summaryrefslogtreecommitdiff
path: root/modules/pam_tally2/pam_tally2.8
diff options
context:
space:
mode:
Diffstat (limited to 'modules/pam_tally2/pam_tally2.8')
-rw-r--r--modules/pam_tally2/pam_tally2.8242
1 files changed, 242 insertions, 0 deletions
diff --git a/modules/pam_tally2/pam_tally2.8 b/modules/pam_tally2/pam_tally2.8
new file mode 100644
index 00000000..920a90b0
--- /dev/null
+++ b/modules/pam_tally2/pam_tally2.8
@@ -0,0 +1,242 @@
+'\" t
+.\" Title: pam_tally2
+.\" Author: [see the "AUTHOR" section]
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Date: 04/01/2016
+.\" Manual: Linux-PAM Manual
+.\" Source: Linux-PAM Manual
+.\" Language: English
+.\"
+.TH "PAM_TALLY2" "8" "04/01/2016" "Linux-PAM Manual" "Linux\-PAM Manual"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+pam_tally2 \- The login counter (tallying) module
+.SH "SYNOPSIS"
+.HP \w'\fBpam_tally2\&.so\fR\ 'u
+\fBpam_tally2\&.so\fR [file=\fI/path/to/counter\fR] [onerr=[\fIfail\fR|\fIsucceed\fR]] [magic_root] [even_deny_root] [deny=\fIn\fR] [lock_time=\fIn\fR] [unlock_time=\fIn\fR] [root_unlock_time=\fIn\fR] [serialize] [audit] [silent] [no_log_info] [debug]
+.HP \w'\fBpam_tally2\fR\ 'u
+\fBpam_tally2\fR [\-\-file\ \fI/path/to/counter\fR] [\-\-user\ \fIusername\fR] [\-\-reset[=\fIn\fR]] [\-\-quiet]
+.SH "DESCRIPTION"
+.PP
+This module maintains a count of attempted accesses, can reset count on success, can deny access if too many attempts fail\&.
+.PP
+pam_tally2 comes in two parts:
+\fBpam_tally2\&.so\fR
+and
+\fBpam_tally2\fR\&. The former is the PAM module and the latter, a stand\-alone program\&.
+\fBpam_tally2\fR
+is an (optional) application which can be used to interrogate and manipulate the counter file\&. It can display user counts, set individual counts, or clear all counts\&. Setting artificially high counts may be useful for blocking users without changing their passwords\&. For example, one might find it useful to clear all counts every midnight from a cron job\&.
+.PP
+Normally, failed attempts to access
+\fIroot\fR
+will
+\fBnot\fR
+cause the root account to become blocked, to prevent denial\-of\-service: if your users aren\*(Aqt given shell accounts and root may only login via
+\fBsu\fR
+or at the machine console (not telnet/rsh, etc), this is safe\&.
+.SH "OPTIONS"
+.PP
+GLOBAL OPTIONS
+.RS 4
+This can be used for
+\fIauth\fR
+and
+\fIaccount\fR
+module types\&.
+.PP
+\fBonerr=[\fR\fB\fIfail\fR\fR\fB|\fR\fB\fIsucceed\fR\fR\fB]\fR
+.RS 4
+If something weird happens (like unable to open the file), return with
+\fBPAM_SUCCESS\fR
+if
+\fBonerr=\fR\fB\fIsucceed\fR\fR
+is given, else with the corresponding PAM error code\&.
+.RE
+.PP
+\fBfile=\fR\fB\fI/path/to/counter\fR\fR
+.RS 4
+File where to keep counts\&. Default is
+/var/log/tallylog\&.
+.RE
+.PP
+\fBaudit\fR
+.RS 4
+Will log the user name into the system log if the user is not found\&.
+.RE
+.PP
+\fBsilent\fR
+.RS 4
+Don\*(Aqt print informative messages\&.
+.RE
+.PP
+\fBno_log_info\fR
+.RS 4
+Don\*(Aqt log informative messages via
+\fBsyslog\fR(3)\&.
+.RE
+.PP
+\fBdebug\fR
+.RS 4
+Always log tally count when it is incremented as a debug level message to the system log\&.
+.RE
+.RE
+.PP
+AUTH OPTIONS
+.RS 4
+Authentication phase first increments attempted login counter and checks if user should be denied access\&. If the user is authenticated and the login process continues on call to
+\fBpam_setcred\fR(3)
+it resets the attempts counter\&.
+.PP
+\fBdeny=\fR\fB\fIn\fR\fR
+.RS 4
+Deny access if tally for this user exceeds
+\fIn\fR\&.
+.RE
+.PP
+\fBlock_time=\fR\fB\fIn\fR\fR
+.RS 4
+Always deny for
+\fIn\fR
+seconds after failed attempt\&.
+.RE
+.PP
+\fBunlock_time=\fR\fB\fIn\fR\fR
+.RS 4
+Allow access after
+\fIn\fR
+seconds after failed attempt\&. If this option is used the user will be locked out for the specified amount of time after he exceeded his maximum allowed attempts\&. Otherwise the account is locked until the lock is removed by a manual intervention of the system administrator\&.
+.RE
+.PP
+\fBmagic_root\fR
+.RS 4
+If the module is invoked by a user with uid=0 the counter is not incremented\&. The sysadmin should use this for user launched services, like
+\fBsu\fR, otherwise this argument should be omitted\&.
+.RE
+.PP
+\fBeven_deny_root\fR
+.RS 4
+Root account can become unavailable\&.
+.RE
+.PP
+\fBroot_unlock_time=\fR\fB\fIn\fR\fR
+.RS 4
+This option implies
+\fBeven_deny_root\fR
+option\&. Allow access after
+\fIn\fR
+seconds to root account after failed attempt\&. If this option is used the root user will be locked out for the specified amount of time after he exceeded his maximum allowed attempts\&.
+.RE
+.PP
+\fBserialize\fR
+.RS 4
+Serialize access to the tally file using locks\&. This option might be used only for non\-multithreaded services because it depends on the fcntl locking of the tally file\&. Also it is a good idea to use this option only in such configurations where the time between auth phase and account or setcred phase is not dependent on the authenticating client\&. Otherwise the authenticating client will be able to prevent simultaneous authentications by the same user by simply artificially prolonging the time the file record lock is held\&.
+.RE
+.RE
+.PP
+ACCOUNT OPTIONS
+.RS 4
+Account phase resets attempts counter if the user is
+\fBnot\fR
+magic root\&. This phase can be used optionally for services which don\*(Aqt call
+\fBpam_setcred\fR(3)
+correctly or if the reset should be done regardless of the failure of the account phase of other modules\&.
+.PP
+\fBmagic_root\fR
+.RS 4
+If the module is invoked by a user with uid=0 the counter is not changed\&. The sysadmin should use this for user launched services, like
+\fBsu\fR, otherwise this argument should be omitted\&.
+.RE
+.RE
+.SH "MODULE TYPES PROVIDED"
+.PP
+The
+\fBauth\fR
+and
+\fBaccount\fR
+module types are provided\&.
+.SH "RETURN VALUES"
+.PP
+PAM_AUTH_ERR
+.RS 4
+A invalid option was given, the module was not able to retrieve the user name, no valid counter file was found, or too many failed logins\&.
+.RE
+.PP
+PAM_SUCCESS
+.RS 4
+Everything was successful\&.
+.RE
+.PP
+PAM_USER_UNKNOWN
+.RS 4
+User not known\&.
+.RE
+.SH "NOTES"
+.PP
+pam_tally2 is not compatible with the old pam_tally faillog file format\&. This is caused by requirement of compatibility of the tallylog file format between 32bit and 64bit architectures on multiarch systems\&.
+.PP
+There is no setuid wrapper for access to the data file such as when the
+\fBpam_tally2\&.so\fR
+module is called from xscreensaver\&. As this would make it impossible to share PAM configuration with such services the following workaround is used: If the data file cannot be opened because of insufficient permissions (\fBEACCES\fR) the module returns
+\fBPAM_IGNORE\fR\&.
+.SH "EXAMPLES"
+.PP
+Add the following line to
+/etc/pam\&.d/login
+to lock the account after 4 failed logins\&. Root account will be locked as well\&. The accounts will be automatically unlocked after 20 minutes\&. The module does not have to be called in the account phase because the
+\fBlogin\fR
+calls
+\fBpam_setcred\fR(3)
+correctly\&.
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+auth required pam_securetty\&.so
+auth required pam_tally2\&.so deny=4 even_deny_root unlock_time=1200
+auth required pam_env\&.so
+auth required pam_unix\&.so
+auth required pam_nologin\&.so
+account required pam_unix\&.so
+password required pam_unix\&.so
+session required pam_limits\&.so
+session required pam_unix\&.so
+session required pam_lastlog\&.so nowtmp
+session optional pam_mail\&.so standard
+
+.fi
+.if n \{\
+.RE
+.\}
+.SH "FILES"
+.PP
+/var/log/tallylog
+.RS 4
+failure count logging file
+.RE
+.SH "SEE ALSO"
+.PP
+\fBpam.conf\fR(5),
+\fBpam.d\fR(5),
+\fBpam\fR(8)
+.SH "AUTHOR"
+.PP
+pam_tally2 was written by Tim Baverstock and Tomas Mraz\&.