diff options
| -rw-r--r-- | ChangeLog | 7 | ||||
| -rw-r--r-- | NEWS | 6 | ||||
| -rw-r--r-- | modules/pam_tally/pam_tally.8.xml | 26 | ||||
| -rw-r--r-- | modules/pam_tally/pam_tally.c | 51 |
4 files changed, 76 insertions, 14 deletions
@@ -1,3 +1,10 @@ +2008-07-09 Thorsten Kukuk <kukuk@thkukuk.de> + + * modules/pam_tally/pam_tally.c: Add support for silent and + no_log_info options. + * modules/pam_tally/pam_tally.8.xml: Document silent and + no_log_info options. + 2008-07-08 Thorsten Kukuk <kukuk@thkukuk.de> * modules/pam_unix/passverify.c (verify_pwd_hash): Adjust debug @@ -3,11 +3,13 @@ Linux-PAM NEWS -- history of user-visible changes. Release 1.0.90 -* Supply hostname of the machine to netgroup match call in pam_access. +* Supply hostname of the machine to netgroup match call in pam_access * Make pam_namespace to work safe on child directories of parent directories - owned by users. + owned by users * Redifine LOCAL keyword of pam_access configuration file * Add support fro try_first_pass and use_first_pass to pam_cracklib +* Print informative messages for rejected login and add silent and + no_log_info options to pam_tally Release 1.0.1 diff --git a/modules/pam_tally/pam_tally.8.xml b/modules/pam_tally/pam_tally.8.xml index 4f89269e..68b69a30 100644 --- a/modules/pam_tally/pam_tally.8.xml +++ b/modules/pam_tally/pam_tally.8.xml @@ -51,6 +51,12 @@ <arg choice="opt"> audit </arg> + <arg choice="opt"> + silent + </arg> + <arg choice="opt"> + no_log_info + </arg> </cmdsynopsis> <cmdsynopsis id="pam_tally-cmdsynopsis2"> <command>pam_tally</command> @@ -150,6 +156,26 @@ </para> </listitem> </varlistentry> + <varlistentry> + <term> + <option>silent</option> + </term> + <listitem> + <para> + Don't print informative messages. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>no_log_info</option> + </term> + <listitem> + <para> + Don't log informative messages via <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>. + </para> + </listitem> + </varlistentry> </variablelist> </listitem> </varlistentry> diff --git a/modules/pam_tally/pam_tally.c b/modules/pam_tally/pam_tally.c index 8814659a..a01e1938 100644 --- a/modules/pam_tally/pam_tally.c +++ b/modules/pam_tally/pam_tally.c @@ -97,6 +97,8 @@ struct tally_options { #define OPT_NO_LOCK_TIME 020 #define OPT_NO_RESET 040 #define OPT_AUDIT 0100 +#define OPT_SILENT 0200 +#define OPT_NOLOGNOTICE 0400 /*---------------------------------------------------------------------*/ @@ -205,6 +207,12 @@ tally_parse_args(pam_handle_t *pamh, struct tally_options *opts, else if ( ! strcmp ( *argv, "audit") ) { opts->ctrl |= OPT_AUDIT; } + else if ( ! strcmp ( *argv, "silent") ) { + opts->ctrl |= OPT_SILENT; + } + else if ( ! strcmp ( *argv, "no_log_info") ) { + opts->ctrl |= OPT_NOLOGNOTICE; + } else { pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); } @@ -524,12 +532,17 @@ tally_check (time_t oldtime, pam_handle_t *pamh, uid_t uid, { if ( lock_time + oldtime > time(NULL) ) { - pam_syslog(pamh, LOG_NOTICE, - "user %s (%lu) has time limit [%lds left]" - " since last failure.", - user, (unsigned long int) uid, - oldtime+lock_time - -time(NULL)); + if (!(opts->ctrl & OPT_SILENT)) + pam_info (pamh, + _("Account temporary locked (%lds seconds left)"), + oldtime+lock_time-time(NULL)); + + if (!(opts->ctrl & OPT_NOLOGNOTICE)) + pam_syslog (pamh, LOG_NOTICE, + "user %s (%lu) has time limit [%lds left]" + " since last failure.", + user, (unsigned long int) uid, + oldtime+lock_time-time(NULL)); return PAM_AUTH_ERR; } } @@ -545,9 +558,14 @@ tally_check (time_t oldtime, pam_handle_t *pamh, uid_t uid, ( tally > deny ) && /* tally>deny means exceeded */ ( ((opts->ctrl & OPT_DENY_ROOT) || uid) ) /* even_deny stops uid check */ ) { - pam_syslog(pamh, LOG_NOTICE, - "user %s (%lu) tally "TALLY_FMT", deny "TALLY_FMT, - user, (unsigned long int) uid, tally, deny); + if (!(opts->ctrl & OPT_SILENT)) + pam_info (pamh, _("Accounted locked due to "TALLY_FMT" failed login"), + tally); + + if (!(opts->ctrl & OPT_NOLOGNOTICE)) + pam_syslog(pamh, LOG_NOTICE, + "user %s (%lu) tally "TALLY_FMT", deny "TALLY_FMT, + user, (unsigned long int) uid, tally, deny); return PAM_AUTH_ERR; /* Only unconditional failure */ } } @@ -594,7 +612,7 @@ tally_reset (pam_handle_t *pamh, uid_t uid, struct tally_options *opts) #ifdef PAM_SM_AUTH PAM_EXTERN int -pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, +pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) { int @@ -612,6 +630,9 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, if ( rvcheck != PAM_SUCCESS ) RETURN_ERROR( rvcheck ); + if (flags & PAM_SILENT) + opts->ctrl |= OPT_SILENT; + rvcheck = pam_get_uid(pamh, &uid, &user, opts); if ( rvcheck != PAM_SUCCESS ) RETURN_ERROR( rvcheck ); @@ -625,7 +646,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, } PAM_EXTERN int -pam_sm_setcred(pam_handle_t *pamh, int flags UNUSED, +pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) { int @@ -643,6 +664,9 @@ pam_sm_setcred(pam_handle_t *pamh, int flags UNUSED, if ( rv != PAM_SUCCESS ) RETURN_ERROR( rv ); + if (flags & PAM_SILENT) + opts->ctrl |= OPT_SILENT; + rv = pam_get_uid(pamh, &uid, &user, opts); if ( rv != PAM_SUCCESS ) RETURN_ERROR( rv ); @@ -667,7 +691,7 @@ pam_sm_setcred(pam_handle_t *pamh, int flags UNUSED, /* To reset failcount of user on successfull login */ PAM_EXTERN int -pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) { int @@ -685,6 +709,9 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, if ( rv != PAM_SUCCESS ) RETURN_ERROR( rv ); + if (flags & PAM_SILENT) + opts->ctrl |= OPT_SILENT; + rv = pam_get_uid(pamh, &uid, &user, opts); if ( rv != PAM_SUCCESS ) RETURN_ERROR( rv ); |