summaryrefslogtreecommitdiff
path: root/modules/pam_faildelay/pam_faildelay.c
diff options
context:
space:
mode:
Diffstat (limited to 'modules/pam_faildelay/pam_faildelay.c')
-rw-r--r--modules/pam_faildelay/pam_faildelay.c110
1 files changed, 109 insertions, 1 deletions
diff --git a/modules/pam_faildelay/pam_faildelay.c b/modules/pam_faildelay/pam_faildelay.c
index 0fa910b7..16cb7458 100644
--- a/modules/pam_faildelay/pam_faildelay.c
+++ b/modules/pam_faildelay/pam_faildelay.c
@@ -11,10 +11,16 @@
* auth required pam_faildelay.so delay=10000000
* will set the delay on failure to 10 seconds.
*
+ * If no delay option was given, pam_faildelay.so will use the
+ * FAIL_DELAY value of /etc/login.defs.
*
* Based on pam_rootok and parts of pam_unix both by Andrew Morgan
* <morgan@linux.kernel.org>
*
+ * Copyright (c) 2006 Thorsten Kukuk <kukuk@thkukuk.de>
+ * - Rewrite to use extended PAM functions
+ * - Add /etc/login.defs support
+ *
* Portions Copyright (c) 2005 Darren Tucker <dtucker at zip com au>.
*
* Redistribution and use in source and binary forms of, with
@@ -55,10 +61,14 @@
#include "config.h"
+#include <errno.h>
+#include <ctype.h>
#include <stdio.h>
+#include <limits.h>
#include <unistd.h>
#include <syslog.h>
#include <string.h>
+#include <stdlib.h>
#define PAM_SM_AUTH
@@ -67,6 +77,79 @@
#include <security/pam_ext.h>
+#define BUF_SIZE 8192
+#define LOGIN_DEFS "/etc/login.defs"
+
+static char *
+search_key (const char *filename)
+{
+ FILE *fp;
+ char *buf = NULL;
+ size_t buflen = 0;
+ char *retval = NULL;
+
+ fp = fopen (filename, "r");
+ if (NULL == fp)
+ return NULL;
+
+ while (!feof (fp))
+ {
+ char *tmp, *cp;
+#if defined(HAVE_GETLINE)
+ ssize_t n = getline (&buf, &buflen, fp);
+#elif defined (HAVE_GETDELIM)
+ ssize_t n = getdelim (&buf, &buflen, '\n', fp);
+#else
+ ssize_t n;
+
+ if (buf == NULL)
+ {
+ buflen = BUF_SIZE;
+ buf = malloc (buflen);
+ }
+ buf[0] = '\0';
+ if (fgets (buf, buflen - 1, fp) == NULL)
+ break;
+ else if (buf != NULL)
+ n = strlen (buf);
+ else
+ n = 0;
+#endif /* HAVE_GETLINE / HAVE_GETDELIM */
+ cp = buf;
+
+ if (n < 1)
+ break;
+
+ tmp = strchr (cp, '#'); /* remove comments */
+ if (tmp)
+ *tmp = '\0';
+ while (isspace ((int)*cp)) /* remove spaces and tabs */
+ ++cp;
+ if (*cp == '\0') /* ignore empty lines */
+ continue;
+
+ if (cp[strlen (cp) - 1] == '\n')
+ cp[strlen (cp) - 1] = '\0';
+
+ tmp = strsep (&cp, " \t=");
+ if (cp != NULL)
+ while (isspace ((int)*cp) || *cp == '=')
+ ++cp;
+
+ if (strcasecmp (tmp, "FAIL_DELAY") == 0)
+ {
+ retval = strdup (cp);
+ break;
+ }
+ }
+ fclose (fp);
+
+ free (buf);
+
+ return retval;
+}
+
+
/* --- authentication management functions (only) --- */
PAM_EXTERN
@@ -74,7 +157,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
int argc, const char **argv)
{
int i, debug_flag = 0;
- long int delay = 0;
+ long int delay = -1;
/* step through arguments */
for (i = 0; i < argc; i++) {
@@ -86,6 +169,31 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
pam_syslog (pamh, LOG_ERR, "unknown option; %s", argv[i]);
}
+ if (delay == -1)
+ {
+ char *endptr;
+ char *val = search_key (LOGIN_DEFS);
+ const char *val_orig = val;
+
+ if (val == NULL)
+ return PAM_IGNORE;
+
+ errno = 0;
+ delay = strtol (val, &endptr, 10) & 0777;
+ if (((delay == 0) && (val_orig == endptr)) ||
+ ((delay == LONG_MIN || delay == LONG_MAX) && (errno == ERANGE)))
+ {
+ pam_syslog (pamh, LOG_ERR, "FAIL_DELAY=%s in %s not valid",
+ val, LOGIN_DEFS);
+ free (val);
+ return PAM_IGNORE;
+ }
+
+ free (val);
+ /* delay is in seconds, convert to microseconds. */
+ delay *= 1000000;
+ }
+
if (debug_flag)
pam_syslog (pamh, LOG_DEBUG, "setting fail delay to %ld", delay);