# Enabled if option is present.
|
|
|
a46dbe |
+# local_users_only
|
|
|
a46dbe |
+#
|
|
|
a46dbe |
+# Deny access if the number of consecutive authentication failures
|
|
|
a46dbe |
+# for this user during the recent interval exceeds n tries.
|
|
|
a46dbe |
+# The default is 3.
|
|
|
a46dbe |
+# deny = 3
|
|
|
a46dbe |
+#
|
|
|
a46dbe |
+# The length of the interval during which the consecutive
|
|
|
a46dbe |
+# authentication failures must happen for the user account
|
|
|
a46dbe |
+# lock out is <replaceable>n</replaceable> seconds.
|
|
|
a46dbe |
+# The default is 900 (15 minutes).
|
|
|
a46dbe |
+# fail_interval = 900
|
|
|
a46dbe |
+#
|
|
|
a46dbe |
+# The access will be reenabled after n seconds after the lock out.
|
|
|
a46dbe |
+# The value 0 has the same meaning as value `never` - the access
|
|
|
a46dbe |
+# will not be reenabled without resetting the faillock
|
|
|
a46dbe |
+# entries by the `faillock` command.
|
|
|
a46dbe |
+# The default is 600 (10 minutes).
|
|
|
a46dbe |
+# unlock_time = 600
|
|
|
a46dbe |
+#
|
|
|
a46dbe |
+# Root account can become locked as well as regular accounts.
|
|
|
a46dbe |
+# Enabled if option is present.
|
|
|
a46dbe |
+# even_deny_root
|
|
|
a46dbe |
+#
|
|
|
a46dbe |
+# This option implies the `even_deny_root` option.
|
|
|
a46dbe |
+# Allow access after n seconds to root account after the
|
|
|
a46dbe |
+# account is locked. In case the option is not specified
|
|
|
a46dbe |
+# the value is the same as of the `unlock_time` option.
|
|
|
a46dbe |
+# root_unlock_time = 900
|
|
|
a46dbe |
+#
|
|
|
a46dbe |
+# If a group name is specified with this option, members
|
|
|
a46dbe |
+# of the group will be handled by this module the same as
|
|
|
a46dbe |
+# the root account (the options `even_deny_root>` and
|
|
|
a46dbe |
+# `root_unlock_time` will apply to them.
|
|
|
a46dbe |
+# By default, the option is not set.
|
|
|
a46dbe |
+# admin_group = <admin_group_name>
|
|
|
a46dbe |
diff -up Linux-PAM-1.3.1/modules/pam_faillock/faillock.h.faillock-update Linux-PAM-1.3.1/modules/pam_faillock/faillock.h
|
|
|
a46dbe |
--- Linux-PAM-1.3.1/modules/pam_faillock/faillock.h.faillock-update 2019-10-16 16:49:27.026893768 +0200
|
|
|
a46dbe |
+++ Linux-PAM-1.3.1/modules/pam_faillock/faillock.h 2019-10-16 16:51:40.431628566 +0200
|
|
|
a46dbe |
@@ -65,6 +65,7 @@ struct tally_data {
|
|
|
a46dbe |
};
|
|
|
a46dbe |
|
|
|
a46dbe |
#define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock"
|
|
|
a46dbe |
+#define FAILLOCK_DEFAULT_CONF "/etc/security/faillock.conf"
|
|
|
a46dbe |
|
|
|
a46dbe |
int open_tally(const char *dir, const char *user, uid_t uid, int create);
|
|
|
a46dbe |
int read_tally(int fd, struct tally_data *tallies);
|
|
|
a46dbe |
diff -up Linux-PAM-1.3.1/modules/pam_faillock/Makefile.am.faillock-update Linux-PAM-1.3.1/modules/pam_faillock/Makefile.am
|
|
|
a46dbe |
--- Linux-PAM-1.3.1/modules/pam_faillock/Makefile.am.faillock-update 2019-10-16 16:49:27.026893768 +0200
|
|
|
a46dbe |
+++ Linux-PAM-1.3.1/modules/pam_faillock/Makefile.am 2019-10-16 16:50:15.065078080 +0200
|
|
|
a46dbe |
@@ -1,6 +1,6 @@
|
|
|
a46dbe |
#
|
|
|
a46dbe |
# Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk <kukuk@thkukuk.de>
|
|
|
a46dbe |
-# Copyright (c) 2008 Red Hat, Inc.
|
|
|
a46dbe |
+# Copyright (c) 2008, 2018 Red Hat, Inc.
|
|
|
a46dbe |
# Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
|
|
|
a46dbe |
#
|
|
|
a46dbe |
|
|
|
a46dbe |
@@ -9,8 +9,8 @@ MAINTAINERCLEANFILES = $(MANS) README
|
|
|
a46dbe |
|
|
|
a46dbe |
EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_faillock
|
|
|
a46dbe |
|
|
|
a46dbe |
-man_MANS = pam_faillock.8 faillock.8
|
|
|
a46dbe |
-XMLS = README.xml pam_faillock.8.xml faillock.8.xml
|
|
|
a46dbe |
+man_MANS = pam_faillock.8 faillock.8 faillock.conf.5
|
|
|
a46dbe |
+XMLS = README.xml pam_faillock.8.xml faillock.8.xml faillock.conf.5.xml
|
|
|
a46dbe |
|
|
|
a46dbe |
TESTS = tst-pam_faillock
|
|
|
a46dbe |
|
|
|
a46dbe |
@@ -31,6 +31,8 @@ endif
|
|
|
a46dbe |
faillock_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
|
|
|
a46dbe |
faillock_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT)
|
|
|
a46dbe |
|
|
|
a46dbe |
+secureconf_DATA = faillock.conf
|
|
|
a46dbe |
+
|
|
|
a46dbe |
securelib_LTLIBRARIES = pam_faillock.la
|
|
|
a46dbe |
sbin_PROGRAMS = faillock
|
|
|
a46dbe |
|
|
|
a46dbe |
diff -up Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.8.xml.faillock-update Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.8.xml
|
|
|
a46dbe |
--- Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.8.xml.faillock-update 2019-10-16 16:49:27.030893701 +0200
|
|
|
a46dbe |
+++ Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.8.xml 2019-10-16 16:53:39.544606052 +0200
|
|
|
a46dbe |
@@ -126,141 +126,13 @@
|
|
|
a46dbe |
</para>
|
|
|
a46dbe |
</listitem>
|
|
|
a46dbe |
</varlistentry>
|
|
|
a46dbe |
- <varlistentry>
|
|
|
a46dbe |
- <term>
|
|
|
a46dbe |
- <option>dir=<replaceable>/path/to/tally-directory</replaceable></option>
|
|
|
a46dbe |
- </term>
|
|
|
a46dbe |
- <listitem>
|
|
|
a46dbe |
- <para>
|
|
|
a46dbe |
- The directory where the user files with the failure records are kept. The
|
|
|
a46dbe |
- default is <filename>/var/run/faillock</filename>.
|
|
|
a46dbe |
- </para>
|
|
|
a46dbe |
- </listitem>
|
|
|
a46dbe |
- </varlistentry>
|
|
|
a46dbe |
- <varlistentry>
|
|
|
a46dbe |
- <term>
|
|
|
a46dbe |
- <option>audit</option>
|
|
|
a46dbe |
- </term>
|
|
|
a46dbe |
- <listitem>
|
|
|
a46dbe |
- <para>
|
|
|
a46dbe |
- Will log the user name into the system log if the user is not found.
|
|
|
a46dbe |
- </para>
|
|
|
a46dbe |
- </listitem>
|
|
|
a46dbe |
- </varlistentry>
|
|
|
a46dbe |
- <varlistentry>
|
|
|
a46dbe |
- <term>
|
|
|
a46dbe |
- <option>silent</option>
|
|
|
a46dbe |
- </term>
|
|
|
a46dbe |
- <listitem>
|
|
|
a46dbe |
- <para>
|
|
|
a46dbe |
- Don't print informative messages. This option is implicite
|
|
|
a46dbe |
- in the <emphasis>authfail</emphasis> and <emphasis>authsucc</emphasis>
|
|
|
a46dbe |
- functions.
|
|
|
a46dbe |
- </para>
|
|
|
a46dbe |
- </listitem>
|
|
|
a46dbe |
- </varlistentry>
|
|
|
a46dbe |
- <varlistentry>
|
|
|
a46dbe |
- <term>
|
|
|
a46dbe |
- <option>no_log_info</option>
|
|
|
a46dbe |
- </term>
|
|
|
a46dbe |
- <listitem>
|
|
|
a46dbe |
- <para>
|
|
|
a46dbe |
- Don't log informative messages via <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
|
|
|
a46dbe |
- </para>
|
|
|
a46dbe |
- </listitem>
|
|
|
a46dbe |
- </varlistentry>
|
|
|
a46dbe |
- <varlistentry>
|
|
|
a46dbe |
- <term>
|
|
|
a46dbe |
- <option>deny=<replaceable>n</replaceable></option>
|
|
|
a46dbe |
- </term>
|
|
|
a46dbe |
- <listitem>
|
|
|
a46dbe |
- <para>
|
|
|
a46dbe |
- Deny access if the number of consecutive authentication failures
|
|
|
a46dbe |
- for this user during the recent interval exceeds
|
|
|
a46dbe |
- <replaceable>n</replaceable>. The default is 3.
|
|
|
a46dbe |
- </para>
|
|
|
a46dbe |
- </listitem>
|
|
|
a46dbe |
- </varlistentry>
|
|
|
a46dbe |
- <varlistentry>
|
|
|
a46dbe |
- <term>
|
|
|
a46dbe |
- <option>fail_interval=<replaceable>n</replaceable></option>
|
|
|
a46dbe |
- </term>
|
|
|
a46dbe |
- <listitem>
|
|
|
a46dbe |
- <para>
|
|
|
a46dbe |
- The length of the interval during which the consecutive
|
|
|
a46dbe |
- authentication failures must happen for the user account
|
|
|
a46dbe |
- lock out is <replaceable>n</replaceable> seconds.
|
|
|
a46dbe |
- The default is 900 (15 minutes).
|
|
|
a46dbe |
- </para>
|
|
|
a46dbe |
- </listitem>
|
|
|
a46dbe |
- </varlistentry>
|
|
|
a46dbe |
- <varlistentry>
|
|
|
a46dbe |
- <term>
|
|
|
a46dbe |
- <option>unlock_time=<replaceable>n</replaceable></option>
|
|
|
a46dbe |
- </term>
|
|
|
a46dbe |
- <listitem>
|
|
|
a46dbe |
- <para>
|
|
|
a46dbe |
- The access will be reenabled after
|
|
|
a46dbe |
- <replaceable>n</replaceable> seconds after the lock out.
|
|
|
a46dbe |
- The value 0 has the same meaning as value
|
|
|
a46dbe |
- <emphasis>never</emphasis> - the access
|
|
|
a46dbe |
- will not be reenabled without resetting the faillock
|
|
|
a46dbe |
- entries by the <citerefentry><refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum></citerefentry> command.
|
|
|
a46dbe |
- The default is 600 (10 minutes).
|
|
|
a46dbe |
- </para>
|
|
|
a46dbe |
- <para>
|
|
|
a46dbe |
- Note that the default directory that <emphasis>pam_faillock</emphasis>
|
|
|
a46dbe |
- uses is usually cleared on system boot so the access will be also reenabled
|
|
|
a46dbe |
- after system reboot. If that is undesirable a different tally directory
|
|
|
a46dbe |
- must be set with the <option>dir</option> option.
|
|
|
a46dbe |
- </para>
|
|
|
a46dbe |
- <para>
|
|
|
a46dbe |
- Also note that it is usually undesirable to permanently lock
|
|
|
a46dbe |
- out the users as they can become easily a target of denial of service
|
|
|
a46dbe |
- attack unless the usernames are random and kept secret to potential
|
|
|
a46dbe |
- attackers.
|
|
|
a46dbe |
- </para>
|
|
|
a46dbe |
- </listitem>
|
|
|
a46dbe |
- </varlistentry>
|
|
|
a46dbe |
- <varlistentry>
|
|
|
a46dbe |
- <term>
|
|
|
a46dbe |
- <option>even_deny_root</option>
|
|
|
a46dbe |
- </term>
|
|
|
a46dbe |
- <listitem>
|
|
|
a46dbe |
- <para>
|
|
|
a46dbe |
- Root account can become locked as well as regular accounts.
|
|
|
a46dbe |
- </para>
|
|
|
a46dbe |
- </listitem>
|
|
|
a46dbe |
- </varlistentry>
|
|
|
a46dbe |
- <varlistentry>
|
|
|
a46dbe |
- <term>
|
|
|
a46dbe |
- <option>root_unlock_time=<replaceable>n</replaceable></option>
|
|
|
a46dbe |
- </term>
|
|
|
a46dbe |
- <listitem>
|
|
|
a46dbe |
- <para>
|
|
|
a46dbe |
- This option implies <option>even_deny_root</option> option.
|
|
|
a46dbe |
- Allow access after <replaceable>n</replaceable> seconds
|
|
|
a46dbe |
- to root account after the account is locked. In case the
|
|
|
a46dbe |
- option is not specified the value is the same as of the
|
|
|
a46dbe |
- <option>unlock_time</option> option.
|
|
|
a46dbe |
- </para>
|
|
|
a46dbe |
- </listitem>
|
|
|
a46dbe |
- </varlistentry>
|
|
|
a46dbe |
- <varlistentry>
|
|
|
a46dbe |
- <term>
|
|
|
a46dbe |
- <option>admin_group=<replaceable>name</replaceable></option>
|
|
|
a46dbe |
- </term>
|
|
|
a46dbe |
- <listitem>
|
|
|
a46dbe |
- <para>
|
|
|
a46dbe |
- If a group name is specified with this option, members
|
|
|
a46dbe |
- of the group will be handled by this module the same as
|
|
|
a46dbe |
- the root account (the options <option>even_deny_root></option>
|
|
|
a46dbe |
- and <option>root_unlock_time</option> will apply to them.
|
|
|
a46dbe |
- By default the option is not set.
|
|
|
a46dbe |
- </para>
|
|
|
a46dbe |
- </listitem>
|
|
|
a46dbe |
- </varlistentry>
|
|
|
a46dbe |
</variablelist>
|
|
|
a46dbe |
+ <para>
|
|
|
a46dbe |
+ The options for configuring the module behavior are described in the
|
|
|
a46dbe |
+ <citerefentry><refentrytitle>faillock.conf</refentrytitle><manvolnum>5</manvolnum>
|
|
|
a46dbe |
+ </citerefentry> manual page. The options specified on the module command
|
|
|
a46dbe |
+ line override the values from the configuration file.
|
|
|
a46dbe |
+ </para>
|
|
|
a46dbe |
</refsect1>
|
|
|
a46dbe |
|
|
|
a46dbe |
<refsect1 id="pam_faillock-types">
|
|
|
a46dbe |
@@ -306,19 +178,23 @@
|
|
|
a46dbe |
<refsect1 id='pam_faillock-notes'>
|
|
|
a46dbe |
<title>NOTES</title>
|
|
|
a46dbe |
<para>
|
|
|
a46dbe |
- <emphasis>pam_faillock</emphasis> setup in the PAM stack is different
|
|
|
a46dbe |
+ Configuring options on the module command line is not recommend. The
|
|
|
a46dbe |
+ <emphasis>/etc/security/faillock.conf</emphasis> should be used instead.
|
|
|
a46dbe |
+ </para>
|
|
|
a46dbe |
+ <para>
|
|
|
a46dbe |
+ The setup of <emphasis>pam_faillock</emphasis> in the PAM stack is different
|
|
|
a46dbe |
from the <emphasis>pam_tally2</emphasis> module setup.
|
|
|
a46dbe |
</para>
|
|
|
a46dbe |
<para>
|
|
|
a46dbe |
- The individual files with the failure records are created as owned by
|
|
|
a46dbe |
+ Individual files with the failure records are created as owned by
|
|
|
a46dbe |
the user. This allows <emphasis remap='B'>pam_faillock.so</emphasis> module
|
|
|
a46dbe |
to work correctly when it is called from a screensaver.
|
|
|
a46dbe |
</para>
|
|
|
a46dbe |
<para>
|
|
|
a46dbe |
Note that using the module in <option>preauth</option> without the
|
|
|
a46dbe |
- <option>silent</option> option or with <emphasis>requisite</emphasis>
|
|
|
a46dbe |
- control field leaks an information about existence or
|
|
|
a46dbe |
- non-existence of an user account in the system because
|
|
|
a46dbe |
+ <option>silent</option> option specified in <filename>/etc/security/faillock.conf</filename>
|
|
|
a46dbe |
+ or with <emphasis>requisite</emphasis> control field leaks an information about
|
|
|
a46dbe |
+ existence or non-existence of an user account in the system because
|
|
|
a46dbe |
the failures are not recorded for the unknown users. The message
|
|
|
a46dbe |
about the user account being locked is never displayed for nonexisting
|
|
|
a46dbe |
user accounts allowing the adversary to infer that a particular account
|
|
|
a46dbe |
@@ -341,15 +217,26 @@
|
|
|
a46dbe |
be added to tell the user that his login is blocked by the module and also to abort
|
|
|
a46dbe |
the authentication without even asking for password in such case.
|
|
|
a46dbe |
</para>
|
|
|
a46dbe |
+ <para>
|
|
|
a46dbe |
+ /etc/security/faillock.conf file example:
|
|
|
a46dbe |
+ </para>
|
|
|
a46dbe |
+ <programlisting>
|
|
|
a46dbe |
+deny=4
|
|
|
a46dbe |
+unlock_time=1200
|
|
|
a46dbe |
+silent
|
|
|
a46dbe |
+ </programlisting>
|
|
|
a46dbe |
+ <para>
|
|
|
a46dbe |
+ /etc/pam.d/config file example:
|
|
|
a46dbe |
+ </para>
|
|
|
a46dbe |
<programlisting>
|
|
|
a46dbe |
auth required pam_securetty.so
|
|
|
a46dbe |
auth required pam_env.so
|
|
|
a46dbe |
auth required pam_nologin.so
|
|
|
a46dbe |
-# optionally call: auth requisite pam_faillock.so preauth deny=4 even_deny_root unlock_time=1200
|
|
|
a46dbe |
+# optionally call: auth requisite pam_faillock.so preauth
|
|
|
a46dbe |
# to display the message about account being locked
|
|
|
a46dbe |
auth [success=1 default=bad] pam_unix.so
|
|
|
a46dbe |
-auth [default=die] pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200
|
|
|
a46dbe |
-auth sufficient pam_faillock.so authsucc deny=4 even_deny_root unlock_time=1200
|
|
|
a46dbe |
+auth [default=die] pam_faillock.so authfail
|
|
|
a46dbe |
+auth sufficient pam_faillock.so authsucc
|
|
|
a46dbe |
auth required pam_deny.so
|
|
|
a46dbe |
account required pam_unix.so
|
|
|
a46dbe |
password required pam_unix.so shadow
|
|
|
a46dbe |
@@ -361,17 +248,18 @@ session required pam_selinux.so o
|
|
|
a46dbe |
<para>
|
|
|
a46dbe |
In the second example the module is called both in the <emphasis>auth</emphasis>
|
|
|
a46dbe |
and <emphasis>account</emphasis> phases and the module gives the authenticating
|
|
|
a46dbe |
- user message when the account is locked
|
|
|
a46dbe |
+ user message when the account is locked if <option>silent</option> option is not
|
|
|
a46dbe |
+ specified in the <filename>faillock.conf</filename>.
|
|
|
a46dbe |
</para>
|
|
|
a46dbe |
<programlisting>
|
|
|
a46dbe |
auth required pam_securetty.so
|
|
|
a46dbe |
auth required pam_env.so
|
|
|
a46dbe |
auth required pam_nologin.so
|
|
|
a46dbe |
-auth required pam_faillock.so preauth silent deny=4 even_deny_root unlock_time=1200
|
|
|
a46dbe |
+auth required pam_faillock.so preauth
|
|
|
a46dbe |
# optionally use requisite above if you do not want to prompt for the password
|
|
|
a46dbe |
-# on locked accounts, possibly with removing the silent option as well
|
|
|
a46dbe |
+# on locked accounts
|
|
|
a46dbe |
auth sufficient pam_unix.so
|
|
|
a46dbe |
-auth [default=die] pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200
|
|
|
a46dbe |
+auth [default=die] pam_faillock.so authfail
|
|
|
a46dbe |
auth required pam_deny.so
|
|
|
a46dbe |
account required pam_faillock.so
|
|
|
a46dbe |
# if you drop the above call to pam_faillock.so the lock will be done also
|
|
|
a46dbe |
@@ -394,6 +282,12 @@ session required pam_selinux.so o
|
|
|
a46dbe |
<para>the files logging the authentication failures for users</para>
|
|
|
a46dbe |
</listitem>
|
|
|
a46dbe |
</varlistentry>
|
|
|
a46dbe |
+ <varlistentry>
|
|
|
a46dbe |
+ <term><filename>/etc/security/faillock.conf</filename></term>
|
|
|
a46dbe |
+ <listitem>
|
|
|
a46dbe |
+ <para>the config file for pam_faillock options</para>
|
|
|
a46dbe |
+ </listitem>
|
|
|
a46dbe |
+ </varlistentry>
|
|
|
a46dbe |
</variablelist>
|
|
|
a46dbe |
</refsect1>
|
|
|
a46dbe |
|
|
|
a46dbe |
@@ -404,6 +298,9 @@ session required pam_selinux.so o
|
|
|
a46dbe |
<refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum>
|
|
|
a46dbe |
</citerefentry>,
|
|
|
a46dbe |
<citerefentry>
|
|
|
a46dbe |
+ <refentrytitle>faillock.conf</refentrytitle><manvolnum>5</manvolnum>
|
|
|
a46dbe |
+ </citerefentry>,
|
|
|
a46dbe |
+ <citerefentry>
|
|
|
a46dbe |
<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
|
|
|
a46dbe |
</citerefentry>,
|
|
|
a46dbe |
<citerefentry>
|
|
|
a46dbe |
diff -up Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.c.faillock-update Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.c
|
|
|
a46dbe |
--- Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.c.faillock-update 2019-10-16 16:49:27.030893701 +0200
|
|
|
a46dbe |
+++ Linux-PAM-1.3.1/modules/pam_faillock/pam_faillock.c 2019-12-16 17:55:11.403270018 +0100
|
|
|
a46dbe |
@@ -1,5 +1,6 @@
|
|
|
a46dbe |
/*
|
|
|
a46dbe |
- * Copyright (c) 2010, 2017 Tomas Mraz <tmraz@redhat.com>
|
|
|
a46dbe |
+ * Copyright (c) 2010, 2017, 2019 Tomas Mraz <tmraz@redhat.com>
|
|
|
a46dbe |
+ * Copyright (c) 2010, 2017, 2019 Red Hat, Inc.
|
|
|
a46dbe |
*
|
|
|
a46dbe |
* Redistribution and use in source and binary forms, with or without
|
|
|
a46dbe |
* modification, are permitted provided that the following conditions
|
|
|
a46dbe |
@@ -43,6 +44,7 @@
|
|
|
a46dbe |
#include <time.h>
|
|
|
a46dbe |
#include <pwd.h>
|
|
|
a46dbe |
#include <syslog.h>
|
|
|
a46dbe |
+#include <ctype.h>
|
|
|
a46dbe |
|
|
|
a46dbe |
#ifdef HAVE_LIBAUDIT
|
|
|
a46dbe |
#include <libaudit.h>
|
|
|
a46dbe |
@@ -66,8 +68,14 @@
|
|
|
a46dbe |
#define FAILLOCK_FLAG_SILENT 0x4
|
|
|
a46dbe |
#define FAILLOCK_FLAG_NO_LOG_INFO 0x8
|
|
|
a46dbe |
#define FAILLOCK_FLAG_UNLOCKED 0x10
|
|
|
a46dbe |
+#define FAILLOCK_FLAG_LOCAL_ONLY 0x20
|
|
|
a46dbe |
|
|
|
a46dbe |
#define MAX_TIME_INTERVAL 604800 /* 7 days */
|
|
|
a46dbe |
+#define FAILLOCK_CONF_MAX_LINELEN 1023
|
|
|
a46dbe |
+#define FAILLOCK_ERROR_CONF_OPEN -3
|
|
|
a46dbe |
+#define FAILLOCK_ERROR_CONF_MALFORMED -4
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+#define PATH_PASSWD "/etc/passwd"
|
|
|
a46dbe |
|
|
|
a46dbe |
struct options {
|
|
|
a46dbe |
unsigned int action;
|
|
|
a46dbe |
@@ -76,117 +84,295 @@ struct options {
|
|
|
a46dbe |
unsigned int fail_interval;
|
|
|
a46dbe |
unsigned int unlock_time;
|
|
|
a46dbe |
unsigned int root_unlock_time;
|
|
|
a46dbe |
- const char *dir;
|
|
|
a46dbe |
+ char *dir;
|
|
|
a46dbe |
+ const char *conf;
|
|
|
a46dbe |
const char *user;
|
|
|
a46dbe |
- const char *admin_group;
|
|
|
a46dbe |
+ char *admin_group;
|
|
|
a46dbe |
int failures;
|
|
|
a46dbe |
uint64_t latest_time;
|
|
|
a46dbe |
uid_t uid;
|
|
|
a46dbe |
int is_admin;
|
|
|
a46dbe |
uint64_t now;
|
|
|
a46dbe |
+ int fatal_error;
|
|
|
a46dbe |
};
|
|
|
a46dbe |
|
|
|
a46dbe |
+int read_config_file(
|
|
|
a46dbe |
+ pam_handle_t *pamh,
|
|
|
a46dbe |
+ struct options *opts,
|
|
|
a46dbe |
+ const char *cfgfile
|
|
|
a46dbe |
+);
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+void set_conf_opt(
|
|
|
a46dbe |
+ pam_handle_t *pamh,
|
|
|
a46dbe |
+ struct options *opts,
|
|
|
a46dbe |
+ const char *name,
|
|
|
a46dbe |
+ const char *value
|
|
|
a46dbe |
+);
|
|
|
a46dbe |
+
|
|
|
a46dbe |
static void
|
|
|
a46dbe |
args_parse(pam_handle_t *pamh, int argc, const char **argv,
|
|
|
a46dbe |
int flags, struct options *opts)
|
|
|
a46dbe |
{
|
|
|
a46dbe |
int i;
|
|
|
a46dbe |
+ int rv;
|
|
|
a46dbe |
memset(opts, 0, sizeof(*opts));
|
|
|
a46dbe |
|
|
|
a46dbe |
- opts->dir = FAILLOCK_DEFAULT_TALLYDIR;
|
|
|
a46dbe |
+ opts->dir = strdup(FAILLOCK_DEFAULT_TALLYDIR);
|
|
|
a46dbe |
+ opts->conf = FAILLOCK_DEFAULT_CONF;
|
|
|
a46dbe |
opts->deny = 3;
|
|
|
a46dbe |
opts->fail_interval = 900;
|
|
|
a46dbe |
opts->unlock_time = 600;
|
|
|
a46dbe |
opts->root_unlock_time = MAX_TIME_INTERVAL+1;
|
|
|
a46dbe |
|
|
|
a46dbe |
- for (i = 0; i < argc; ++i) {
|
|
|
a46dbe |
+ if ((rv=read_config_file(pamh, opts, opts->conf)) != PAM_SUCCESS) {
|
|
|
a46dbe |
+ pam_syslog(pamh, LOG_DEBUG,
|
|
|
a46dbe |
+ "Configuration file missing");
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
|
|
|
a46dbe |
- if (strncmp(argv[i], "dir=", 4) == 0) {
|
|
|
a46dbe |
- if (argv[i][4] != '/') {
|
|
|
a46dbe |
- pam_syslog(pamh, LOG_ERR,
|
|
|
a46dbe |
- "Tally directory is not absolute path (%s); keeping default", argv[i]);
|
|
|
a46dbe |
- } else {
|
|
|
a46dbe |
- opts->dir = argv[i]+4;
|
|
|
a46dbe |
- }
|
|
|
a46dbe |
- }
|
|
|
a46dbe |
- else if (strncmp(argv[i], "deny=", 5) == 0) {
|
|
|
a46dbe |
- if (sscanf(argv[i]+5, "%hu", &opts->deny) != 1) {
|
|
|
a46dbe |
- pam_syslog(pamh, LOG_ERR,
|
|
|
a46dbe |
- "Bad number supplied for deny argument");
|
|
|
a46dbe |
- }
|
|
|
a46dbe |
- }
|
|
|
a46dbe |
- else if (strncmp(argv[i], "fail_interval=", 14) == 0) {
|
|
|
a46dbe |
- unsigned int temp;
|
|
|
a46dbe |
- if (sscanf(argv[i]+14, "%u", &temp) != 1 ||
|
|
|
a46dbe |
- temp > MAX_TIME_INTERVAL) {
|
|
|
a46dbe |
- pam_syslog(pamh, LOG_ERR,
|
|
|
a46dbe |
- "Bad number supplied for fail_interval argument");
|
|
|
a46dbe |
- } else {
|
|
|
a46dbe |
- opts->fail_interval = temp;
|
|
|
a46dbe |
- }
|
|
|
a46dbe |
+ for (i = 0; i < argc; ++i) {
|
|
|
a46dbe |
+ if (strcmp(argv[i], "preauth") == 0) {
|
|
|
a46dbe |
+ opts->action = FAILLOCK_ACTION_PREAUTH;
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
+ else if (strcmp(argv[i], "authfail") == 0) {
|
|
|
a46dbe |
+ opts->action = FAILLOCK_ACTION_AUTHFAIL;
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
+ else if (strcmp(argv[i], "authsucc") == 0) {
|
|
|
a46dbe |
+ opts->action = FAILLOCK_ACTION_AUTHSUCC;
|
|
|
a46dbe |
}
|
|
|
a46dbe |
- else if (strncmp(argv[i], "unlock_time=", 12) == 0) {
|
|
|
a46dbe |
- unsigned int temp;
|
|
|
a46dbe |
+ else {
|
|
|
a46dbe |
+ char buf[FAILLOCK_CONF_MAX_LINELEN + 1];
|
|
|
a46dbe |
+ char *val;
|
|
|
a46dbe |
|
|
|
a46dbe |
- if (strcmp(argv[i]+12, "never") == 0) {
|
|
|
a46dbe |
- opts->unlock_time = 0;
|
|
|
a46dbe |
- }
|
|
|
a46dbe |
- else if (sscanf(argv[i]+12, "%u", &temp) != 1 ||
|
|
|
a46dbe |
- temp > MAX_TIME_INTERVAL) {
|
|
|
a46dbe |
- pam_syslog(pamh, LOG_ERR,
|
|
|
a46dbe |
- "Bad number supplied for unlock_time argument");
|
|
|
a46dbe |
+ strncpy(buf, argv[i], sizeof(buf) - 1);
|
|
|
a46dbe |
+ buf[sizeof(buf) - 1] = '\0';
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+ val = strchr(buf, '=');
|
|
|
a46dbe |
+ if (val != NULL) {
|
|
|
a46dbe |
+ *val = '\0';
|
|
|
a46dbe |
+ ++val;
|
|
|
a46dbe |
}
|
|
|
a46dbe |
else {
|
|
|
a46dbe |
- opts->unlock_time = temp;
|
|
|
a46dbe |
+ val = buf + sizeof(buf) - 1;
|
|
|
a46dbe |
}
|
|
|
a46dbe |
+ set_conf_opt(pamh, opts, buf, val);
|
|
|
a46dbe |
}
|
|
|
a46dbe |
- else if (strncmp(argv[i], "root_unlock_time=", 17) == 0) {
|
|
|
a46dbe |
- unsigned int temp;
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
|
|
|
a46dbe |
- if (strcmp(argv[i]+17, "never") == 0) {
|
|
|
a46dbe |
- opts->root_unlock_time = 0;
|
|
|
a46dbe |
- }
|
|
|
a46dbe |
- else if (sscanf(argv[i]+17, "%u", &temp) != 1 ||
|
|
|
a46dbe |
- temp > MAX_TIME_INTERVAL) {
|
|
|
a46dbe |
- pam_syslog(pamh, LOG_ERR,
|
|
|
a46dbe |
- "Bad number supplied for root_unlock_time argument");
|
|
|
a46dbe |
+ if (opts->root_unlock_time == MAX_TIME_INTERVAL+1)
|
|
|
a46dbe |
+ opts->root_unlock_time = opts->unlock_time;
|
|
|
a46dbe |
+ if (flags & PAM_SILENT)
|
|
|
a46dbe |
+ opts->flags |= FAILLOCK_FLAG_SILENT;
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+ if (opts->dir == NULL) {
|
|
|
a46dbe |
+ pam_syslog(pamh, LOG_CRIT, "Error allocating memory: %m");
|
|
|
a46dbe |
+ opts->fatal_error = 1;
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
+}
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+/* parse a single configuration file */
|
|
|
a46dbe |
+int
|
|
|
a46dbe |
+read_config_file(pam_handle_t *pamh, struct options *opts, const char *cfgfile)
|
|
|
a46dbe |
+{
|
|
|
a46dbe |
+ FILE *f;
|
|
|
a46dbe |
+ char linebuf[FAILLOCK_CONF_MAX_LINELEN+1];
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+ f = fopen(cfgfile, "r");
|
|
|
a46dbe |
+ if (f == NULL) {
|
|
|
a46dbe |
+ /* ignore non-existent default config file */
|
|
|
a46dbe |
+ if (errno == ENOENT && strcmp(cfgfile, FAILLOCK_DEFAULT_CONF) == 0)
|
|
|
a46dbe |
+ return 0;
|
|
|
a46dbe |
+ return FAILLOCK_ERROR_CONF_OPEN;
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+ while (fgets(linebuf, sizeof(linebuf), f) != NULL) {
|
|
|
a46dbe |
+ size_t len;
|
|
|
a46dbe |
+ char *ptr;
|
|
|
a46dbe |
+ char *name;
|
|
|
a46dbe |
+ int eq;
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+ len = strlen(linebuf);
|
|
|
a46dbe |
+ /* len cannot be 0 unless there is a bug in fgets */
|
|
|
a46dbe |
+ if (len && linebuf[len - 1] != '\n' && !feof(f)) {
|
|
|
a46dbe |
+ (void) fclose(f);
|
|
|
a46dbe |
+ return FAILLOCK_ERROR_CONF_MALFORMED;
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+ if ((ptr=strchr(linebuf, '#')) != NULL) {
|
|
|
a46dbe |
+ *ptr = '\0';
|
|
|
a46dbe |
+ } else {
|
|
|
a46dbe |
+ ptr = linebuf + len;
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+ /* drop terminating whitespace including the \n */
|
|
|
a46dbe |
+ while (ptr > linebuf) {
|
|
|
a46dbe |
+ if (!isspace(*(ptr-1))) {
|
|
|
a46dbe |
+ *ptr = '\0';
|
|
|
a46dbe |
+ break;
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
+ --ptr;
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+ /* skip initial whitespace */
|
|
|
a46dbe |
+ for (ptr = linebuf; isspace(*ptr); ptr++);
|
|
|
a46dbe |
+ if (*ptr == '\0')
|
|
|
a46dbe |
+ continue;
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+ /* grab the key name */
|
|
|
a46dbe |
+ eq = 0;
|
|
|
a46dbe |
+ name = ptr;
|
|
|
a46dbe |
+ while (*ptr != '\0') {
|
|
|
a46dbe |
+ if (isspace(*ptr) || *ptr == '=') {
|
|
|
a46dbe |
+ eq = *ptr == '=';
|
|
|
a46dbe |
+ *ptr = '\0';
|
|
|
a46dbe |
+ ++ptr;
|
|
|
a46dbe |
+ break;
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
+ ++ptr;
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+ /* grab the key value */
|
|
|
a46dbe |
+ while (*ptr != '\0') {
|
|
|
a46dbe |
+ if (*ptr != '=' || eq) {
|
|
|
a46dbe |
+ if (!isspace(*ptr)) {
|
|
|
a46dbe |
+ break;
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
} else {
|
|
|
a46dbe |
- opts->root_unlock_time = temp;
|
|
|
a46dbe |
+ eq = 1;
|
|
|
a46dbe |
}
|
|
|
a46dbe |
+ ++ptr;
|
|
|
a46dbe |
}
|
|
|
a46dbe |
- else if (strncmp(argv[i], "admin_group=", 12) == 0) {
|
|
|
a46dbe |
- opts->admin_group = argv[i] + 12;
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+ /* set the key:value pair on opts */
|
|
|
a46dbe |
+ set_conf_opt(pamh, opts, name, ptr);
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+ (void)fclose(f);
|
|
|
a46dbe |
+ return PAM_SUCCESS;
|
|
|
a46dbe |
+}
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+void set_conf_opt(pam_handle_t *pamh, struct options *opts, const char *name, const char *value)
|
|
|
a46dbe |
+{
|
|
|
a46dbe |
+ if (strcmp(name, "dir") == 0) {
|
|
|
a46dbe |
+ if (value[0] != '/') {
|
|
|
a46dbe |
+ pam_syslog(pamh, LOG_ERR,
|
|
|
a46dbe |
+ "Tally directory is not absolute path (%s); keeping default", value);
|
|
|
a46dbe |
+ } else {
|
|
|
a46dbe |
+ free(opts->dir);
|
|
|
a46dbe |
+ opts->dir = strdup(value);
|
|
|
a46dbe |
}
|
|
|
a46dbe |
- else if (strcmp(argv[i], "preauth") == 0) {
|
|
|
a46dbe |
- opts->action = FAILLOCK_ACTION_PREAUTH;
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
+ else if (strcmp(name, "deny") == 0) {
|
|
|
a46dbe |
+ if (sscanf(value, "%hu", &opts->deny) != 1) {
|
|
|
a46dbe |
+ pam_syslog(pamh, LOG_ERR,
|
|
|
a46dbe |
+ "Bad number supplied for deny argument");
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
+ else if (strcmp(name, "fail_interval") == 0) {
|
|
|
a46dbe |
+ unsigned int temp;
|
|
|
a46dbe |
+ if (sscanf(value, "%u", &temp) != 1 ||
|
|
|
a46dbe |
+ temp > MAX_TIME_INTERVAL) {
|
|
|
a46dbe |
+ pam_syslog(pamh, LOG_ERR,
|
|
|
a46dbe |
+ "Bad number supplied for fail_interval argument");
|
|
|
a46dbe |
+ } else {
|
|
|
a46dbe |
+ opts->fail_interval = temp;
|
|
|
a46dbe |
}
|
|
|
a46dbe |
- else if (strcmp(argv[i], "authfail") == 0) {
|
|
|
a46dbe |
- opts->action = FAILLOCK_ACTION_AUTHFAIL;
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
+ else if (strcmp(name, "unlock_time") == 0) {
|
|
|
a46dbe |
+ unsigned int temp;
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+ if (strcmp(value, "never") == 0) {
|
|
|
a46dbe |
+ opts->unlock_time = 0;
|
|
|
a46dbe |
}
|
|
|
a46dbe |
- else if (strcmp(argv[i], "authsucc") == 0) {
|
|
|
a46dbe |
- opts->action = FAILLOCK_ACTION_AUTHSUCC;
|
|
|
a46dbe |
+ else if (sscanf(value, "%u", &temp) != 1 ||
|
|
|
a46dbe |
+ temp > MAX_TIME_INTERVAL) {
|
|
|
a46dbe |
+ pam_syslog(pamh, LOG_ERR,
|
|
|
a46dbe |
+ "Bad number supplied for unlock_time argument");
|
|
|
a46dbe |
}
|
|
|
a46dbe |
- else if (strcmp(argv[i], "even_deny_root") == 0) {
|
|
|
a46dbe |
- opts->flags |= FAILLOCK_FLAG_DENY_ROOT;
|
|
|
a46dbe |
+ else {
|
|
|
a46dbe |
+ opts->unlock_time = temp;
|
|
|
a46dbe |
}
|
|
|
a46dbe |
- else if (strcmp(argv[i], "audit") == 0) {
|
|
|
a46dbe |
- opts->flags |= FAILLOCK_FLAG_AUDIT;
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
+ else if (strcmp(name, "root_unlock_time") == 0) {
|
|
|
a46dbe |
+ unsigned int temp;
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+ if (strcmp(value, "never") == 0) {
|
|
|
a46dbe |
+ opts->root_unlock_time = 0;
|
|
|
a46dbe |
}
|
|
|
a46dbe |
- else if (strcmp(argv[i], "silent") == 0) {
|
|
|
a46dbe |
- opts->flags |= FAILLOCK_FLAG_SILENT;
|
|
|
a46dbe |
+ else if (sscanf(value, "%u", &temp) != 1 ||
|
|
|
a46dbe |
+ temp > MAX_TIME_INTERVAL) {
|
|
|
a46dbe |
+ pam_syslog(pamh, LOG_ERR,
|
|
|
a46dbe |
+ "Bad number supplied for root_unlock_time argument");
|
|
|
a46dbe |
+ } else {
|
|
|
a46dbe |
+ opts->root_unlock_time = temp;
|
|
|
a46dbe |
}
|
|
|
a46dbe |
- else if (strcmp(argv[i], "no_log_info") == 0) {
|
|
|
a46dbe |
- opts->flags |= FAILLOCK_FLAG_NO_LOG_INFO;
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
+ else if (strcmp(name, "admin_group") == 0) {
|
|
|
a46dbe |
+ free(opts->admin_group);
|
|
|
a46dbe |
+ opts->admin_group = strdup(value);
|
|
|
a46dbe |
+ if (opts->admin_group == NULL) {
|
|
|
a46dbe |
+ opts->fatal_error = 1;
|
|
|
a46dbe |
+ pam_syslog(pamh, LOG_CRIT, "Error allocating memory: %m");
|
|
|
a46dbe |
}
|
|
|
a46dbe |
- else {
|
|
|
a46dbe |
- pam_syslog(pamh, LOG_ERR, "Unknown option: %s", argv[i]);
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
+ else if (strcmp(name, "even_deny_root") == 0) {
|
|
|
a46dbe |
+ opts->flags |= FAILLOCK_FLAG_DENY_ROOT;
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
+ else if (strcmp(name, "audit") == 0) {
|
|
|
a46dbe |
+ opts->flags |= FAILLOCK_FLAG_AUDIT;
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
+ else if (strcmp(name, "silent") == 0) {
|
|
|
a46dbe |
+ opts->flags |= FAILLOCK_FLAG_SILENT;
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
+ else if (strcmp(name, "no_log_info") == 0) {
|
|
|
a46dbe |
+ opts->flags |= FAILLOCK_FLAG_NO_LOG_INFO;
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
+ else if (strcmp(name, "local_users_only") == 0) {
|
|
|
a46dbe |
+ opts->flags |= FAILLOCK_FLAG_LOCAL_ONLY;
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
+ else {
|
|
|
a46dbe |
+ pam_syslog(pamh, LOG_ERR, "Unknown option: %s", name);
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
+}
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+static int check_local_user (pam_handle_t *pamh, const char *user)
|
|
|
a46dbe |
+{
|
|
|
a46dbe |
+ struct passwd pw, *pwp;
|
|
|
a46dbe |
+ char buf[4096];
|
|
|
a46dbe |
+ int found = 0;
|
|
|
a46dbe |
+ FILE *fp;
|
|
|
a46dbe |
+ int errn;
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+ fp = fopen(PATH_PASSWD, "r");
|
|
|
a46dbe |
+ if (fp == NULL) {
|
|
|
a46dbe |
+ pam_syslog(pamh, LOG_ERR, "unable to open %s: %m",
|
|
|
a46dbe |
+ PATH_PASSWD);
|
|
|
a46dbe |
+ return -1;
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+ for (;;) {
|
|
|
a46dbe |
+ errn = fgetpwent_r(fp, &pw, buf, sizeof (buf), &pwp);
|
|
|
a46dbe |
+ if (errn == ERANGE) {
|
|
|
a46dbe |
+ pam_syslog(pamh, LOG_WARNING, "%s contains very long lines; corrupted?",
|
|
|
a46dbe |
+ PATH_PASSWD);
|
|
|
a46dbe |
+ /* we can continue here as next call will read further */
|
|
|
a46dbe |
+ continue;
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
+ if (errn != 0)
|
|
|
a46dbe |
+ break;
|
|
|
a46dbe |
+ if (strcmp(pwp->pw_name, user) == 0) {
|
|
|
a46dbe |
+ found = 1;
|
|
|
a46dbe |
+ break;
|
|
|
a46dbe |
}
|
|
|
a46dbe |
}
|
|
|
a46dbe |
|
|
|
a46dbe |
- if (opts->root_unlock_time == MAX_TIME_INTERVAL+1)
|
|
|
a46dbe |
- opts->root_unlock_time = opts->unlock_time;
|
|
|
a46dbe |
- if (flags & PAM_SILENT)
|
|
|
a46dbe |
- opts->flags |= FAILLOCK_FLAG_SILENT;
|
|
|
a46dbe |
+ fclose (fp);
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+ if (errn != 0 && errn != ENOENT) {
|
|
|
a46dbe |
+ pam_syslog(pamh, LOG_ERR, "unable to enumerate local accounts: %m");
|
|
|
a46dbe |
+ return -1;
|
|
|
a46dbe |
+ } else {
|
|
|
a46dbe |
+ return found;
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
}
|
|
|
a46dbe |
|
|
|
a46dbe |
static int get_pam_user(pam_handle_t *pamh, struct options *opts)
|
|
|
a46dbe |
@@ -393,7 +579,7 @@ write_tally(pam_handle_t *pamh, struct o
|
|
|
a46dbe |
|
|
|
a46dbe |
strncpy(tallies->records[oldest].source, source, sizeof(tallies->records[oldest].source));
|
|
|
a46dbe |
/* source does not have to be null terminated */
|
|
|
a46dbe |
-
|
|
|
a46dbe |
+
|
|
|
a46dbe |
tallies->records[oldest].time = opts->now;
|
|
|
a46dbe |
|
|
|
a46dbe |
++failures;
|
|
|
a46dbe |
@@ -468,6 +654,13 @@ tally_cleanup(struct tally_data *tallies
|
|
|
a46dbe |
free(tallies->records);
|
|
|
a46dbe |
}
|
|
|
a46dbe |
|
|
|
a46dbe |
+static void
|
|
|
a46dbe |
+opts_cleanup(struct options *opts)
|
|
|
a46dbe |
+{
|
|
|
a46dbe |
+ free(opts->dir);
|
|
|
a46dbe |
+ free(opts->admin_group);
|
|
|
a46dbe |
+}
|
|
|
a46dbe |
+
|
|
|
a46dbe |
/*---------------------------------------------------------------------*/
|
|
|
a46dbe |
|
|
|
a46dbe |
PAM_EXTERN int
|
|
|
a46dbe |
@@ -481,39 +674,49 @@ pam_sm_authenticate(pam_handle_t *pamh,
|
|
|
a46dbe |
memset(&tallies, 0, sizeof(tallies));
|
|
|
a46dbe |
|
|
|
a46dbe |
args_parse(pamh, argc, argv, flags, &opts);
|
|
|
a46dbe |
+ if (opts.fatal_error) {
|
|
|
a46dbe |
+ rv = PAM_BUF_ERR;
|
|
|
a46dbe |
+ goto err;
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
|
|
|
a46dbe |
pam_fail_delay(pamh, 2000000); /* 2 sec delay for on failure */
|
|
|
a46dbe |
|
|
|
a46dbe |
if ((rv=get_pam_user(pamh, &opts)) != PAM_SUCCESS) {
|
|
|
a46dbe |
- return rv;
|
|
|
a46dbe |
+ goto err;
|
|
|
a46dbe |
}
|
|
|
a46dbe |
|
|
|
a46dbe |
- switch (opts.action) {
|
|
|
a46dbe |
- case FAILLOCK_ACTION_PREAUTH:
|
|
|
a46dbe |
- rv = check_tally(pamh, &opts, &tallies, &fd;;
|
|
|
a46dbe |
- if (rv == PAM_AUTH_ERR && !(opts.flags & FAILLOCK_FLAG_SILENT)) {
|
|
|
a46dbe |
- faillock_message(pamh, &opts);
|
|
|
a46dbe |
- }
|
|
|
a46dbe |
- break;
|
|
|
a46dbe |
-
|
|
|
a46dbe |
- case FAILLOCK_ACTION_AUTHSUCC:
|
|
|
a46dbe |
- rv = check_tally(pamh, &opts, &tallies, &fd;;
|
|
|
a46dbe |
- if (rv == PAM_SUCCESS) {
|
|
|
a46dbe |
- reset_tally(pamh, &opts, &fd;;
|
|
|
a46dbe |
- }
|
|
|
a46dbe |
- break;
|
|
|
a46dbe |
-
|
|
|
a46dbe |
- case FAILLOCK_ACTION_AUTHFAIL:
|
|
|
a46dbe |
- rv = check_tally(pamh, &opts, &tallies, &fd;;
|
|
|
a46dbe |
- if (rv == PAM_SUCCESS) {
|
|
|
a46dbe |
- rv = PAM_IGNORE; /* this return value should be ignored */
|
|
|
a46dbe |
- write_tally(pamh, &opts, &tallies, &fd;;
|
|
|
a46dbe |
- }
|
|
|
a46dbe |
- break;
|
|
|
a46dbe |
+ if (!(opts.flags & FAILLOCK_FLAG_LOCAL_ONLY) ||
|
|
|
a46dbe |
+ check_local_user (pamh, opts.user) != 0) {
|
|
|
a46dbe |
+ switch (opts.action) {
|
|
|
a46dbe |
+ case FAILLOCK_ACTION_PREAUTH:
|
|
|
a46dbe |
+ rv = check_tally(pamh, &opts, &tallies, &fd;;
|
|
|
a46dbe |
+ if (rv == PAM_AUTH_ERR && !(opts.flags & FAILLOCK_FLAG_SILENT)) {
|
|
|
a46dbe |
+ faillock_message(pamh, &opts);
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
+ break;
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+ case FAILLOCK_ACTION_AUTHSUCC:
|
|
|
a46dbe |
+ rv = check_tally(pamh, &opts, &tallies, &fd;;
|
|
|
a46dbe |
+ if (rv == PAM_SUCCESS) {
|
|
|
a46dbe |
+ reset_tally(pamh, &opts, &fd;;
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
+ break;
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+ case FAILLOCK_ACTION_AUTHFAIL:
|
|
|
a46dbe |
+ rv = check_tally(pamh, &opts, &tallies, &fd;;
|
|
|
a46dbe |
+ if (rv == PAM_SUCCESS) {
|
|
|
a46dbe |
+ rv = PAM_IGNORE; /* this return value should be ignored */
|
|
|
a46dbe |
+ write_tally(pamh, &opts, &tallies, &fd;;
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
+ break;
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
}
|
|
|
a46dbe |
|
|
|
a46dbe |
tally_cleanup(&tallies, fd);
|
|
|
a46dbe |
|
|
|
a46dbe |
+err:
|
|
|
a46dbe |
+ opts_cleanup(&opts);
|
|
|
a46dbe |
+
|
|
|
a46dbe |
return rv;
|
|
|
a46dbe |
}
|
|
|
a46dbe |
|
|
|
a46dbe |
@@ -540,18 +743,29 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int
|
|
|
a46dbe |
|
|
|
a46dbe |
args_parse(pamh, argc, argv, flags, &opts);
|
|
|
a46dbe |
|
|
|
a46dbe |
+ if (opts.fatal_error) {
|
|
|
a46dbe |
+ rv = PAM_BUF_ERR;
|
|
|
a46dbe |
+ goto err;
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
+
|
|
|
a46dbe |
opts.action = FAILLOCK_ACTION_AUTHSUCC;
|
|
|
a46dbe |
|
|
|
a46dbe |
if ((rv=get_pam_user(pamh, &opts)) != PAM_SUCCESS) {
|
|
|
a46dbe |
- return rv;
|
|
|
a46dbe |
+ goto err;
|
|
|
a46dbe |
}
|
|
|
a46dbe |
|
|
|
a46dbe |
- check_tally(pamh, &opts, &tallies, &fd;; /* for auditing */
|
|
|
a46dbe |
- reset_tally(pamh, &opts, &fd;;
|
|
|
a46dbe |
+ if (!(opts.flags & FAILLOCK_FLAG_LOCAL_ONLY) ||
|
|
|
a46dbe |
+ check_local_user (pamh, opts.user) != 0) {
|
|
|
a46dbe |
+ check_tally(pamh, &opts, &tallies, &fd;; /* for auditing */
|
|
|
a46dbe |
+ reset_tally(pamh, &opts, &fd;;
|
|
|
a46dbe |
+ }
|
|
|
a46dbe |
|
|
|
a46dbe |
tally_cleanup(&tallies, fd);
|
|
|
a46dbe |
|
|
|
a46dbe |
- return PAM_SUCCESS;
|
|
|
a46dbe |
+err:
|
|
|
a46dbe |
+ opts_cleanup(&opts);
|
|
|
a46dbe |
+
|
|
|
a46dbe |
+ return rv;
|
|
|
a46dbe |
}
|
|
|
a46dbe |
|
|
|
a46dbe |
/*-----------------------------------------------------------------------*/
|