summaryrefslogtreecommitdiff
path: root/modules/pam_tally
diff options
context:
space:
mode:
authorThorsten Kukuk <kukuk@thkukuk.de>2008-07-09 12:23:23 +0000
committerThorsten Kukuk <kukuk@thkukuk.de>2008-07-09 12:23:23 +0000
commit72fae03ec85016c4c443eb1c0195ed54b4423544 (patch)
treecb905058a80076edd7daf022cd3e1fdb05f59860 /modules/pam_tally
parenta56a27d91b53f6029760d6a0e38b44b46f086f87 (diff)
Relevant BUGIDs:
Purpose of commit: new feature Commit summary: --------------- 2008-07-09 Thorsten Kukuk <kukuk@thkukuk.de> * modules/pam_tally/pam_tally.c: Add support for silent and no_log_info options. * modules/pam_tally/pam_tally.8.xml: Document silent and no_log_info options.
Diffstat (limited to 'modules/pam_tally')
-rw-r--r--modules/pam_tally/pam_tally.8.xml26
-rw-r--r--modules/pam_tally/pam_tally.c51
2 files changed, 65 insertions, 12 deletions
diff --git a/modules/pam_tally/pam_tally.8.xml b/modules/pam_tally/pam_tally.8.xml
index 4f89269e..68b69a30 100644
--- a/modules/pam_tally/pam_tally.8.xml
+++ b/modules/pam_tally/pam_tally.8.xml
@@ -51,6 +51,12 @@
<arg choice="opt">
audit
</arg>
+ <arg choice="opt">
+ silent
+ </arg>
+ <arg choice="opt">
+ no_log_info
+ </arg>
</cmdsynopsis>
<cmdsynopsis id="pam_tally-cmdsynopsis2">
<command>pam_tally</command>
@@ -150,6 +156,26 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>silent</option>
+ </term>
+ <listitem>
+ <para>
+ Don't print informative messages.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>no_log_info</option>
+ </term>
+ <listitem>
+ <para>
+ Don't log informative messages via <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</listitem>
</varlistentry>
diff --git a/modules/pam_tally/pam_tally.c b/modules/pam_tally/pam_tally.c
index 8814659a..a01e1938 100644
--- a/modules/pam_tally/pam_tally.c
+++ b/modules/pam_tally/pam_tally.c
@@ -97,6 +97,8 @@ struct tally_options {
#define OPT_NO_LOCK_TIME 020
#define OPT_NO_RESET 040
#define OPT_AUDIT 0100
+#define OPT_SILENT 0200
+#define OPT_NOLOGNOTICE 0400
/*---------------------------------------------------------------------*/
@@ -205,6 +207,12 @@ tally_parse_args(pam_handle_t *pamh, struct tally_options *opts,
else if ( ! strcmp ( *argv, "audit") ) {
opts->ctrl |= OPT_AUDIT;
}
+ else if ( ! strcmp ( *argv, "silent") ) {
+ opts->ctrl |= OPT_SILENT;
+ }
+ else if ( ! strcmp ( *argv, "no_log_info") ) {
+ opts->ctrl |= OPT_NOLOGNOTICE;
+ }
else {
pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
}
@@ -524,12 +532,17 @@ tally_check (time_t oldtime, pam_handle_t *pamh, uid_t uid,
{
if ( lock_time + oldtime > time(NULL) )
{
- pam_syslog(pamh, LOG_NOTICE,
- "user %s (%lu) has time limit [%lds left]"
- " since last failure.",
- user, (unsigned long int) uid,
- oldtime+lock_time
- -time(NULL));
+ if (!(opts->ctrl & OPT_SILENT))
+ pam_info (pamh,
+ _("Account temporary locked (%lds seconds left)"),
+ oldtime+lock_time-time(NULL));
+
+ if (!(opts->ctrl & OPT_NOLOGNOTICE))
+ pam_syslog (pamh, LOG_NOTICE,
+ "user %s (%lu) has time limit [%lds left]"
+ " since last failure.",
+ user, (unsigned long int) uid,
+ oldtime+lock_time-time(NULL));
return PAM_AUTH_ERR;
}
}
@@ -545,9 +558,14 @@ tally_check (time_t oldtime, pam_handle_t *pamh, uid_t uid,
( tally > deny ) && /* tally>deny means exceeded */
( ((opts->ctrl & OPT_DENY_ROOT) || uid) ) /* even_deny stops uid check */
) {
- pam_syslog(pamh, LOG_NOTICE,
- "user %s (%lu) tally "TALLY_FMT", deny "TALLY_FMT,
- user, (unsigned long int) uid, tally, deny);
+ if (!(opts->ctrl & OPT_SILENT))
+ pam_info (pamh, _("Accounted locked due to "TALLY_FMT" failed login"),
+ tally);
+
+ if (!(opts->ctrl & OPT_NOLOGNOTICE))
+ pam_syslog(pamh, LOG_NOTICE,
+ "user %s (%lu) tally "TALLY_FMT", deny "TALLY_FMT,
+ user, (unsigned long int) uid, tally, deny);
return PAM_AUTH_ERR; /* Only unconditional failure */
}
}
@@ -594,7 +612,7 @@ tally_reset (pam_handle_t *pamh, uid_t uid, struct tally_options *opts)
#ifdef PAM_SM_AUTH
PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
+pam_sm_authenticate(pam_handle_t *pamh, int flags,
int argc, const char **argv)
{
int
@@ -612,6 +630,9 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
if ( rvcheck != PAM_SUCCESS )
RETURN_ERROR( rvcheck );
+ if (flags & PAM_SILENT)
+ opts->ctrl |= OPT_SILENT;
+
rvcheck = pam_get_uid(pamh, &uid, &user, opts);
if ( rvcheck != PAM_SUCCESS )
RETURN_ERROR( rvcheck );
@@ -625,7 +646,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
}
PAM_EXTERN int
-pam_sm_setcred(pam_handle_t *pamh, int flags UNUSED,
+pam_sm_setcred(pam_handle_t *pamh, int flags,
int argc, const char **argv)
{
int
@@ -643,6 +664,9 @@ pam_sm_setcred(pam_handle_t *pamh, int flags UNUSED,
if ( rv != PAM_SUCCESS )
RETURN_ERROR( rv );
+ if (flags & PAM_SILENT)
+ opts->ctrl |= OPT_SILENT;
+
rv = pam_get_uid(pamh, &uid, &user, opts);
if ( rv != PAM_SUCCESS )
RETURN_ERROR( rv );
@@ -667,7 +691,7 @@ pam_sm_setcred(pam_handle_t *pamh, int flags UNUSED,
/* To reset failcount of user on successfull login */
PAM_EXTERN int
-pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED,
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
int argc, const char **argv)
{
int
@@ -685,6 +709,9 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED,
if ( rv != PAM_SUCCESS )
RETURN_ERROR( rv );
+ if (flags & PAM_SILENT)
+ opts->ctrl |= OPT_SILENT;
+
rv = pam_get_uid(pamh, &uid, &user, opts);
if ( rv != PAM_SUCCESS )
RETURN_ERROR( rv );