[pam] - add pam_faillock module implementing temporary account lock out based on authentication failures
Tomáš Mráz
tmraz at fedoraproject.org
Fri Sep 17 16:12:28 UTC 2010
commit b1302cff9c8a6dc9d265c57df5ada93005b20629
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date: Fri Sep 17 18:12:22 2010 +0200
- add pam_faillock module implementing temporary account lock out based
on authentication failures during a specified interval
- upgrade to new upstream release
pam-1.1.1-faillock.patch | 1694 ++++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 1694 insertions(+), 0 deletions(-)
---
diff --git a/pam-1.1.1-faillock.patch b/pam-1.1.1-faillock.patch
new file mode 100644
index 0000000..b8f35a3
--- /dev/null
+++ b/pam-1.1.1-faillock.patch
@@ -0,0 +1,1694 @@
+diff -up Linux-PAM-1.1.1/configure.in.faillock Linux-PAM-1.1.1/configure.in
+--- Linux-PAM-1.1.1/configure.in.faillock 2010-09-17 15:58:41.000000000 +0200
++++ Linux-PAM-1.1.1/configure.in 2010-09-17 15:58:41.000000000 +0200
+@@ -539,7 +539,7 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
+ modules/pam_access/Makefile modules/pam_cracklib/Makefile \
+ modules/pam_debug/Makefile modules/pam_deny/Makefile \
+ modules/pam_echo/Makefile modules/pam_env/Makefile \
+- modules/pam_faildelay/Makefile \
++ modules/pam_faildelay/Makefile modules/pam_faillock/Makefile \
+ modules/pam_filter/Makefile modules/pam_filter/upperLOWER/Makefile \
+ modules/pam_ftp/Makefile modules/pam_group/Makefile \
+ modules/pam_issue/Makefile modules/pam_keyinit/Makefile \
+diff -up Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock Linux-PAM-1.1.1/doc/sag/pam_faillock.xml
+--- Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock 2010-09-17 16:05:56.000000000 +0200
++++ Linux-PAM-1.1.1/doc/sag/pam_faillock.xml 2010-09-17 16:08:26.000000000 +0200
+@@ -0,0 +1,38 @@
++<?xml version='1.0' encoding='UTF-8'?>
++<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
++ "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
++<section id='sag-pam_faillock'>
++ <title>pam_faillock - temporarily locking access based on failed authentication attempts during an interval</title>
++ <cmdsynopsis>
++ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
++ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_faillock-cmdsynopsisauth"]/*)'/>
++ </cmdsynopsis>
++ <cmdsynopsis>
++ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
++ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_faillock-cmdsynopsisacct"]/*)'/>
++ </cmdsynopsis>
++ <section id='sag-pam_faillock-description'>
++ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
++ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-description"]/*)'/>
++ </section>
++ <section id='sag-pam_faillock-options'>
++ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
++ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-options"]/*)'/>
++ </section>
++ <section id='sag-pam_faillock-types'>
++ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
++ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-types"]/*)'/>
++ </section>
++ <section id='sag-pam_faillock-return_values'>
++ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
++ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-return_values"]/*)'/>
++ </section>
++ <section id='sag-pam_faillock-examples'>
++ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
++ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-examples"]/*)'/>
++ </section>
++ <section id='sag-pam_faillock-author'>
++ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
++ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-author"]/*)'/>
++ </section>
++</section>
+diff -up Linux-PAM-1.1.1/modules/Makefile.am.faillock Linux-PAM-1.1.1/modules/Makefile.am
+--- Linux-PAM-1.1.1/modules/Makefile.am.faillock 2010-09-17 15:58:41.000000000 +0200
++++ Linux-PAM-1.1.1/modules/Makefile.am 2010-09-17 15:58:41.000000000 +0200
+@@ -3,7 +3,7 @@
+ #
+
+ SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \
+- pam_chroot pam_console pam_postgresok \
++ pam_chroot pam_console pam_postgresok pam_faillock \
+ pam_env pam_exec pam_faildelay pam_filter pam_ftp \
+ pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
+ pam_listfile pam_localuser pam_loginuid pam_mail \
+diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.c
+--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock 2010-09-17 15:58:41.000000000 +0200
++++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.c 2010-09-17 15:58:41.000000000 +0200
+@@ -0,0 +1,142 @@
++/*
++ * Copyright (c) 2010 Tomas Mraz <tmraz at redhat.com>
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, and the entire permission notice in its entirety,
++ * including the disclaimer of warranties.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. The name of the author may not be used to endorse or promote
++ * products derived from this software without specific prior
++ * written permission.
++ *
++ * ALTERNATIVELY, this product may be distributed under the terms of
++ * the GNU Public License, in which case the provisions of the GPL are
++ * required INSTEAD OF the above restrictions. (This clause is
++ * necessary due to a potential bad interaction between the GPL and
++ * the restrictions contained in a BSD-style copyright.)
++ *
++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
++ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#include "config.h"
++#include <string.h>
++#include <stdlib.h>
++#include <unistd.h>
++#include <errno.h>
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <sys/file.h>
++#include <fcntl.h>
++#include <security/pam_modutil.h>
++
++#include "faillock.h"
++
++int
++open_tally (const char *dir, const char *user, int create)
++{
++ char *path;
++ int flags = O_RDWR;
++ int fd;
++
++ path = malloc(strlen(dir) + strlen(user) + 2);
++ if (path == NULL)
++ return -1;
++
++ strcpy(path, dir);
++ if (*dir && dir[strlen(dir) - 1] != '/') {
++ strcat(path, "/");
++ }
++ strcat(path, user);
++
++ if (create) {
++ flags |= O_CREAT;
++ }
++
++ fd = open(path, flags, 0600);
++
++ if (fd != -1)
++ while (flock(fd, LOCK_EX) == -1 && errno == EINTR);
++
++ return fd;
++}
++
++#define CHUNK_SIZE (64 * sizeof(struct tally))
++#define MAX_RECORDS 1024
++
++int
++read_tally(int fd, struct tally_data *tallies)
++{
++ void *data = NULL, *newdata;
++ unsigned int count = 0;
++ ssize_t chunk = 0;
++
++ do {
++ newdata = realloc(data, count * sizeof(struct tally) + CHUNK_SIZE);
++ if (newdata == NULL) {
++ free(data);
++ return -1;
++ }
++
++ data = newdata;
++
++ chunk = pam_modutil_read(fd, (char *)data + count * sizeof(struct tally), CHUNK_SIZE);
++ if (chunk < 0) {
++ free(data);
++ return -1;
++ }
++
++ count += chunk/sizeof(struct tally);
++
++ if (count >= MAX_RECORDS)
++ break;
++ }
++ while (chunk == CHUNK_SIZE);
++
++ tallies->records = data;
++ tallies->count = count;
++
++ return 0;
++}
++
++int
++update_tally(int fd, struct tally_data *tallies)
++{
++ void *data = tallies->records;
++ unsigned int count = tallies->count;
++ ssize_t chunk;
++
++ if (tallies->count > MAX_RECORDS) {
++ data = tallies->records + (count - MAX_RECORDS);
++ count = MAX_RECORDS;
++ }
++
++ if (lseek(fd, 0, SEEK_SET) == (off_t)-1) {
++ return -1;
++ }
++
++ chunk = pam_modutil_write(fd, data, count * sizeof(struct tally));
++
++ if (chunk != (ssize_t)(count * sizeof(struct tally))) {
++ return -1;
++ }
++
++ if (ftruncate(fd, count * sizeof(struct tally)) == -1)
++ return -1;
++
++ return 0;
++}
+diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.h
+--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock 2010-09-17 15:58:41.000000000 +0200
++++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.h 2010-09-17 15:58:41.000000000 +0200
+@@ -0,0 +1,72 @@
++/*
++ * Copyright (c) 2010 Tomas Mraz <tmraz at redhat.com>
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, and the entire permission notice in its entirety,
++ * including the disclaimer of warranties.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. The name of the author may not be used to endorse or promote
++ * products derived from this software without specific prior
++ * written permission.
++ *
++ * ALTERNATIVELY, this product may be distributed under the terms of
++ * the GNU Public License, in which case the provisions of the GPL are
++ * required INSTEAD OF the above restrictions. (This clause is
++ * necessary due to a potential bad interaction between the GPL and
++ * the restrictions contained in a BSD-style copyright.)
++ *
++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
++ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++/*
++ * faillock.h - authentication failure data file record structure
++ *
++ * Each record in the file represents an instance of login failure of
++ * the user at the recorded time
++ */
++
++
++#ifndef _FAILLOCK_H
++#define _FAILLOCK_H
++
++#include <stdint.h>
++
++#define TALLY_STATUS_VALID 0x1 /* the tally file entry is valid */
++#define TALLY_STATUS_RHOST 0x2 /* the source is rhost */
++#define TALLY_STATUS_TTY 0x4 /* the source is tty - if both TALLY_FLAG_RHOST and TALLY_FLAG_TTY are not set the source is service */
++
++struct tally {
++ char source[52]; /* rhost or tty of the login failure (not necessarily NULL terminated) */
++ uint16_t reserved; /* reserved for future use */
++ uint16_t status; /* record status */
++ uint64_t time; /* time of the login failure */
++};
++/* 64 bytes per entry */
++
++struct tally_data {
++ struct tally *records; /* array of tallies */
++ unsigned int count; /* number of records */
++};
++
++#define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock"
++
++int open_tally(const char *dir, const char *user, int create);
++int read_tally(int fd, struct tally_data *tallies);
++int update_tally(int fd, struct tally_data *tallies);
++#endif
++
+diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml
+--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock 2010-09-17 15:58:41.000000000 +0200
++++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml 2010-09-17 15:58:41.000000000 +0200
+@@ -0,0 +1,123 @@
++<?xml version="1.0" encoding='UTF-8'?>
++<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
++ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
++
++<refentry id="faillock">
++
++ <refmeta>
++ <refentrytitle>faillock</refentrytitle>
++ <manvolnum>8</manvolnum>
++ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
++ </refmeta>
++
++ <refnamediv id="pam_faillock-name">
++ <refname>faillock</refname>
++ <refpurpose>Tool for displaying and modifying the authentication failure record files</refpurpose>
++ </refnamediv>
++
++ <refsynopsisdiv>
++ <cmdsynopsis id="faillock-cmdsynopsis">
++ <command>faillock</command>
++ <arg choice="opt">
++ --dir <replaceable>/path/to/tally-directory</replaceable>
++ </arg>
++ <arg choice="opt">
++ --user <replaceable>username</replaceable>
++ </arg>
++ <arg choice="opt">
++ --reset
++ </arg>
++ </cmdsynopsis>
++ </refsynopsisdiv>
++
++ <refsect1 id="faillock-description">
++
++ <title>DESCRIPTION</title>
++
++ <para>
++ The <emphasis>pam_faillock.so</emphasis> module maintains a list of
++ failed authentication attempts per user during a specified interval
++ and locks the account in case there were more than
++ <replaceable>deny</replaceable> consecutive failed authentications.
++ It stores the failure records into per-user files in the tally
++ directory.
++ </para>
++ <para>
++ The <command>faillock</command> command is an application which
++ can be used to examine and modify the contents of the
++ the tally files. It can display the recent failed authentication
++ attempts of the <replaceable>username</replaceable> or clear the tally
++ files of all or individual <replaceable>usernames</replaceable>.
++ </para>
++ </refsect1>
++
++ <refsect1 id="faillock-options">
++
++ <title>OPTIONS</title>
++ <variablelist>
++ <varlistentry>
++ <term>
++ <option>--dir <replaceable>/path/to/tally-directory</replaceable></option>
++ </term>
++ <listitem>
++ <para>
++ The directory where the user files with the failure records are kept. The
++ default is <filename>/var/run/faillock</filename>.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>--user <replaceable>username</replaceable></option>
++ </term>
++ <listitem>
++ <para>
++ The user whose failure records should be displayed or cleared.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>--reset</option>
++ </term>
++ <listitem>
++ <para>
++ Instead of displaying the user's failure records, clear them.
++ </para>
++ </listitem>
++ </varlistentry>
++ </variablelist>
++ </refsect1>
++
++ <refsect1 id="faillock-files">
++ <title>FILES</title>
++ <variablelist>
++ <varlistentry>
++ <term><filename>/var/run/faillock/*</filename></term>
++ <listitem>
++ <para>the files logging the authentication failures for users</para>
++ </listitem>
++ </varlistentry>
++ </variablelist>
++ </refsect1>
++
++ <refsect1 id='faillock-see_also'>
++ <title>SEE ALSO</title>
++ <para>
++ <citerefentry>
++ <refentrytitle>pam_faillock</refentrytitle><manvolnum>8</manvolnum>
++ </citerefentry>,
++ <citerefentry>
++ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ </citerefentry>
++ </para>
++ </refsect1>
++
++ <refsect1 id='faillock-author'>
++ <title>AUTHOR</title>
++ <para>
++ faillock was written by Tomas Mraz.
++ </para>
++ </refsect1>
++
++</refentry>
+diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/main.c
+--- Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock 2010-09-17 15:58:41.000000000 +0200
++++ Linux-PAM-1.1.1/modules/pam_faillock/main.c 2010-09-17 15:58:41.000000000 +0200
+@@ -0,0 +1,231 @@
++/*
++ * Copyright (c) 2010 Tomas Mraz <tmraz at redhat.com>
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, and the entire permission notice in its entirety,
++ * including the disclaimer of warranties.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. The name of the author may not be used to endorse or promote
++ * products derived from this software without specific prior
++ * written permission.
++ *
++ * ALTERNATIVELY, this product may be distributed under the terms of
++ * the GNU Public License, in which case the provisions of the GPL are
++ * required INSTEAD OF the above restrictions. (This clause is
++ * necessary due to a potential bad interaction between the GPL and
++ * the restrictions contained in a BSD-style copyright.)
++ *
++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
++ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#include "config.h"
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <dirent.h>
++#include <errno.h>
++#include <pwd.h>
++#include <time.h>
++#ifdef HAVE_LIBAUDIT
++#include <libaudit.h>
++#endif
++
++#include "faillock.h"
++
++struct options {
++ unsigned int reset;
++ const char *dir;
++ const char *user;
++ const char *progname;
++};
++
++static int
++args_parse(int argc, char **argv, struct options *opts)
++{
++ int i;
++ memset(opts, 0, sizeof(*opts));
++
++ opts->dir = FAILLOCK_DEFAULT_TALLYDIR;
++ opts->progname = argv[0];
++
++ for (i = 1; i < argc; ++i) {
++
++ if (strcmp(argv[i], "--dir") == 0) {
++ ++i;
++ if (i >= argc || strlen(argv[i]) == 0) {
++ fprintf(stderr, "%s: No directory supplied.\n", argv[0]);
++ return -1;
++ }
++ opts->dir = argv[i];
++ }
++ else if (strcmp(argv[i], "--user") == 0) {
++ ++i;
++ if (i >= argc || strlen(argv[i]) == 0) {
++ fprintf(stderr, "%s: No user name supplied.\n", argv[0]);
++ return -1;
++ }
++ opts->user = argv[i];
++ }
++ else if (strcmp(argv[i], "--reset") == 0) {
++ opts->reset = 1;
++ }
++ else {
++ fprintf(stderr, "%s: Unknown option: %s\n", argv[0], argv[i]);
++ return -1;
++ }
++ }
++ return 0;
++}
++
++static void
++usage(const char *progname)
++{
++ fprintf(stderr, _("Usage: %s [--dir /path/to/tally-directory] [--user username] [--reset]\n"),
++ progname);
++}
++
++static int
++do_user(struct options *opts, const char *user)
++{
++ int fd;
++ int rv;
++ struct tally_data tallies;
++
++ fd = open_tally(opts->dir, user, 0);
++
++ if (fd == -1) {
++ if (errno == ENOENT) {
++ return 0;
++ }
++ else {
++ fprintf(stderr, "%s: Error opening the tally file for %s:",
++ opts->progname, user);
++ perror(NULL);
++ return 3;
++ }
++ }
++ if (opts->reset) {
++#ifdef HAVE_LIBAUDIT
++ char buf[64];
++ int audit_fd;
++#endif
++
++ while ((rv=ftruncate(fd, 0)) == -1 && errno == EINTR);
++ if (rv == -1) {
++ fprintf(stderr, "%s: Error clearing the tally file for %s:",
++ opts->progname, user);
++ perror(NULL);
++#ifdef HAVE_LIBAUDIT
++ }
++ if ((audit_fd=audit_open()) >= 0) {
++ struct passwd *pwd;
++
++ if ((pwd=getpwnam(user)) != NULL) {
++ snprintf(buf, sizeof(buf), "faillock reset uid=%u",
++ pwd->pw_uid);
++ audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
++ buf, NULL, NULL, NULL, rv == 0);
++ }
++ close(audit_fd);
++ }
++ if (rv == -1) {
++#endif
++ close(fd);
++ return 4;
++ }
++ }
++ else {
++ unsigned int i;
++
++ memset(&tallies, 0, sizeof(tallies));
++ if ((rv=read_tally(fd, &tallies)) == -1) {
++ fprintf(stderr, "%s: Error reading the tally file for %s:",
++ opts->progname, user);
++ perror(NULL);
++ close(fd);
++ return 5;
++ }
++
++ printf("%s:\n", user);
++ printf("%-19s %-5s %-48s %-5s\n", "When", "Type", "Source", "Valid");
++
++ for (i = 0; i < tallies.count; i++) {
++ struct tm *tm;
++ char timebuf[80];
++ uint16_t status = tallies.records[i].status;
++ time_t when = tallies.records[i].time;
++
++ tm = localtime(&when);
++ strftime(timebuf, sizeof(timebuf), "%Y-%m-%d %H:%M:%S", tm);
++ printf("%-19s %-5s %-52.52s %s\n", timebuf,
++ status & TALLY_STATUS_RHOST ? "RHOST" : (status & TALLY_STATUS_TTY ? "TTY" : "SVC"),
++ tallies.records[i].source, status & TALLY_STATUS_VALID ? "V":"I");
++ }
++ }
++ free(tallies.records);
++ close(fd);
++ return 0;
++}
++
++static int
++do_allusers(struct options *opts)
++{
++ struct dirent **userlist;
++ int rv, i;
++
++ rv = scandir(opts->dir, &userlist, NULL, alphasort);
++ if (rv < 0) {
++ fprintf(stderr, "%s: Error reading tally directory: ", opts->progname);
++ perror(NULL);
++ return 2;
++ }
++
++ for (i = 0; i < rv; i++) {
++ if (userlist[i]->d_name[0] == '.') {
++ if ((userlist[i]->d_name[1] == '.' && userlist[i]->d_name[2] == '\0') ||
++ userlist[i]->d_name[1] == '\0')
++ continue;
++ }
++ do_user(opts, userlist[i]->d_name);
++ free(userlist[i]);
++ }
++ free(userlist);
++
++ return 0;
++}
++
++
++/*-----------------------------------------------------------------------*/
++int
++main (int argc, char *argv[])
++{
++ struct options opts;
++
++ if (args_parse(argc, argv, &opts)) {
++ usage(argv[0]);
++ return 1;
++ }
++
++ if (opts.user == NULL) {
++ return do_allusers(&opts);
++ }
++
++ return do_user(&opts, opts.user);
++}
++
+diff -up Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am
+--- Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock 2010-09-17 15:58:41.000000000 +0200
++++ Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am 2010-09-17 15:58:41.000000000 +0200
+@@ -0,0 +1,43 @@
++#
++# Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk <kukuk at thkukuk.de>
++# Copyright (c) 2008 Red Hat, Inc.
++# Copyright (c) 2010 Tomas Mraz <tmraz at redhat.com>
++#
++
++CLEANFILES = *~
++MAINTAINERCLEANFILES = $(MANS) README
++
++EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_faillock
++
++man_MANS = pam_faillock.8 faillock.8
++XMLS = README.xml pam_faillock.8.xml faillock.8.xml
++
++TESTS = tst-pam_faillock
++
++securelibdir = $(SECUREDIR)
++secureconfdir = $(SCONFIGDIR)
++
++noinst_HEADERS = faillock.h
++
++faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
++pam_faillock_la_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
++
++pam_faillock_la_LDFLAGS = -no-undefined -avoid-version -module
++pam_faillock_la_LIBADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT)
++if HAVE_VERSIONING
++ pam_faillock_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
++endif
++
++faillock_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT)
++
++securelib_LTLIBRARIES = pam_faillock.la
++sbin_PROGRAMS = faillock
++
++pam_faillock_la_SOURCES = pam_faillock.c faillock.c
++faillock_SOURCES = main.c faillock.c
++
++if ENABLE_REGENERATE_MAN
++noinst_DATA = README
++README: pam_faillock.8.xml
++-include $(top_srcdir)/Make.xml.rules
++endif
+diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c
+--- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock 2010-09-17 15:58:41.000000000 +0200
++++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c 2010-09-17 15:58:41.000000000 +0200
+@@ -0,0 +1,548 @@
++/*
++ * Copyright (c) 2010 Tomas Mraz <tmraz at redhat.com>
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, and the entire permission notice in its entirety,
++ * including the disclaimer of warranties.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. The name of the author may not be used to endorse or promote
++ * products derived from this software without specific prior
++ * written permission.
++ *
++ * ALTERNATIVELY, this product may be distributed under the terms of
++ * the GNU Public License, in which case the provisions of the GPL are
++ * required INSTEAD OF the above restrictions. (This clause is
++ * necessary due to a potential bad interaction between the GPL and
++ * the restrictions contained in a BSD-style copyright.)
++ *
++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
++ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#include "config.h"
++#include <stdio.h>
++#include <string.h>
++#include <unistd.h>
++#include <stdint.h>
++#include <stdlib.h>
++#include <errno.h>
++#include <time.h>
++#include <pwd.h>
++#include <syslog.h>
++
++#ifdef HAVE_LIBAUDIT
++#include <libaudit.h>
++#endif
++
++#include <security/pam_modules.h>
++#include <security/pam_modutil.h>
++#include <security/pam_ext.h>
++
++#include "faillock.h"
++
++#define PAM_SM_AUTH
++#define PAM_SM_ACCOUNT
++
++#define FAILLOCK_ACTION_PREAUTH 0
++#define FAILLOCK_ACTION_AUTHSUCC 1
++#define FAILLOCK_ACTION_AUTHFAIL 2
++
++#define FAILLOCK_FLAG_DENY_ROOT 0x1
++#define FAILLOCK_FLAG_AUDIT 0x2
++#define FAILLOCK_FLAG_SILENT 0x4
++#define FAILLOCK_FLAG_NO_LOG_INFO 0x8
++#define FAILLOCK_FLAG_UNLOCKED 0x10
++
++#define MAX_TIME_INTERVAL 604800 /* 7 days */
++
++struct options {
++ unsigned int action;
++ unsigned int flags;
++ unsigned short deny;
++ unsigned int fail_interval;
++ unsigned int unlock_time;
++ unsigned int root_unlock_time;
++ const char *dir;
++ const char *user;
++ int failures;
++ uint64_t latest_time;
++ uid_t uid;
++ uint64_t now;
++};
++
++static void
++args_parse(pam_handle_t *pamh, int argc, const char **argv,
++ int flags, struct options *opts)
++{
++ int i;
++ memset(opts, 0, sizeof(*opts));
++
++ opts->dir = FAILLOCK_DEFAULT_TALLYDIR;
++ opts->deny = 3;
++ opts->fail_interval = 900;
++ opts->unlock_time = 600;
++ opts->root_unlock_time = MAX_TIME_INTERVAL+1;
++
++ for (i = 0; i < argc; ++i) {
++
++ if (strncmp(argv[i], "dir=", 4) == 0) {
++ if (argv[i][4] != '/') {
++ pam_syslog(pamh, LOG_ERR,
++ "Tally directory is not absolute path (%s); keeping default", argv[i]);
++ } else {
++ opts->dir = argv[i]+4;
++ }
++ }
++ else if (strncmp(argv[i], "deny=", 5) == 0) {
++ if (sscanf(argv[i]+5, "%hu", &opts->deny) != 1) {
++ pam_syslog(pamh, LOG_ERR,
++ "Bad number supplied for deny argument");
++ }
++ }
++ else if (strncmp(argv[i], "fail_interval=", 14) == 0) {
++ unsigned int temp;
++ if (sscanf(argv[i]+14, "%u", &temp) != 1 ||
++ temp > MAX_TIME_INTERVAL) {
++ pam_syslog(pamh, LOG_ERR,
++ "Bad number supplied for fail_interval argument");
++ } else {
++ opts->fail_interval = temp;
++ }
++ }
++ else if (strncmp(argv[i], "unlock_time=", 12) == 0) {
++ unsigned int temp;
++ if (sscanf(argv[i]+12, "%u", &temp) != 1 ||
++ temp > MAX_TIME_INTERVAL) {
++ pam_syslog(pamh, LOG_ERR,
++ "Bad number supplied for unlock_time argument");
++ } else {
++ opts->unlock_time = temp;
++ }
++ }
++ else if (strncmp(argv[i], "root_unlock_time=", 17) == 0) {
++ unsigned int temp;
++ if (sscanf(argv[i]+17, "%u", &temp) != 1 ||
++ temp > MAX_TIME_INTERVAL) {
++ pam_syslog(pamh, LOG_ERR,
++ "Bad number supplied for root_unlock_time argument");
++ } else {
++ opts->root_unlock_time = temp;
++ }
++ }
++ else if (strcmp(argv[i], "preauth") == 0) {
++ opts->action = FAILLOCK_ACTION_PREAUTH;
++ }
++ else if (strcmp(argv[i], "authfail") == 0) {
++ opts->action = FAILLOCK_ACTION_AUTHFAIL;
++ }
++ else if (strcmp(argv[i], "authsucc") == 0) {
++ opts->action = FAILLOCK_ACTION_AUTHSUCC;
++ }
++ else if (strcmp(argv[i], "even_deny_root") == 0) {
++ opts->flags |= FAILLOCK_FLAG_DENY_ROOT;
++ }
++ else if (strcmp(argv[i], "audit") == 0) {
++ opts->flags |= FAILLOCK_FLAG_AUDIT;
++ }
++ else if (strcmp(argv[i], "silent") == 0) {
++ opts->flags |= FAILLOCK_FLAG_SILENT;
++ }
++ else if (strcmp(argv[i], "no_log_info") == 0) {
++ opts->flags |= FAILLOCK_FLAG_NO_LOG_INFO;
++ }
++ else {
++ pam_syslog(pamh, LOG_ERR, "Unknown option: %s", argv[i]);
++ }
++ }
++
++ if (opts->root_unlock_time == MAX_TIME_INTERVAL+1)
++ opts->root_unlock_time = opts->unlock_time;
++ if (flags & PAM_SILENT)
++ opts->flags |= FAILLOCK_FLAG_SILENT;
++}
++
++static int get_pam_user(pam_handle_t *pamh, struct options *opts)
++{
++ const char *user;
++ int rv;
++ struct passwd *pwd;
++
++ if ((rv=pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
++ return rv;
++ }
++
++ if (*user == '\0') {
++ return PAM_USER_UNKNOWN;
++ }
++
++ if ((pwd=pam_modutil_getpwnam(pamh, user)) == NULL) {
++ if (opts->flags & FAILLOCK_FLAG_AUDIT) {
++ pam_syslog(pamh, LOG_ERR, "User unknown: %s", user);
++ }
++ else {
++ pam_syslog(pamh, LOG_ERR, "User unknown");
++ }
++ return PAM_USER_UNKNOWN;
++ }
++ opts->user = user;
++ opts->uid = pwd->pw_uid;
++ return PAM_SUCCESS;
++}
++
++static int
++check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies, int *fd)
++{
++ int tfd;
++ unsigned int i;
++ uint64_t latest_time;
++ int failures;
++
++ opts->now = time(NULL);
++
++ tfd = open_tally(opts->dir, opts->user, 0);
++
++ *fd = tfd;
++
++ if (tfd == -1) {
++ if (errno == EACCES || errno == ENOENT) {
++ return PAM_SUCCESS;
++ }
++ pam_syslog(pamh, LOG_ERR, "Error opening the tally file for %s: %m", opts->user);
++ return PAM_SYSTEM_ERR;
++ }
++
++ if (read_tally(tfd, tallies) != 0) {
++ pam_syslog(pamh, LOG_ERR, "Error reading the tally file for %s: %m", opts->user);
++ return PAM_SYSTEM_ERR;
++ }
++
++ if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
++ return PAM_SUCCESS;
++ }
++
++ latest_time = 0;
++ for(i = 0; i < tallies->count; i++) {
++ if ((tallies->records[i].status & TALLY_STATUS_VALID) &&
++ tallies->records[i].time > latest_time)
++ latest_time = tallies->records[i].time;
++ }
++
++ opts->latest_time = latest_time;
++
++ failures = 0;
++ for(i = 0; i < tallies->count; i++) {
++ if ((tallies->records[i].status & TALLY_STATUS_VALID) &&
++ latest_time - tallies->records[i].time < opts->fail_interval) {
++ ++failures;
++ }
++ }
++
++ opts->failures = failures;
++
++ if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
++ return PAM_SUCCESS;
++ }
++
++ if (opts->deny && failures >= opts->deny) {
++ if ((opts->uid && latest_time + opts->unlock_time < opts->now) ||
++ (!opts->uid && latest_time + opts->root_unlock_time < opts->now)) {
++#ifdef HAVE_LIBAUDIT
++ if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */
++ char buf[64];
++ int audit_fd;
++
++ audit_fd = audit_open();
++ /* If there is an error & audit support is in the kernel report error */
++ if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT ||
++ errno == EAFNOSUPPORT))
++ return PAM_SYSTEM_ERR;
++
++ snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
++ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
++ NULL, NULL, NULL, 1);
++ }
++#endif
++ opts->flags |= FAILLOCK_FLAG_UNLOCKED;
++ return PAM_SUCCESS;
++ }
++ return PAM_AUTH_ERR;
++ }
++ return PAM_SUCCESS;
++}
++
++static void
++reset_tally(pam_handle_t *pamh, struct options *opts, int *fd)
++{
++ int rv;
++
++ while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR);
++ if (rv == -1) {
++ pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user);
++ }
++}
++
++static int
++write_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies, int *fd)
++{
++ struct tally *records;
++ unsigned int i;
++ int failures;
++ unsigned int oldest;
++ uint64_t oldtime;
++ const void *source = NULL;
++
++ if (*fd == -1) {
++ *fd = open_tally(opts->dir, opts->user, 1);
++ }
++ if (*fd == -1) {
++ if (errno == EACCES) {
++ return PAM_SUCCESS;
++ }
++ pam_syslog(pamh, LOG_ERR, "Error opening the tally file for %s: %m", opts->user);
++ return PAM_SYSTEM_ERR;
++ }
++
++ oldtime = 0;
++ oldest = 0;
++ failures = 0;
++
++ for (i = 0; i < tallies->count; ++i) {
++ if (tallies->records[i].time < oldtime) {
++ oldtime = tallies->records[i].time;
++ oldest = i;
++ }
++ if (opts->flags & FAILLOCK_FLAG_UNLOCKED ||
++ opts->now - tallies->records[i].time >= opts->fail_interval ) {
++ tallies->records[i].status &= ~TALLY_STATUS_VALID;
++ } else {
++ ++failures;
++ }
++ }
++
++ if (oldest >= tallies->count || (tallies->records[oldest].status & TALLY_STATUS_VALID)) {
++ oldest = tallies->count;
++
++ if ((records=realloc(tallies->records, (oldest+1) * sizeof (*tallies->records))) == NULL) {
++ pam_syslog(pamh, LOG_CRIT, "Error allocating memory for tally records: %m");
++ return PAM_BUF_ERR;
++ }
++
++ ++tallies->count;
++ tallies->records = records;
++ }
++
++ memset(&tallies->records[oldest], 0, sizeof (*tallies->records));
++
++ tallies->records[oldest].status = TALLY_STATUS_VALID;
++ if (pam_get_item(pamh, PAM_RHOST, &source) != PAM_SUCCESS || source == NULL) {
++ if (pam_get_item(pamh, PAM_TTY, &source) != PAM_SUCCESS || source == NULL) {
++ if (pam_get_item(pamh, PAM_SERVICE, &source) != PAM_SUCCESS || source == NULL) {
++ source = "";
++ }
++ }
++ else {
++ tallies->records[oldest].status |= TALLY_STATUS_TTY;
++ }
++ }
++ else {
++ tallies->records[oldest].status |= TALLY_STATUS_RHOST;
++ }
++
++ strncpy(tallies->records[oldest].source, source, sizeof(tallies->records[oldest].source));
++ /* source does not have to be null terminated */
++
++ tallies->records[oldest].time = opts->now;
++
++ ++failures;
++
++ if (opts->deny && failures == opts->deny) {
++#ifdef HAVE_LIBAUDIT
++ char buf[64];
++ int audit_fd;
++
++ audit_fd = audit_open();
++ /* If there is an error & audit support is in the kernel report error */
++ if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT ||
++ errno == EAFNOSUPPORT))
++ return PAM_SYSTEM_ERR;
++
++ snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
++ audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
++ NULL, NULL, NULL, 1);
++
++ if (opts->uid != 0 || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
++ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf,
++ NULL, NULL, NULL, 1);
++ }
++ close(audit_fd);
++#endif
++ if (!(opts->flags & FAILLOCK_FLAG_NO_LOG_INFO)) {
++ pam_syslog(pamh, LOG_INFO, "Consecutive login failures for user %s account temporarily locked",
++ opts->user);
++ }
++ }
++
++ if (update_tally(*fd, tallies) == 0)
++ return PAM_SUCCESS;
++
++ return PAM_SYSTEM_ERR;
++}
++
++static void
++faillock_message(pam_handle_t *pamh, struct options *opts)
++{
++ int64_t left;
++
++ if (!(opts->flags & FAILLOCK_FLAG_SILENT)) {
++ if (opts->uid) {
++ left = opts->latest_time + opts->unlock_time - opts->now;
++ }
++ else {
++ left = opts->latest_time + opts->root_unlock_time - opts->now;
++ }
++
++ left /= 60; /* minutes */
++
++ pam_info(pamh, _("Account temporarily locked due to %d failed logins"),
++ opts->failures);
++ pam_info(pamh, _("(%d minutes left to unlock)"), (int)left);
++ }
++}
++
++static void
++tally_cleanup(struct tally_data *tallies, int fd)
++{
++ if (fd != -1) {
++ close(fd);
++ }
++
++ free(tallies->records);
++}
++
++/*---------------------------------------------------------------------*/
++
++PAM_EXTERN int
++pam_sm_authenticate(pam_handle_t *pamh, int flags,
++ int argc, const char **argv)
++{
++ struct options opts;
++ int rv, fd = -1;
++ struct tally_data tallies;
++
++ memset(&tallies, 0, sizeof(tallies));
++
++ args_parse(pamh, argc, argv, flags, &opts);
++
++ if ((rv=get_pam_user(pamh, &opts)) != PAM_SUCCESS) {
++ return rv;
++ }
++
++ switch (opts.action) {
++ case FAILLOCK_ACTION_PREAUTH:
++ rv = check_tally(pamh, &opts, &tallies, &fd);
++ if (rv == PAM_AUTH_ERR && !(opts.flags & FAILLOCK_FLAG_SILENT)) {
++ faillock_message(pamh, &opts);
++ }
++ break;
++
++ case FAILLOCK_ACTION_AUTHSUCC:
++ rv = check_tally(pamh, &opts, &tallies, &fd);
++ if (rv == PAM_SUCCESS && fd != -1) {
++ reset_tally(pamh, &opts, &fd);
++ }
++ break;
++
++ case FAILLOCK_ACTION_AUTHFAIL:
++ rv = check_tally(pamh, &opts, &tallies, &fd);
++ if (rv == PAM_SUCCESS) {
++ rv = PAM_IGNORE; /* this return value should be ignored */
++ write_tally(pamh, &opts, &tallies, &fd);
++ }
++ break;
++ }
++
++ tally_cleanup(&tallies, fd);
++
++ return rv;
++}
++
++/*---------------------------------------------------------------------*/
++
++PAM_EXTERN int
++pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED,
++ int argc UNUSED, const char **argv UNUSED)
++{
++ return PAM_SUCCESS;
++}
++
++/*---------------------------------------------------------------------*/
++
++PAM_EXTERN int
++pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
++ int argc, const char **argv)
++{
++ struct options opts;
++ int rv, fd = -1;
++ struct tally_data tallies;
++
++ memset(&tallies, 0, sizeof(tallies));
++
++ args_parse(pamh, argc, argv, flags, &opts);
++
++ opts.action = FAILLOCK_ACTION_AUTHSUCC;
++
++ if ((rv=get_pam_user(pamh, &opts)) != PAM_SUCCESS) {
++ return rv;
++ }
++
++ check_tally(pamh, &opts, &tallies, &fd);
++ if (fd != -1) {
++ reset_tally(pamh, &opts, &fd);
++ }
++
++ tally_cleanup(&tallies, fd);
++
++ return PAM_SUCCESS;
++}
++
++/*-----------------------------------------------------------------------*/
++
++#ifdef PAM_STATIC
++
++/* static module data */
++
++struct pam_module _pam_faillock_modstruct = {
++ MODULE_NAME,
++#ifdef PAM_SM_AUTH
++ pam_sm_authenticate,
++ pam_sm_setcred,
++#else
++ NULL,
++ NULL,
++#endif
++#ifdef PAM_SM_ACCOUNT
++ pam_sm_acct_mgmt,
++#else
++ NULL,
++#endif
++ NULL,
++ NULL,
++ NULL,
++};
++
++#endif /* #ifdef PAM_STATIC */
++
+diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml
+--- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock 2010-09-17 15:58:41.000000000 +0200
++++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml 2010-09-17 15:58:41.000000000 +0200
+@@ -0,0 +1,385 @@
++<?xml version="1.0" encoding='UTF-8'?>
++<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
++ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
++
++<refentry id="pam_faillock">
++
++ <refmeta>
++ <refentrytitle>pam_faillock</refentrytitle>
++ <manvolnum>8</manvolnum>
++ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
++ </refmeta>
++
++ <refnamediv id="pam_faillock-name">
++ <refname>pam_faillock</refname>
++ <refpurpose>Module counting authentication failures during a specified interval</refpurpose>
++ </refnamediv>
++
++ <refsynopsisdiv>
++ <cmdsynopsis id="pam_faillock-cmdsynopsisauth">
++ <command>auth ... pam_faillock.so</command>
++ <arg choice="req">
++ preauth|authfail|authsucc
++ </arg>
++ <arg choice="opt">
++ dir=<replaceable>/path/to/tally-directory</replaceable>
++ </arg>
++ <arg choice="opt">
++ even_deny_root
++ </arg>
++ <arg choice="opt">
++ deny=<replaceable>n</replaceable>
++ </arg>
++ <arg choice="opt">
++ fail_interval=<replaceable>n</replaceable>
++ </arg>
++ <arg choice="opt">
++ unlock_time=<replaceable>n</replaceable>
++ </arg>
++ <arg choice="opt">
++ root_unlock_time=<replaceable>n</replaceable>
++ </arg>
++ <arg choice="opt">
++ audit
++ </arg>
++ <arg choice="opt">
++ silent
++ </arg>
++ <arg choice="opt">
++ no_log_info
++ </arg>
++ </cmdsynopsis>
++ <cmdsynopsis id="pam_faillock-cmdsynopsisacct">
++ <command>account ... pam_faillock.so</command>
++ <arg choice="opt">
++ dir=<replaceable>/path/to/tally-directory</replaceable>
++ </arg>
++ <arg choice="opt">
++ no_log_info
++ </arg>
++ </cmdsynopsis>
++ </refsynopsisdiv>
++
++ <refsect1 id="pam_faillock-description">
++
++ <title>DESCRIPTION</title>
++
++ <para>
++ This module maintains a list of failed authentication attempts per
++ user during a specified interval and locks the account in case
++ there were more than <replaceable>deny</replaceable> consecutive
++ failed authentications.
++ </para>
++ <para>
++ Normally, failed attempts to authenticate <emphasis>root</emphasis> will
++ <emphasis remap='B'>not</emphasis> cause the root account to become
++ blocked, to prevent denial-of-service: if your users aren't given
++ shell accounts and root may only login via <command>su</command> or
++ at the machine console (not telnet/rsh, etc), this is safe.
++ </para>
++ </refsect1>
++
++ <refsect1 id="pam_faillock-options">
++
++ <title>OPTIONS</title>
++ <variablelist>
++ <varlistentry>
++ <term>
++ <option>{preauth|authfail|authsucc}</option>
++ </term>
++ <listitem>
++ <para>
++ This argument must be set accordingly to the position of this module
++ instance in the PAM stack.
++ </para>
++ <para>
++ The <emphasis>preauth</emphasis> argument must be used when the module
++ is called before the modules which ask for the user credentials such
++ as the password. The module just examines whether the user should
++ be blocked from accessing the service in case there were anomalous
++ number of failed consecutive authentication attempts recently. This
++ call is optional if <emphasis>authsucc</emphasis> is used.
++ </para>
++ <para>
++ The <emphasis>authfail</emphasis> argument must be used when the module
++ is called after the modules which determine the authentication outcome,
++ failed. Unless the user is already blocked due to previous authentication
++ failures, the module will record the failure into the appropriate user
++ tally file.
++ </para>
++ <para>
++ The <emphasis>authsucc</emphasis> argument must be used when the module
++ is called after the modules which determine the authentication outcome,
++ succeded. Unless the user is already blocked due to previous authentication
++ failures, the module will then clear the record of the failures in the
++ respective user tally file. Otherwise it will return authentication error.
++ If this call is not done, the pam_faillock will not distinguish between
++ consecutive and non-consecutive failed authentication attempts. The
++ <emphasis>preauth</emphasis> call must be used in such case. Due to
++ complications in the way the PAM stack can be configured it is also
++ possible to call <emphasis>pam_faillock</emphasis> as an account module.
++ In such configuration the module must be also called in the
++ <emphasis>preauth</emphasis> stage.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>dir=<replaceable>/path/to/tally-directory</replaceable></option>
++ </term>
++ <listitem>
++ <para>
++ The directory where the user files with the failure records are kept. The
++ default is <filename>/var/run/faillock</filename>.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>audit</option>
++ </term>
++ <listitem>
++ <para>
++ Will log the user name into the system log if the user is not found.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>silent</option>
++ </term>
++ <listitem>
++ <para>
++ Don't print informative messages. This option is implicite
++ in the <emphasis>authfail</emphasis> and <emphasis>authsucc</emphasis>
++ functions.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>no_log_info</option>
++ </term>
++ <listitem>
++ <para>
++ Don't log informative messages via <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>deny=<replaceable>n</replaceable></option>
++ </term>
++ <listitem>
++ <para>
++ Deny access if the number of consecutive authentication failures
++ for this user during the recent interval exceeds
++ <replaceable>n</replaceable>. The default is 3.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>fail_interval=<replaceable>n</replaceable></option>
++ </term>
++ <listitem>
++ <para>
++ The length of the interval during which the consecutive
++ authentication failures must happen for the user account
++ lock out is <replaceable>n</replaceable> seconds.
++ The default is 900 (15 minutes).
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>unlock_time=<replaceable>n</replaceable></option>
++ </term>
++ <listitem>
++ <para>
++ The access will be reenabled after
++ <replaceable>n</replaceable> seconds after the lock out.
++ The default is 600 (10 minutes).
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>even_deny_root</option>
++ </term>
++ <listitem>
++ <para>
++ Root account can become locked as well as regular accounts.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>root_unlock_time=<replaceable>n</replaceable></option>
++ </term>
++ <listitem>
++ <para>
++ This option implies <option>even_deny_root</option> option.
++ Allow access after <replaceable>n</replaceable> seconds
++ to root account after the account is locked. In case the
++ option is not specified the value is the same as of the
++ <option>unlock_time</option> option.
++ </para>
++ </listitem>
++ </varlistentry>
++ </variablelist>
++ </refsect1>
++
++ <refsect1 id="pam_faillock-types">
++ <title>MODULE TYPES PROVIDED</title>
++ <para>
++ The <option>auth</option> and <option>account</option> module types are
++ provided.
++ </para>
++ </refsect1>
++
++ <refsect1 id='pam_faillock-return_values'>
++ <title>RETURN VALUES</title>
++ <variablelist>
++ <varlistentry>
++ <term>PAM_AUTH_ERR</term>
++ <listitem>
++ <para>
++ A invalid option was given, the module was not able
++ to retrieve the user name, no valid counter file
++ was found, or too many failed logins.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>PAM_SUCCESS</term>
++ <listitem>
++ <para>
++ Everything was successful.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>PAM_USER_UNKNOWN</term>
++ <listitem>
++ <para>
++ User not known.
++ </para>
++ </listitem>
++ </varlistentry>
++ </variablelist>
++ </refsect1>
++
++ <refsect1 id='pam_faillock-notes'>
++ <title>NOTES</title>
++ <para>
++ <emphasis>pam_faillock</emphasis> setup in the PAM stack is different
++ from the <emphasis>pam_tally2</emphasis> module setup.
++ </para>
++ <para>
++ There is no setuid wrapper for access to the data file such as when the
++ <emphasis remap='B'>pam_faillock.so</emphasis> module is called from
++ a screensaver. As this would make it impossible to share PAM configuration
++ with such services the following workaround is used: If the data file
++ cannot be opened because of insufficient permissions
++ (<errorcode>EACCES</errorcode>) the module returns
++ <errorcode>PAM_SUCCESS</errorcode>.
++ </para>
++ </refsect1>
++
++ <refsect1 id='pam_faillock-examples'>
++ <title>EXAMPLES</title>
++ <para>
++ Here are two possible configuration examples for <filename>/etc/pam.d/login</filename>.
++ They make <emphasis>pam_faillock</emphasis> to lock the account after 4 consecutive
++ failed logins during the default interval of 15 minutes. Root account will be locked
++ as well. The accounts will be automatically unlocked after 20 minutes.
++ </para>
++ <para>
++ In the first example the module is called only in the <emphasis>auth</emphasis>
++ phase and the module does not print any information about the account blocking
++ by <emphasis>pam_faillock</emphasis>. The <emphasis>preauth</emphasis> call can
++ be added to tell the user that his login is blocked by the module and also to abort
++ the authentication without even asking for password in such case.
++ </para>
++ <programlisting>
++auth required pam_securetty.so
++auth required pam_env.so
++auth required pam_nologin.so
++# optionally call: auth requisite pam_faillock.so preauth deny=4 even_deny_root unlock_time=1200
++auth [success=1 default=bad] pam_unix.so
++auth [default=die] pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200
++auth sufficient pam_faillock.so authsucc deny=4 even_deny_root unlock_time=1200
++auth required pam_deny.so
++account required pam_unix.so
++password required pam_unix.so shadow
++session required pam_selinux.so close
++session required pam_loginuid.so
++session required pam_unix.so
++session required pam_selinux.so open
++ </programlisting>
++ <para>
++ In the second example the module is called both in the <emphasis>auth</emphasis>
++ and <emphasis>account</emphasis> phases and the module gives the authenticating
++ user message when the account is locked
++ </para>
++ <programlisting>
++auth required pam_securetty.so
++auth required pam_env.so
++auth required pam_nologin.so
++auth requisite pam_faillock.so preauth deny=4 even_deny_root unlock_time=1200
++# optionally use required above if you still want to prompt for the password
++# on locked accounts.
++auth sufficient pam_unix.so
++auth [default=die] pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200
++auth required pam_deny.so
++account required pam_faillock.so
++# if you drop the above call to pam_faillock.so the lock will be done also
++# on non-consecutive authentication failures
++account required pam_unix.so
++password required pam_unix.so shadow
++session required pam_selinux.so close
++session required pam_loginuid.so
++session required pam_unix.so
++session required pam_selinux.so open
++ </programlisting>
++ </refsect1>
++
++ <refsect1 id="pam_faillock-files">
++ <title>FILES</title>
++ <variablelist>
++ <varlistentry>
++ <term><filename>/var/run/faillock/*</filename></term>
++ <listitem>
++ <para>the files logging the authentication failures for users</para>
++ </listitem>
++ </varlistentry>
++ </variablelist>
++ </refsect1>
++
++ <refsect1 id='pam_faillock-see_also'>
++ <title>SEE ALSO</title>
++ <para>
++ <citerefentry>
++ <refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum>
++ </citerefentry>,
++ <citerefentry>
++ <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
++ </citerefentry>,
++ <citerefentry>
++ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
++ </citerefentry>,
++ <citerefentry>
++ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ </citerefentry>
++ </para>
++ </refsect1>
++
++ <refsect1 id='pam_faillock-author'>
++ <title>AUTHOR</title>
++ <para>
++ pam_faillock was written by Tomas Mraz.
++ </para>
++ </refsect1>
++
++</refentry>
+diff -up Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/README.xml
+--- Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock 2010-09-17 15:58:41.000000000 +0200
++++ Linux-PAM-1.1.1/modules/pam_faillock/README.xml 2010-09-17 15:58:41.000000000 +0200
+@@ -0,0 +1,46 @@
++<?xml version="1.0" encoding='UTF-8'?>
++<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
++"http://www.docbook.org/xml/4.3/docbookx.dtd"
++[
++<!--
++<!ENTITY pamaccess SYSTEM "pam_faillock.8.xml">
++-->
++]>
++
++<article>
++
++ <articleinfo>
++
++ <title>
++ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
++ href="pam_faillock.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_faillock-name"]/*)'/>
++ </title>
++
++ </articleinfo>
++
++ <section>
++ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
++ href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-description"]/*)'/>
++ </section>
++
++ <section>
++ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
++ href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-options"]/*)'/>
++ </section>
++
++ <section>
++ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
++ href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-notes"]/*)'/>
++ </section>
++
++ <section>
++ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
++ href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-examples"]/*)'/>
++ </section>
++
++ <section>
++ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
++ href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-author"]/*)'/>
++ </section>
++
++</article>
+diff -up Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock
+--- Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock 2010-09-17 15:58:41.000000000 +0200
++++ Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock 2010-09-17 15:58:41.000000000 +0200
+@@ -0,0 +1,2 @@
++#!/bin/sh
++../../tests/tst-dlopen .libs/pam_faillock.so
More information about the scm-commits
mailing list