diff options
Diffstat (limited to 'modules/pam_tally2')
-rw-r--r-- | modules/pam_tally2/Makefile.am | 40 | ||||
-rw-r--r-- | modules/pam_tally2/Makefile.in | 739 | ||||
-rw-r--r-- | modules/pam_tally2/README | 153 | ||||
-rw-r--r-- | modules/pam_tally2/README.xml | 46 | ||||
-rw-r--r-- | modules/pam_tally2/pam_tally2.8 | 402 | ||||
-rw-r--r-- | modules/pam_tally2/pam_tally2.8.xml | 449 | ||||
-rw-r--r-- | modules/pam_tally2/pam_tally2.c | 1057 | ||||
-rw-r--r-- | modules/pam_tally2/pam_tally2_app.c | 7 | ||||
-rw-r--r-- | modules/pam_tally2/tallylog.h | 52 | ||||
-rwxr-xr-x | modules/pam_tally2/tst-pam_tally2 | 2 |
10 files changed, 2947 insertions, 0 deletions
diff --git a/modules/pam_tally2/Makefile.am b/modules/pam_tally2/Makefile.am new file mode 100644 index 00000000..06cdf554 --- /dev/null +++ b/modules/pam_tally2/Makefile.am @@ -0,0 +1,40 @@ +# +# Copyright (c) 2005, 2006, 2007 Thorsten Kukuk <kukuk@thkukuk.de> +# Copyright (c) 2008 Red Hat, Inc. +# + +CLEANFILES = *~ + +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_tally2 + +man_MANS = pam_tally2.8 +XMLS = README.xml pam_tally2.8.xml + +TESTS = tst-pam_tally2 + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +noinst_HEADERS = tallylog.h + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include + +pam_tally2_la_LDFLAGS = -no-undefined -avoid-version -module +pam_tally2_la_LIBADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT) +if HAVE_VERSIONING + pam_tally2_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +pam_tally2_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT) + +securelib_LTLIBRARIES = pam_tally2.la +sbin_PROGRAMS = pam_tally2 + +pam_tally2_la_SOURCES = pam_tally2.c +pam_tally2_SOURCES = pam_tally2_app.c + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_tally2.8.xml +-include $(top_srcdir)/Make.xml.rules +endif diff --git a/modules/pam_tally2/Makefile.in b/modules/pam_tally2/Makefile.in new file mode 100644 index 00000000..dc99b9d5 --- /dev/null +++ b/modules/pam_tally2/Makefile.in @@ -0,0 +1,739 @@ +# Makefile.in generated by automake 1.10.2 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006, 2007 Thorsten Kukuk <kukuk@thkukuk.de> +# Copyright (c) 2008 Red Hat, Inc. +# + + + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +sbin_PROGRAMS = pam_tally2$(EXEEXT) +subdir = modules/pam_tally2 +DIST_COMMON = README $(noinst_HEADERS) $(srcdir)/Makefile.am \ + $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ + $(top_srcdir)/m4/japhar_grep_cflags.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ + $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \ + $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/m4/nls.m4 \ + $(top_srcdir)/m4/po.m4 $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(sbindir)" \ + "$(DESTDIR)$(man8dir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +am__DEPENDENCIES_1 = +pam_tally2_la_DEPENDENCIES = $(am__DEPENDENCIES_1) +am_pam_tally2_la_OBJECTS = pam_tally2.lo +pam_tally2_la_OBJECTS = $(am_pam_tally2_la_OBJECTS) +pam_tally2_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(pam_tally2_la_LDFLAGS) $(LDFLAGS) -o $@ +sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM) +PROGRAMS = $(sbin_PROGRAMS) +am_pam_tally2_OBJECTS = pam_tally2_app.$(OBJEXT) +pam_tally2_OBJECTS = $(am_pam_tally2_OBJECTS) +pam_tally2_DEPENDENCIES = $(am__DEPENDENCIES_1) +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(pam_tally2_la_SOURCES) $(pam_tally2_SOURCES) +DIST_SOURCES = $(pam_tally2_la_SOURCES) $(pam_tally2_SOURCES) +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +HEADERS = $(noinst_HEADERS) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +FO2PDF = @FO2PDF@ +GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_tally2 +man_MANS = pam_tally2.8 +XMLS = README.xml pam_tally2.8.xml +TESTS = tst-pam_tally2 +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +noinst_HEADERS = tallylog.h +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +pam_tally2_la_LDFLAGS = -no-undefined -avoid-version -module \ + $(am__append_1) +pam_tally2_la_LIBADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT) +pam_tally2_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT) +securelib_LTLIBRARIES = pam_tally2.la +pam_tally2_la_SOURCES = pam_tally2.c +pam_tally2_SOURCES = pam_tally2_app.c +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_tally2/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_tally2/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_tally2.la: $(pam_tally2_la_OBJECTS) $(pam_tally2_la_DEPENDENCIES) + $(pam_tally2_la_LINK) -rpath $(securelibdir) $(pam_tally2_la_OBJECTS) $(pam_tally2_la_LIBADD) $(LIBS) +install-sbinPROGRAMS: $(sbin_PROGRAMS) + @$(NORMAL_INSTALL) + test -z "$(sbindir)" || $(MKDIR_P) "$(DESTDIR)$(sbindir)" + @list='$(sbin_PROGRAMS)'; for p in $$list; do \ + p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ + if test -f $$p \ + || test -f $$p1 \ + ; then \ + f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ + echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(sbinPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(sbindir)/$$f'"; \ + $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(sbinPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(sbindir)/$$f" || exit 1; \ + else :; fi; \ + done + +uninstall-sbinPROGRAMS: + @$(NORMAL_UNINSTALL) + @list='$(sbin_PROGRAMS)'; for p in $$list; do \ + f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ + echo " rm -f '$(DESTDIR)$(sbindir)/$$f'"; \ + rm -f "$(DESTDIR)$(sbindir)/$$f"; \ + done + +clean-sbinPROGRAMS: + @list='$(sbin_PROGRAMS)'; for p in $$list; do \ + f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f $$p $$f"; \ + rm -f $$p $$f ; \ + done +pam_tally2$(EXEEXT): $(pam_tally2_OBJECTS) $(pam_tally2_DEPENDENCIES) + @rm -f pam_tally2$(EXEEXT) + $(LINK) $(pam_tally2_OBJECTS) $(pam_tally2_LDADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_tally2.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_tally2_app.Po@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $$i; then file=$$i; \ + else file=$(srcdir)/$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *[\ \ ]$$tst[\ \ ]*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *[\ \ ]$$tst[\ \ ]*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$all" -eq 1; then \ + tests="test"; \ + All=""; \ + else \ + tests="tests"; \ + All="All "; \ + fi; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="$$All$$all $$tests passed"; \ + else \ + if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \ + banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all $$tests failed"; \ + else \ + if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \ + banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + if test "$$skip" -eq 1; then \ + skipped="($$skip test was not run)"; \ + else \ + skipped="($$skip tests were not run)"; \ + fi; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(DATA) $(HEADERS) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-sbinPROGRAMS \ + clean-securelibLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: install-sbinPROGRAMS + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-sbinPROGRAMS \ + uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-sbinPROGRAMS \ + clean-securelibLTLIBRARIES ctags distclean distclean-compile \ + distclean-generic distclean-libtool distclean-tags distdir dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-man8 \ + install-pdf install-pdf-am install-ps install-ps-am \ + install-sbinPROGRAMS install-securelibLTLIBRARIES \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am uninstall-man \ + uninstall-man8 uninstall-sbinPROGRAMS \ + uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_tally2.8.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/modules/pam_tally2/README b/modules/pam_tally2/README new file mode 100644 index 00000000..8005474b --- /dev/null +++ b/modules/pam_tally2/README @@ -0,0 +1,153 @@ +pam_tally2 — The login counter (tallying) module + +━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ + +DESCRIPTION + +This module maintains a count of attempted accesses, can reset count on +success, can deny access if too many attempts fail. + +pam_tally2 comes in two parts: pam_tally2.so and pam_tally2. The former is the +PAM module and the latter, a stand-alone program. pam_tally2 is an (optional) +application which can be used to interrogate and manipulate the counter file. +It can display users' counts, set individual counts, or clear all counts. +Setting artificially high counts may be useful for blocking users without +changing their passwords. For example, one might find it useful to clear all +counts every midnight from a cron job. + +Normally, failed attempts to access root will not cause the root account to +become blocked, to prevent denial-of-service: if your users aren't given shell +accounts and root may only login via su or at the machine console (not telnet/ +rsh, etc), this is safe. + +OPTIONS + +GLOBAL OPTIONS + + This can be used for auth and account module types. + + onerr=[fail|succeed] + + If something weird happens (like unable to open the file), return with + PAM_SUCCESS if onerr=succeed is given, else with the corresponding PAM + error code. + + file=/path/to/counter + + File where to keep counts. Default is /var/log/tallylog. + + audit + + Will log the user name into the system log if the user is not found. + + silent + + Don't print informative messages. + + no_log_info + + Don't log informative messages via syslog(3). + +AUTH OPTIONS + + Authentication phase first increments attempted login counter and checks if + user should be denied access. If the user is authenticated and the login + process continues on call to pam_setcred(3) it resets the attempts counter. + + deny=n + + Deny access if tally for this user exceeds n. + + lock_time=n + + Always deny for n seconds after failed attempt. + + unlock_time=n + + Allow access after n seconds after failed attempt. If this option is + used the user will be locked out for the specified amount of time after + he exceeded his maximum allowed attempts. Otherwise the account is + locked until the lock is removed by a manual intervention of the system + administrator. + + magic_root + + If the module is invoked by a user with uid=0 the counter is not + incremented. The sysadmin should use this for user launched services, + like su, otherwise this argument should be omitted. + + no_lock_time + + Do not use the .fail_locktime field in /var/log/faillog for this user. + + even_deny_root + + Root account can become unavailable. + + root_unlock_time=n + + This option implies even_deny_root option. Allow access after n seconds + to root account after failed attempt. If this option is used the root + user will be locked out for the specified amount of time after he + exceeded his maximum allowed attempts. + + serialize + + Serialize access to the tally file using locks. This option might be + used only for non-multithreaded services because it depends on the + fcntl locking of the tally file. Also it is a good idea to use this + option only in such configurations where the time between auth phase + and account or setcred phase is not dependent on the authenticating + client. Otherwise the authenticating client will be able to prevent + simultaneous authentications by the same user by simply artificially + prolonging the time the file record lock is held. + +ACCOUNT OPTIONS + + Account phase resets attempts counter if the user is not magic root. This + phase can be used optionally for services which don't call pam_setcred(3) + correctly or if the reset should be done regardless of the failure of the + account phase of other modules. + + magic_root + + If the module is invoked by a user with uid=0 the counter is not + changed. The sysadmin should use this for user launched services, like + su, otherwise this argument should be omitted. + +NOTES + +pam_tally2 is not compatible with the old pam_tally faillog file format. This +is caused by requirement of compatibility of the tallylog file format between +32bit and 64bit architectures on multiarch systems. + +There is no setuid wrapper for access to the data file such as when the +pam_tally2.so module is called from xscreensaver. As this would make it +impossible to share PAM configuration with such services the following +workaround is used: If the data file cannot be opened because of insufficient +permissions (EACCES) the module returns PAM_IGNORE. + +EXAMPLES + +Add the following line to /etc/pam.d/login to lock the account after 4 failed +logins. Root account will be locked as well. The accounts will be automatically +unlocked after 20 minutes. The module does not have to be called in the account +phase because the login calls pam_setcred(3) correctly. + +auth required pam_securetty.so +auth required pam_tally2.so deny=4 even_deny_root unlock_time=1200 +auth required pam_env.so +auth required pam_unix.so +auth required pam_nologin.so +account required pam_unix.so +password required pam_unix.so +session required pam_limits.so +session required pam_unix.so +session required pam_lastlog.so nowtmp +session optional pam_mail.so standard + + +AUTHOR + +pam_tally2 was written by Tim Baverstock and Tomas Mraz. + diff --git a/modules/pam_tally2/README.xml b/modules/pam_tally2/README.xml new file mode 100644 index 00000000..aa470570 --- /dev/null +++ b/modules/pam_tally2/README.xml @@ -0,0 +1,46 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_tally2.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_tally2.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_tally2-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_tally2.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally2-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_tally2.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally2-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_tally2.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally2-notes"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_tally2.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally2-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_tally2.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally2-author"]/*)'/> + </section> + +</article> diff --git a/modules/pam_tally2/pam_tally2.8 b/modules/pam_tally2/pam_tally2.8 new file mode 100644 index 00000000..4255e7f1 --- /dev/null +++ b/modules/pam_tally2/pam_tally2.8 @@ -0,0 +1,402 @@ +.\" Title: pam_tally2 +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/> +.\" Date: 06/16/2009 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_TALLY2" "8" "06/16/2009" "Linux-PAM Manual" "Linux\-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * (re)Define some macros +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" toupper - uppercase a string (locale-aware) +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de toupper +.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ +\\$* +.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz +.. +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" SH-xref - format a cross-reference to an SH section +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de SH-xref +.ie n \{\ +.\} +.toupper \\$* +.el \{\ +\\$* +.\} +.. +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" SH - level-one heading that works better for non-TTY output +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de1 SH +.\" put an extra blank line of space above the head in non-TTY output +.if t \{\ +.sp 1 +.\} +.sp \\n[PD]u +.nr an-level 1 +.set-an-margin +.nr an-prevailing-indent \\n[IN] +.fi +.in \\n[an-margin]u +.ti 0 +.HTML-TAG ".NH \\n[an-level]" +.it 1 an-trap +.nr an-no-space-flag 1 +.nr an-break-flag 1 +\." make the size of the head bigger +.ps +3 +.ft B +.ne (2v + 1u) +.ie n \{\ +.\" if n (TTY output), use uppercase +.toupper \\$* +.\} +.el \{\ +.nr an-break-flag 0 +.\" if not n (not TTY), use normal case (not uppercase) +\\$1 +.in \\n[an-margin]u +.ti 0 +.\" if not n (not TTY), put a border/line under subheading +.sp -.6 +\l'\n(.lu' +.\} +.. +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" SS - level-two heading that works better for non-TTY output +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de1 SS +.sp \\n[PD]u +.nr an-level 1 +.set-an-margin +.nr an-prevailing-indent \\n[IN] +.fi +.in \\n[IN]u +.ti \\n[SN]u +.it 1 an-trap +.nr an-no-space-flag 1 +.nr an-break-flag 1 +.ps \\n[PS-SS]u +\." make the size of the head bigger +.ps +2 +.ft B +.ne (2v + 1u) +.if \\n[.$] \&\\$* +.. +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" BB/BE - put background/screen (filled box) around block of text +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de BB +.if t \{\ +.sp -.5 +.br +.in +2n +.ll -2n +.gcolor red +.di BX +.\} +.. +.de EB +.if t \{\ +.if "\\$2"adjust-for-leading-newline" \{\ +.sp -1 +.\} +.br +.di +.in +.ll +.gcolor +.nr BW \\n(.lu-\\n(.i +.nr BH \\n(dn+.5v +.ne \\n(BHu+.5v +.ie "\\$2"adjust-for-leading-newline" \{\ +\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] +.\} +.el \{\ +\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] +.\} +.in 0 +.sp -.5v +.nf +.BX +.in +.sp .5v +.fi +.\} +.. +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" BM/EM - put colored marker in margin next to block of text +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de BM +.if t \{\ +.br +.ll -2n +.gcolor red +.di BX +.\} +.. +.de EM +.if t \{\ +.br +.di +.ll +.gcolor +.nr BH \\n(dn +.ne \\n(BHu +\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] +.in 0 +.nf +.BX +.in +.fi +.\} +.. +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "Name" +pam_tally2 \- The login counter (tallying) module +.SH "Synopsis" +.fam C +.HP \w'\fBpam_tally2\&.so\fR\ 'u +\fBpam_tally2\&.so\fR [file=\fI/path/to/counter\fR] [onerr=[\fIfail\fR|\fIsucceed\fR]] [magic_root] [even_deny_root] [deny=\fIn\fR] [lock_time=\fIn\fR] [unlock_time=\fIn\fR] [root_unlock_time=\fIn\fR] [serialize] [audit] [silent] [no_log_info] +.fam +.fam C +.HP \w'\fBpam_tally2\fR\ 'u +\fBpam_tally2\fR [\-\-file\ \fI/path/to/counter\fR] [\-\-user\ \fIusername\fR] [\-\-reset[=\fIn\fR]] [\-\-quiet] +.fam +.SH "DESCRIPTION" +.PP +This module maintains a count of attempted accesses, can reset count on success, can deny access if too many attempts fail\&. +.PP +pam_tally2 comes in two parts: +\fBpam_tally2\&.so\fR +and +\fBpam_tally2\fR\&. The former is the PAM module and the latter, a stand\-alone program\&. +\fBpam_tally2\fR +is an (optional) application which can be used to interrogate and manipulate the counter file\&. It can display users\' counts, set individual counts, or clear all counts\&. Setting artificially high counts may be useful for blocking users without changing their passwords\&. For example, one might find it useful to clear all counts every midnight from a cron job\&. +.PP +Normally, failed attempts to access +\fIroot\fR +will +\fBnot\fR +cause the root account to become blocked, to prevent denial\-of\-service: if your users aren\'t given shell accounts and root may only login via +\fBsu\fR +or at the machine console (not telnet/rsh, etc), this is safe\&. +.SH "OPTIONS" +.PP +GLOBAL OPTIONS +.RS 4 +This can be used for +\fIauth\fR +and +\fIaccount\fR +module types\&. +.PP +\fBonerr=[\fR\fB\fIfail\fR\fR\fB|\fR\fB\fIsucceed\fR\fR\fB]\fR +.RS 4 +If something weird happens (like unable to open the file), return with +\fBPAM_SUCCESS\fR +if +\fBonerr=\fR\fB\fIsucceed\fR\fR +is given, else with the corresponding PAM error code\&. +.RE +.PP +\fBfile=\fR\fB\fI/path/to/counter\fR\fR +.RS 4 +File where to keep counts\&. Default is +\FC/var/log/tallylog\F[]\&. +.RE +.PP +\fBaudit\fR +.RS 4 +Will log the user name into the system log if the user is not found\&. +.RE +.PP +\fBsilent\fR +.RS 4 +Don\'t print informative messages\&. +.RE +.PP +\fBno_log_info\fR +.RS 4 +Don\'t log informative messages via +\fBsyslog\fR(3)\&. +.RE +.RE +.PP +AUTH OPTIONS +.RS 4 +Authentication phase first increments attempted login counter and checks if user should be denied access\&. If the user is authenticated and the login process continues on call to +\fBpam_setcred\fR(3) +it resets the attempts counter\&. +.PP +\fBdeny=\fR\fB\fIn\fR\fR +.RS 4 +Deny access if tally for this user exceeds +\fIn\fR\&. +.RE +.PP +\fBlock_time=\fR\fB\fIn\fR\fR +.RS 4 +Always deny for +\fIn\fR +seconds after failed attempt\&. +.RE +.PP +\fBunlock_time=\fR\fB\fIn\fR\fR +.RS 4 +Allow access after +\fIn\fR +seconds after failed attempt\&. If this option is used the user will be locked out for the specified amount of time after he exceeded his maximum allowed attempts\&. Otherwise the account is locked until the lock is removed by a manual intervention of the system administrator\&. +.RE +.PP +\fBmagic_root\fR +.RS 4 +If the module is invoked by a user with uid=0 the counter is not incremented\&. The sysadmin should use this for user launched services, like +\fBsu\fR, otherwise this argument should be omitted\&. +.RE +.PP +\fBno_lock_time\fR +.RS 4 +Do not use the \&.fail_locktime field in +\FC/var/log/faillog\F[] +for this user\&. +.RE +.PP +\fBeven_deny_root\fR +.RS 4 +Root account can become unavailable\&. +.RE +.PP +\fBroot_unlock_time=\fR\fB\fIn\fR\fR +.RS 4 +This option implies +\fBeven_deny_root\fR +option\&. Allow access after +\fIn\fR +seconds to root account after failed attempt\&. If this option is used the root user will be locked out for the specified amount of time after he exceeded his maximum allowed attempts\&. +.RE +.PP +\fBserialize\fR +.RS 4 +Serialize access to the tally file using locks\&. This option might be used only for non\-multithreaded services because it depends on the fcntl locking of the tally file\&. Also it is a good idea to use this option only in such configurations where the time between auth phase and account or setcred phase is not dependent on the authenticating client\&. Otherwise the authenticating client will be able to prevent simultaneous authentications by the same user by simply artificially prolonging the time the file record lock is held\&. +.RE +.RE +.PP +ACCOUNT OPTIONS +.RS 4 +Account phase resets attempts counter if the user is +\fBnot\fR +magic root\&. This phase can be used optionally for services which don\'t call +\fBpam_setcred\fR(3) +correctly or if the reset should be done regardless of the failure of the account phase of other modules\&. +.PP +\fBmagic_root\fR +.RS 4 +If the module is invoked by a user with uid=0 the counter is not changed\&. The sysadmin should use this for user launched services, like +\fBsu\fR, otherwise this argument should be omitted\&. +.RE +.RE +.SH "MODULE TYPES PROVIDED" +.PP +The +\fBauth\fR +and +\fBaccount\fR +module types are provided\&. +.SH "RETURN VALUES" +.PP +PAM_AUTH_ERR +.RS 4 +A invalid option was given, the module was not able to retrieve the user name, no valid counter file was found, or too many failed logins\&. +.RE +.PP +PAM_SUCCESS +.RS 4 +Everything was successful\&. +.RE +.PP +PAM_USER_UNKNOWN +.RS 4 +User not known\&. +.RE +.SH "NOTES" +.PP +pam_tally2 is not compatible with the old pam_tally faillog file format\&. This is caused by requirement of compatibility of the tallylog file format between 32bit and 64bit architectures on multiarch systems\&. +.PP +There is no setuid wrapper for access to the data file such as when the +\fBpam_tally2\&.so\fR +module is called from xscreensaver\&. As this would make it impossible to share PAM configuration with such services the following workaround is used: If the data file cannot be opened because of insufficient permissions (\fBEACCES\fR) the module returns +\fBPAM_IGNORE\fR\&. +.SH "EXAMPLES" +.PP +Add the following line to +\FC/etc/pam\&.d/login\F[] +to lock the account after 4 failed logins\&. Root account will be locked as well\&. The accounts will be automatically unlocked after 20 minutes\&. The module does not have to be called in the account phase because the +\fBlogin\fR +calls +\fBpam_setcred\fR(3) +correctly\&. +.sp +.if n \{\ +.RS 4 +.\} +.fam C +.ps -1 +.nf +.if t \{\ +.sp -1 +.\} +.BB lightgray adjust-for-leading-newline +.sp -1 + +auth required pam_securetty\&.so +auth required pam_tally2\&.so deny=4 even_deny_root unlock_time=1200 +auth required pam_env\&.so +auth required pam_unix\&.so +auth required pam_nologin\&.so +account required pam_unix\&.so +password required pam_unix\&.so +session required pam_limits\&.so +session required pam_unix\&.so +session required pam_lastlog\&.so nowtmp +session optional pam_mail\&.so standard + +.EB lightgray adjust-for-leading-newline +.if t \{\ +.sp 1 +.\} +.fi +.fam +.ps +1 +.if n \{\ +.RE +.\} +.SH "FILES" +.PP +\FC/var/log/tallylog\F[] +.RS 4 +failure count logging file +.RE +.SH "SEE ALSO" +.PP + +\fBpam.conf\fR(5), +\fBpam.d\fR(5), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_tally2 was written by Tim Baverstock and Tomas Mraz\&. diff --git a/modules/pam_tally2/pam_tally2.8.xml b/modules/pam_tally2/pam_tally2.8.xml new file mode 100644 index 00000000..4ad529fd --- /dev/null +++ b/modules/pam_tally2/pam_tally2.8.xml @@ -0,0 +1,449 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_tally2"> + + <refmeta> + <refentrytitle>pam_tally2</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_tally2-name"> + <refname>pam_tally2</refname> + <refpurpose>The login counter (tallying) module</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_tally2-cmdsynopsis1"> + <command>pam_tally2.so</command> + <arg choice="opt"> + file=<replaceable>/path/to/counter</replaceable> + </arg> + <arg choice="opt"> + onerr=[<replaceable>fail</replaceable>|<replaceable>succeed</replaceable>] + </arg> + <arg choice="opt"> + magic_root + </arg> + <arg choice="opt"> + even_deny_root + </arg> + <arg choice="opt"> + deny=<replaceable>n</replaceable> + </arg> + <arg choice="opt"> + lock_time=<replaceable>n</replaceable> + </arg> + <arg choice="opt"> + unlock_time=<replaceable>n</replaceable> + </arg> + <arg choice="opt"> + root_unlock_time=<replaceable>n</replaceable> + </arg> + <arg choice="opt"> + serialize + </arg> + <arg choice="opt"> + audit + </arg> + <arg choice="opt"> + silent + </arg> + <arg choice="opt"> + no_log_info + </arg> + </cmdsynopsis> + <cmdsynopsis id="pam_tally2-cmdsynopsis2"> + <command>pam_tally2</command> + <arg choice="opt"> + --file <replaceable>/path/to/counter</replaceable> + </arg> + <arg choice="opt"> + --user <replaceable>username</replaceable> + </arg> + <arg choice="opt"> + --reset[=<replaceable>n</replaceable>] + </arg> + <arg choice="opt"> + --quiet + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_tally2-description"> + + <title>DESCRIPTION</title> + + <para> + This module maintains a count of attempted accesses, can + reset count on success, can deny access if too many attempts fail. + </para> + <para> + pam_tally2 comes in two parts: + <emphasis remap='B'>pam_tally2.so</emphasis> and + <command>pam_tally2</command>. The former is the PAM module and + the latter, a stand-alone program. <command>pam_tally2</command> + is an (optional) application which can be used to interrogate and + manipulate the counter file. It can display users' counts, set + individual counts, or clear all counts. Setting artificially high + counts may be useful for blocking users without changing their + passwords. For example, one might find it useful to clear all counts + every midnight from a cron job. + </para> + <para> + Normally, failed attempts to access <emphasis>root</emphasis> will + <emphasis remap='B'>not</emphasis> cause the root account to become + blocked, to prevent denial-of-service: if your users aren't given + shell accounts and root may only login via <command>su</command> or + at the machine console (not telnet/rsh, etc), this is safe. + </para> + </refsect1> + + <refsect1 id="pam_tally2-options"> + + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + GLOBAL OPTIONS + </term> + <listitem> + <para> + This can be used for <emphasis>auth</emphasis> and + <emphasis>account</emphasis> module types. + </para> + <variablelist> + <varlistentry> + <term> + <option>onerr=[<replaceable>fail</replaceable>|<replaceable>succeed</replaceable>]</option> + </term> + <listitem> + <para> + If something weird happens (like unable to open the file), + return with <errorcode>PAM_SUCCESS</errorcode> if + <option>onerr=<replaceable>succeed</replaceable></option> + is given, else with the corresponding PAM error code. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>file=<replaceable>/path/to/counter</replaceable></option> + </term> + <listitem> + <para> + File where to keep counts. Default is + <filename>/var/log/tallylog</filename>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>audit</option> + </term> + <listitem> + <para> + Will log the user name into the system log if the user is not found. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>silent</option> + </term> + <listitem> + <para> + Don't print informative messages. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>no_log_info</option> + </term> + <listitem> + <para> + Don't log informative messages via <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>. + </para> + </listitem> + </varlistentry> + </variablelist> + </listitem> + </varlistentry> + + <varlistentry> + <term> + AUTH OPTIONS + </term> + <listitem> + <para> + Authentication phase first increments attempted login counter and + checks if user should be denied access. If the user is authenticated + and the login process continues on call to <citerefentry> + <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> it resets the attempts counter. + </para> + <variablelist> + <varlistentry> + <term> + <option>deny=<replaceable>n</replaceable></option> + </term> + <listitem> + <para> + Deny access if tally for this user exceeds + <replaceable>n</replaceable>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>lock_time=<replaceable>n</replaceable></option> + </term> + <listitem> + <para> + Always deny for <replaceable>n</replaceable> seconds + after failed attempt. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>unlock_time=<replaceable>n</replaceable></option> + </term> + <listitem> + <para> + Allow access after <replaceable>n</replaceable> seconds + after failed attempt. If this option is used the user will + be locked out for the specified amount of time after he + exceeded his maximum allowed attempts. Otherwise the + account is locked until the lock is removed by a manual + intervention of the system administrator. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>magic_root</option> + </term> + <listitem> + <para> + If the module is invoked by a user with uid=0 the + counter is not incremented. The sysadmin should use this + for user launched services, like <command>su</command>, + otherwise this argument should be omitted. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>no_lock_time</option> + </term> + <listitem> + <para> + Do not use the .fail_locktime field in + <filename>/var/log/faillog</filename> for this user. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>even_deny_root</option> + </term> + <listitem> + <para> + Root account can become unavailable. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>root_unlock_time=<replaceable>n</replaceable></option> + </term> + <listitem> + <para> + This option implies <option>even_deny_root</option> option. + Allow access after <replaceable>n</replaceable> seconds + to root account after failed attempt. If this option is used + the root user will be locked out for the specified amount of + time after he exceeded his maximum allowed attempts. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>serialize</option> + </term> + <listitem> + <para> + Serialize access to the tally file using locks. This option might + be used only for non-multithreaded services because it depends on + the fcntl locking of the tally file. Also it is a good idea to use + this option only in such configurations where the time between auth + phase and account or setcred phase is not dependent on the + authenticating client. Otherwise the authenticating client will be + able to prevent simultaneous authentications by the same user by + simply artificially prolonging the time the file record lock is held. + </para> + </listitem> + </varlistentry> + </variablelist> + </listitem> + </varlistentry> + + + <varlistentry> + <term> + ACCOUNT OPTIONS + </term> + <listitem> + <para> + Account phase resets attempts counter if the user is + <emphasis remap='B'>not</emphasis> magic root. + This phase can be used optionally for services which don't call + <citerefentry> + <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> correctly or if the reset should be done regardless + of the failure of the account phase of other modules. + </para> + <variablelist> + <varlistentry> + <term> + <option>magic_root</option> + </term> + <listitem> + <para> + If the module is invoked by a user with uid=0 the + counter is not changed. The sysadmin should use this + for user launched services, like <command>su</command>, + otherwise this argument should be omitted. + </para> + </listitem> + </varlistentry> + </variablelist> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_tally2-types"> + <title>MODULE TYPES PROVIDED</title> + <para> + The <option>auth</option> and <option>account</option> + module types are provided. + </para> + </refsect1> + + <refsect1 id='pam_tally2-return_values'> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para> + A invalid option was given, the module was not able + to retrieve the user name, no valid counter file + was found, or too many failed logins. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Everything was successful. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + User not known. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_tally2-notes'> + <title>NOTES</title> + <para> + pam_tally2 is not compatible with the old pam_tally faillog file format. + This is caused by requirement of compatibility of the tallylog file + format between 32bit and 64bit architectures on multiarch systems. + </para> + <para> + There is no setuid wrapper for access to the data file such as when the + <emphasis remap='B'>pam_tally2.so</emphasis> module is called from + xscreensaver. As this would make it impossible to share PAM configuration + with such services the following workaround is used: If the data file + cannot be opened because of insufficient permissions + (<errorcode>EACCES</errorcode>) the module returns + <errorcode>PAM_IGNORE</errorcode>. + </para> + </refsect1> + + <refsect1 id='pam_tally2-examples'> + <title>EXAMPLES</title> + <para> + Add the following line to <filename>/etc/pam.d/login</filename> to + lock the account after 4 failed logins. Root account will be locked + as well. The accounts will be automatically unlocked after 20 minutes. + The module does not have to be called in the account phase because the + <command>login</command> calls <citerefentry> + <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> correctly. + </para> + <programlisting> +auth required pam_securetty.so +auth required pam_tally2.so deny=4 even_deny_root unlock_time=1200 +auth required pam_env.so +auth required pam_unix.so +auth required pam_nologin.so +account required pam_unix.so +password required pam_unix.so +session required pam_limits.so +session required pam_unix.so +session required pam_lastlog.so nowtmp +session optional pam_mail.so standard + </programlisting> + </refsect1> + + <refsect1 id="pam_tally2-files"> + <title>FILES</title> + <variablelist> + <varlistentry> + <term><filename>/var/log/tallylog</filename></term> + <listitem> + <para>failure count logging file</para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_tally2-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_tally2-author'> + <title>AUTHOR</title> + <para> + pam_tally2 was written by Tim Baverstock and Tomas Mraz. + </para> + </refsect1> + +</refentry> + diff --git a/modules/pam_tally2/pam_tally2.c b/modules/pam_tally2/pam_tally2.c new file mode 100644 index 00000000..3490aa15 --- /dev/null +++ b/modules/pam_tally2/pam_tally2.c @@ -0,0 +1,1057 @@ +/* + * pam_tally2.c + * + */ + + +/* By Tim Baverstock <warwick@mmm.co.uk>, Multi Media Machine Ltd. + * 5 March 1997 + * + * Stuff stolen from pam_rootok and pam_listfile + * + * Changes by Tomas Mraz <tmraz@redhat.com> 5 January 2005, 26 January 2006 + * Audit option added for Tomas patch by Sebastien Tricaud <toady@gscore.org> 13 January 2005 + * Portions Copyright 2006, Red Hat, Inc. + * Portions Copyright 1989 - 1993, Julianne Frances Haugh + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Julianne F. Haugh nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "config.h" + +#if defined(MAIN) && defined(MEMORY_DEBUG) +# undef exit +#endif /* defined(MAIN) && defined(MEMORY_DEBUG) */ + +#include <stdio.h> +#include <string.h> +#include <unistd.h> +#include <stdarg.h> +#include <stdlib.h> +#include <syslog.h> +#include <pwd.h> +#include <time.h> +#include <stdint.h> +#include <errno.h> +#ifdef HAVE_LIBAUDIT +#include <libaudit.h> +#endif + +#include <sys/types.h> +#include <sys/stat.h> +#include <sys/param.h> +#include <fcntl.h> +#include <unistd.h> +#include <signal.h> +#include "tallylog.h" + +#ifndef TRUE +#define TRUE 1L +#define FALSE 0L +#endif + +#ifndef HAVE_FSEEKO +#define fseeko fseek +#endif + +/* + * here, we make a definition for the externally accessible function + * in this file (this definition is required for static a module + * but strongly encouraged generally) it is used to instruct the + * modules include file to define the function prototypes. + */ + +#ifndef MAIN +#define PAM_SM_AUTH +#define PAM_SM_ACCOUNT +/* #define PAM_SM_SESSION */ +/* #define PAM_SM_PASSWORD */ + +#include <security/pam_ext.h> +#endif +#include <security/pam_modutil.h> +#include <security/pam_modules.h> + +/*---------------------------------------------------------------------*/ + +#define DEFAULT_LOGFILE "/var/log/tallylog" +#define MODULE_NAME "pam_tally2" + +#define tally_t uint16_t +#define TALLY_HI ((tally_t)~0L) + +struct tally_options { + const char *filename; + tally_t deny; + long lock_time; + long unlock_time; + long root_unlock_time; + unsigned int ctrl; +}; + +#define PHASE_UNKNOWN 0 +#define PHASE_AUTH 1 +#define PHASE_ACCOUNT 2 +#define PHASE_SESSION 3 + +#define OPT_MAGIC_ROOT 01 +#define OPT_FAIL_ON_ERROR 02 +#define OPT_DENY_ROOT 04 +#define OPT_QUIET 040 +#define OPT_AUDIT 0100 +#define OPT_NOLOGNOTICE 0400 +#define OPT_SERIALIZE 01000 + +#define MAX_LOCK_WAITING_TIME 10 + +/*---------------------------------------------------------------------*/ + +/* some syslogging */ + +#ifdef MAIN +#define pam_syslog tally_log +static void +tally_log (const pam_handle_t *pamh UNUSED, int priority UNUSED, + const char *fmt, ...) +{ + va_list args; + + va_start(args, fmt); + fprintf(stderr, "%s: ", MODULE_NAME); + vfprintf(stderr, fmt, args); + fprintf(stderr,"\n"); + va_end(args); +} + +#define pam_modutil_getpwnam(pamh, user) getpwnam(user) +#endif + +/*---------------------------------------------------------------------*/ + +/* --- Support function: parse arguments --- */ + +#ifndef MAIN + +static void +log_phase_no_auth(pam_handle_t *pamh, int phase, const char *argv) +{ + if ( phase != PHASE_AUTH ) { + pam_syslog(pamh, LOG_ERR, + "option %s allowed in auth phase only", argv); + } +} + +static int +tally_parse_args(pam_handle_t *pamh, struct tally_options *opts, + int phase, int argc, const char **argv) +{ + memset(opts, 0, sizeof(*opts)); + opts->filename = DEFAULT_LOGFILE; + opts->ctrl = OPT_FAIL_ON_ERROR; + opts->root_unlock_time = -1; + + for ( ; argc-- > 0; ++argv ) { + + if ( ! strncmp( *argv, "file=", 5 ) ) { + const char *from = *argv + 5; + if ( *from!='/' ) { + pam_syslog(pamh, LOG_ERR, + "filename not /rooted; %s", *argv); + return PAM_AUTH_ERR; + } + opts->filename = from; + } + else if ( ! strcmp( *argv, "onerr=fail" ) ) { + opts->ctrl |= OPT_FAIL_ON_ERROR; + } + else if ( ! strcmp( *argv, "onerr=succeed" ) ) { + opts->ctrl &= ~OPT_FAIL_ON_ERROR; + } + else if ( ! strcmp( *argv, "magic_root" ) ) { + opts->ctrl |= OPT_MAGIC_ROOT; + } + else if ( ! strcmp( *argv, "serialize" ) ) { + opts->ctrl |= OPT_SERIALIZE; + } + else if ( ! strcmp( *argv, "even_deny_root_account" ) || + ! strcmp( *argv, "even_deny_root" ) ) { + log_phase_no_auth(pamh, phase, *argv); + opts->ctrl |= OPT_DENY_ROOT; + } + else if ( ! strncmp( *argv, "deny=", 5 ) ) { + log_phase_no_auth(pamh, phase, *argv); + if ( sscanf((*argv)+5,"%hu",&opts->deny) != 1 ) { + pam_syslog(pamh, LOG_ERR, "bad number supplied: %s", *argv); + return PAM_AUTH_ERR; + } + } + else if ( ! strncmp( *argv, "lock_time=", 10 ) ) { + log_phase_no_auth(pamh, phase, *argv); + if ( sscanf((*argv)+10,"%ld",&opts->lock_time) != 1 ) { + pam_syslog(pamh, LOG_ERR, "bad number supplied: %s", *argv); + return PAM_AUTH_ERR; + } + } + else if ( ! strncmp( *argv, "unlock_time=", 12 ) ) { + log_phase_no_auth(pamh, phase, *argv); + if ( sscanf((*argv)+12,"%ld",&opts->unlock_time) != 1 ) { + pam_syslog(pamh, LOG_ERR, "bad number supplied: %s", *argv); + return PAM_AUTH_ERR; + } + } + else if ( ! strncmp( *argv, "root_unlock_time=", 17 ) ) { + log_phase_no_auth(pamh, phase, *argv); + if ( sscanf((*argv)+17,"%ld",&opts->root_unlock_time) != 1 ) { + pam_syslog(pamh, LOG_ERR, "bad number supplied: %s", *argv); + return PAM_AUTH_ERR; + } + opts->ctrl |= OPT_DENY_ROOT; /* even_deny_root implied */ + } + else if ( ! strcmp( *argv, "quiet" ) || + ! strcmp ( *argv, "silent")) { + opts->ctrl |= OPT_QUIET; + } + else if ( ! strcmp ( *argv, "no_log_info") ) { + opts->ctrl |= OPT_NOLOGNOTICE; + } + else if ( ! strcmp ( *argv, "audit") ) { + opts->ctrl |= OPT_AUDIT; + } + else { + pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); + } + } + + if (opts->root_unlock_time == -1) + opts->root_unlock_time = opts->unlock_time; + + return PAM_SUCCESS; +} + +#endif /* #ifndef MAIN */ + +/*---------------------------------------------------------------------*/ + +/* --- Support function: get uid (and optionally username) from PAM or + cline_user --- */ + +#ifdef MAIN +static char *cline_user=0; /* cline_user is used in the administration prog */ +#endif + +static int +pam_get_uid(pam_handle_t *pamh, uid_t *uid, const char **userp, struct tally_options *opts) +{ + const char *user = NULL; + struct passwd *pw; + +#ifdef MAIN + user = cline_user; +#else + if ((pam_get_user( pamh, &user, NULL )) != PAM_SUCCESS) { + user = NULL; + } +#endif + + if ( !user || !*user ) { + pam_syslog(pamh, LOG_ERR, "pam_get_uid; user?"); + return PAM_AUTH_ERR; + } + + if ( ! ( pw = pam_modutil_getpwnam( pamh, user ) ) ) { + opts->ctrl & OPT_AUDIT ? + pam_syslog(pamh, LOG_ERR, "pam_get_uid; no such user %s", user) : + pam_syslog(pamh, LOG_ERR, "pam_get_uid; no such user"); + return PAM_USER_UNKNOWN; + } + + if ( uid ) *uid = pw->pw_uid; + if ( userp ) *userp = user; + return PAM_SUCCESS; +} + +/*---------------------------------------------------------------------*/ + +/* --- Support functions: set/get tally data --- */ + +#ifndef MAIN + +struct tally_data { + time_t time; + int tfile; +}; + +static void +_cleanup(pam_handle_t *pamh UNUSED, void *void_data, int error_status UNUSED) +{ + struct tally_data *data = void_data; + if (data->tfile != -1) + close(data->tfile); + free(data); +} + +static void +tally_set_data( pam_handle_t *pamh, time_t oldtime, int tfile ) +{ + struct tally_data *data; + + if ( (data=malloc(sizeof(*data))) != NULL ) { + data->time = oldtime; + data->tfile = tfile; + pam_set_data(pamh, MODULE_NAME, (void *)data, _cleanup); + } +} + +static int +tally_get_data( pam_handle_t *pamh, time_t *oldtime, int *tfile ) +{ + int rv; + const void *void_data; + const struct tally_data *data; + + rv = pam_get_data(pamh, MODULE_NAME, &void_data); + if ( rv == PAM_SUCCESS && void_data != NULL && oldtime != NULL ) { + data = void_data; + *oldtime = data->time; + *tfile = data->tfile; + } + else { + rv = -1; + *oldtime = 0; + } + return rv; +} +#endif /* #ifndef MAIN */ + +/*---------------------------------------------------------------------*/ + +/* --- Support function: open/create tallyfile and return tally for uid --- */ + +/* If on entry tallyfile doesn't exist, creation is attempted. */ + +static void +alarm_handler(int sig UNUSED) +{ /* we just need to ignore it */ +} + +static int +get_tally(pam_handle_t *pamh, uid_t uid, const char *filename, + int *tfile, struct tallylog *tally, unsigned int ctrl) +{ + struct stat fileinfo; + int lstat_ret; + void *void_tally = tally; + int preopened = 0; + + if (*tfile != -1) { + preopened = 1; + goto skip_open; + } + + lstat_ret = lstat(filename, &fileinfo); + if (lstat_ret) { + *tfile=open(filename, O_APPEND|O_CREAT, 0700); + /* Create file, or append-open in pathological case. */ + if (*tfile == -1) { +#ifndef MAIN + if (errno == EACCES) { + return PAM_IGNORE; /* called with insufficient access rights */ + } +#endif + pam_syslog(pamh, LOG_ALERT, "Couldn't create %s: %m", filename); + return PAM_AUTH_ERR; + } + lstat_ret = fstat(*tfile, &fileinfo); + close(*tfile); + } + + *tfile = -1; + + if ( lstat_ret ) { + pam_syslog(pamh, LOG_ALERT, "Couldn't stat %s", filename); + return PAM_AUTH_ERR; + } + + if ((fileinfo.st_mode & S_IWOTH) || !S_ISREG(fileinfo.st_mode)) { + /* If the file is world writable or is not a + normal file, return error */ + pam_syslog(pamh, LOG_ALERT, + "%s is either world writable or not a normal file", + filename); + return PAM_AUTH_ERR; + } + + if ((*tfile = open(filename, O_RDWR)) == -1) { +#ifndef MAIN + if (errno == EACCES) /* called with insufficient access rights */ + return PAM_IGNORE; +#endif + pam_syslog(pamh, LOG_ALERT, "Error opening %s for update: %m", filename); + + return PAM_AUTH_ERR; + } + +skip_open: + if (lseek(*tfile, (off_t)uid*(off_t)sizeof(*tally), SEEK_SET) == (off_t)-1) { + pam_syslog(pamh, LOG_ALERT, "lseek failed for %s: %m", filename); + if (!preopened) { + close(*tfile); + *tfile = -1; + } + return PAM_AUTH_ERR; + } + + if (!preopened && (ctrl & OPT_SERIALIZE)) { + /* this code is not thread safe as it uses fcntl locks and alarm() + so never use serialize with multithreaded services */ + struct sigaction newsa, oldsa; + unsigned int oldalarm; + int rv; + + memset(&newsa, '\0', sizeof(newsa)); + newsa.sa_handler = alarm_handler; + sigaction(SIGALRM, &newsa, &oldsa); + oldalarm = alarm(MAX_LOCK_WAITING_TIME); + + rv = lockf(*tfile, F_LOCK, sizeof(*tally)); + /* lock failure is not fatal, we attempt to read the tally anyway */ + + /* reinstate the eventual old alarm handler */ + if (rv == -1 && errno == EINTR) { + if (oldalarm > MAX_LOCK_WAITING_TIME) { + oldalarm -= MAX_LOCK_WAITING_TIME; + } else if (oldalarm > 0) { + oldalarm = 1; + } + } + sigaction(SIGALRM, &oldsa, NULL); + alarm(oldalarm); + } + + if (fileinfo.st_size < (off_t)(uid+1)*(off_t)sizeof(*tally)) { + memset(tally, 0, sizeof(*tally)); + } else if (pam_modutil_read(*tfile, void_tally, sizeof(*tally)) != sizeof(*tally)) { + memset(tally, 0, sizeof(*tally)); + /* Shouldn't happen */ + } + + tally->fail_line[sizeof(tally->fail_line)-1] = '\0'; + + return PAM_SUCCESS; +} + +/*---------------------------------------------------------------------*/ + +/* --- Support function: update tallyfile with tally!=TALLY_HI --- */ + +static int +set_tally(pam_handle_t *pamh, uid_t uid, + const char *filename, int *tfile, struct tallylog *tally) +{ + void *void_tally = tally; + if (tally->fail_cnt != TALLY_HI) { + if (lseek(*tfile, (off_t)uid * sizeof(*tally), SEEK_SET) == (off_t)-1) { + pam_syslog(pamh, LOG_ALERT, "lseek failed for %s: %m", filename); + return PAM_AUTH_ERR; + } + if (pam_modutil_write(*tfile, void_tally, sizeof(*tally)) != sizeof(*tally)) { + pam_syslog(pamh, LOG_ALERT, "update (write) failed for %s: %m", filename); + return PAM_AUTH_ERR; + } + } + + if (fsync(*tfile)) { + pam_syslog(pamh, LOG_ALERT, "update (fsync) failed for %s: %m", filename); + return PAM_AUTH_ERR; + } + return PAM_SUCCESS; +} + +/*---------------------------------------------------------------------*/ + +/* --- PAM bits --- */ + +#ifndef MAIN + +#define RETURN_ERROR(i) return ((opts->ctrl & OPT_FAIL_ON_ERROR)?(i):(PAM_SUCCESS)) + +/*---------------------------------------------------------------------*/ + +static int +tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid, + const char *user, struct tally_options *opts, + struct tallylog *tally) +{ + int rv = PAM_SUCCESS; +#ifdef HAVE_LIBAUDIT + char buf[64]; + int audit_fd = -1; +#endif + + if ((opts->ctrl & OPT_MAGIC_ROOT) && getuid() == 0) { + return PAM_SUCCESS; + } + /* magic_root skips tally check */ +#ifdef HAVE_LIBAUDIT + audit_fd = audit_open(); + /* If there is an error & audit support is in the kernel report error */ + if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT || + errno == EAFNOSUPPORT)) + return PAM_SYSTEM_ERR; +#endif + if (opts->deny != 0 && /* deny==0 means no deny */ + tally->fail_cnt > opts->deny && /* tally>deny means exceeded */ + ((opts->ctrl & OPT_DENY_ROOT) || uid)) { /* even_deny stops uid check */ +#ifdef HAVE_LIBAUDIT + if (tally->fail_cnt == opts->deny+1) { + /* First say that max number was hit. */ + snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid); + audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf, + NULL, NULL, NULL, 1); + } +#endif + if (uid) { + /* Unlock time check */ + if (opts->unlock_time && oldtime) { + if (opts->unlock_time + oldtime <= time(NULL)) { + /* ignore deny check after unlock_time elapsed */ +#ifdef HAVE_LIBAUDIT + snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid); + audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf, + NULL, NULL, NULL, 1); +#endif + rv = PAM_SUCCESS; + goto cleanup; + } + } + } else { + /* Root unlock time check */ + if (opts->root_unlock_time && oldtime) { + if (opts->root_unlock_time + oldtime <= time(NULL)) { + /* ignore deny check after unlock_time elapsed */ +#ifdef HAVE_LIBAUDIT + snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid); + audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf, + NULL, NULL, NULL, 1); +#endif + rv = PAM_SUCCESS; + goto cleanup; + } + } + } + +#ifdef HAVE_LIBAUDIT + if (tally->fail_cnt == opts->deny+1) { + /* First say that max number was hit. */ + audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf, + NULL, NULL, NULL, 1); + } +#endif + + if (!(opts->ctrl & OPT_QUIET)) { + pam_info(pamh, _("Account locked due to %u failed logins"), + (unsigned int)tally->fail_cnt); + } + if (!(opts->ctrl & OPT_NOLOGNOTICE)) { + pam_syslog(pamh, LOG_NOTICE, + "user %s (%lu) tally %hu, deny %hu", + user, (unsigned long)uid, tally->fail_cnt, opts->deny); + } + rv = PAM_AUTH_ERR; /* Only unconditional failure */ + goto cleanup; + } + + /* Lock time check */ + if (opts->lock_time && oldtime) { + if (opts->lock_time + oldtime > time(NULL)) { + /* don't increase fail_cnt or update fail_time when + lock_time applies */ + tally->fail_cnt = oldcnt; + tally->fail_time = oldtime; + + if (!(opts->ctrl & OPT_QUIET)) { + pam_info(pamh, _("Account temporary locked (%ld seconds left)"), + oldtime+opts->lock_time-time(NULL)); + } + if (!(opts->ctrl & OPT_NOLOGNOTICE)) { + pam_syslog(pamh, LOG_NOTICE, + "user %s (%lu) has time limit [%lds left]" + " since last failure.", + user, (unsigned long)uid, + oldtime+opts->lock_time-time(NULL)); + } + rv = PAM_AUTH_ERR; + goto cleanup; + } + } + +cleanup: +#ifdef HAVE_LIBAUDIT + if (audit_fd != -1) { + close(audit_fd); + } +#endif + return rv; +} + +/* --- tally bump function: bump tally for uid by (signed) inc --- */ + +static int +tally_bump (int inc, time_t *oldtime, pam_handle_t *pamh, + uid_t uid, const char *user, struct tally_options *opts, int *tfile) +{ + struct tallylog tally; + tally_t oldcnt; + const void *remote_host = NULL; + int i, rv; + + tally.fail_cnt = 0; /* !TALLY_HI --> Log opened for update */ + + i = get_tally(pamh, uid, opts->filename, tfile, &tally, opts->ctrl); + if (i != PAM_SUCCESS) { + if (*tfile != -1) { + close(*tfile); + *tfile = -1; + } + RETURN_ERROR(i); + } + + /* to remember old fail time (for locktime) */ + if (oldtime) { + *oldtime = (time_t)tally.fail_time; + } + + tally.fail_time = time(NULL); + + (void) pam_get_item(pamh, PAM_RHOST, &remote_host); + if (!remote_host) { + (void) pam_get_item(pamh, PAM_TTY, &remote_host); + if (!remote_host) { + remote_host = "unknown"; + } + } + + strncpy(tally.fail_line, remote_host, + sizeof(tally.fail_line)-1); + tally.fail_line[sizeof(tally.fail_line)-1] = 0; + + oldcnt = tally.fail_cnt; + + if (!(opts->ctrl & OPT_MAGIC_ROOT) || getuid()) { + /* magic_root doesn't change tally */ + tally.fail_cnt += inc; + + if (tally.fail_cnt == TALLY_HI) { /* Overflow *and* underflow. :) */ + tally.fail_cnt -= inc; + pam_syslog(pamh, LOG_ALERT, "Tally %sflowed for user %s", + (inc<0)?"under":"over",user); + } + } + + rv = tally_check(oldcnt, *oldtime, pamh, uid, user, opts, &tally); + + i = set_tally(pamh, uid, opts->filename, tfile, &tally); + if (i != PAM_SUCCESS) { + if (*tfile != -1) { + close(*tfile); + *tfile = -1; + } + if (rv == PAM_SUCCESS) + RETURN_ERROR( i ); + /* fallthrough */ + } else if (!(opts->ctrl & OPT_SERIALIZE)) { + close(*tfile); + *tfile = -1; + } + + return rv; +} + +static int +tally_reset (pam_handle_t *pamh, uid_t uid, struct tally_options *opts, int old_tfile) +{ + struct tallylog tally; + int tfile = old_tfile; + int i; + + /* resets only if not magic root */ + + if ((opts->ctrl & OPT_MAGIC_ROOT) && getuid() == 0) { + return PAM_SUCCESS; + } + + tally.fail_cnt = 0; /* !TALLY_HI --> Log opened for update */ + + i=get_tally(pamh, uid, opts->filename, &tfile, &tally, opts->ctrl); + if (i != PAM_SUCCESS) { + if (tfile != old_tfile) /* the descriptor is not owned by pam data */ + close(tfile); + RETURN_ERROR(i); + } + + memset(&tally, 0, sizeof(tally)); + + i=set_tally(pamh, uid, opts->filename, &tfile, &tally); + if (i != PAM_SUCCESS) { + if (tfile != old_tfile) /* the descriptor is not owned by pam data */ + close(tfile); + RETURN_ERROR(i); + } + + if (tfile != old_tfile) + close(tfile); + + return PAM_SUCCESS; +} + +/*---------------------------------------------------------------------*/ + +/* --- authentication management functions (only) --- */ + +PAM_EXTERN int +pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + int + rv, tfile = -1; + time_t + oldtime = 0; + struct tally_options + options, *opts = &options; + uid_t + uid; + const char + *user; + + rv = tally_parse_args(pamh, opts, PHASE_AUTH, argc, argv); + if (rv != PAM_SUCCESS) + RETURN_ERROR(rv); + + if (flags & PAM_SILENT) + opts->ctrl |= OPT_QUIET; + + rv = pam_get_uid(pamh, &uid, &user, opts); + if (rv != PAM_SUCCESS) + RETURN_ERROR(rv); + + rv = tally_bump(1, &oldtime, pamh, uid, user, opts, &tfile); + + tally_set_data(pamh, oldtime, tfile); + + return rv; +} + +PAM_EXTERN int +pam_sm_setcred(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + int + rv, tfile = -1; + time_t + oldtime = 0; + struct tally_options + options, *opts = &options; + uid_t + uid; + const char + *user; + + rv = tally_parse_args(pamh, opts, PHASE_AUTH, argc, argv); + if ( rv != PAM_SUCCESS ) + RETURN_ERROR( rv ); + + rv = pam_get_uid(pamh, &uid, &user, opts); + if ( rv != PAM_SUCCESS ) + RETURN_ERROR( rv ); + + if ( tally_get_data(pamh, &oldtime, &tfile) != 0 ) + /* no data found */ + return PAM_SUCCESS; + + rv = tally_reset(pamh, uid, opts, tfile); + + pam_set_data(pamh, MODULE_NAME, NULL, NULL); + + return rv; +} + +/*---------------------------------------------------------------------*/ + +/* --- authentication management functions (only) --- */ + +/* To reset failcount of user on successfull login */ + +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + int + rv, tfile = -1; + time_t + oldtime = 0; + struct tally_options + options, *opts = &options; + uid_t + uid; + const char + *user; + + rv = tally_parse_args(pamh, opts, PHASE_ACCOUNT, argc, argv); + if ( rv != PAM_SUCCESS ) + RETURN_ERROR( rv ); + + rv = pam_get_uid(pamh, &uid, &user, opts); + if ( rv != PAM_SUCCESS ) + RETURN_ERROR( rv ); + + if ( tally_get_data(pamh, &oldtime, &tfile) != 0 ) + /* no data found */ + return PAM_SUCCESS; + + rv = tally_reset(pamh, uid, opts, tfile); + + pam_set_data(pamh, MODULE_NAME, NULL, NULL); + + return rv; +} + +/*-----------------------------------------------------------------------*/ + +#ifdef PAM_STATIC + +/* static module data */ + +struct pam_module _pam_tally_modstruct = { + MODULE_NAME, +#ifdef PAM_SM_AUTH + pam_sm_authenticate, + pam_sm_setcred, +#else + NULL, + NULL, +#endif +#ifdef PAM_SM_ACCOUNT + pam_sm_acct_mgmt, +#else + NULL, +#endif + NULL, + NULL, + NULL, +}; + +#endif /* #ifdef PAM_STATIC */ + +/*-----------------------------------------------------------------------*/ + +#else /* #ifndef MAIN */ + +static const char *cline_filename = DEFAULT_LOGFILE; +static tally_t cline_reset = TALLY_HI; /* Default is `interrogate only' */ +static int cline_quiet = 0; + +/* + * Not going to link with pamlib just for these.. :) + */ + +static const char * +pam_errors( int i ) +{ + switch (i) { + case PAM_AUTH_ERR: return _("Authentication error"); + case PAM_SERVICE_ERR: return _("Service error"); + case PAM_USER_UNKNOWN: return _("Unknown user"); + default: return _("Unknown error"); + } +} + +static int +getopts( char **argv ) +{ + const char *pname = *argv; + for ( ; *argv ; (void)(*argv && ++argv) ) { + if ( !strcmp (*argv,"--file") ) cline_filename=*++argv; + else if ( !strcmp(*argv,"-f") ) cline_filename=*++argv; + else if ( !strncmp(*argv,"--file=",7) ) cline_filename=*argv+7; + else if ( !strcmp (*argv,"--user") ) cline_user=*++argv; + else if ( !strcmp (*argv,"-u") ) cline_user=*++argv; + else if ( !strncmp(*argv,"--user=",7) ) cline_user=*argv+7; + else if ( !strcmp (*argv,"--reset") ) cline_reset=0; + else if ( !strcmp (*argv,"-r") ) cline_reset=0; + else if ( !strncmp(*argv,"--reset=",8)) { + if ( sscanf(*argv+8,"%hu",&cline_reset) != 1 ) + fprintf(stderr,_("%s: Bad number given to --reset=\n"),pname), exit(0); + } + else if ( !strcmp (*argv,"--quiet") ) cline_quiet=1; + else { + fprintf(stderr,_("%s: Unrecognised option %s\n"),pname,*argv); + return FALSE; + } + } + return TRUE; +} + +static void +print_one(const struct tallylog *tally, uid_t uid) +{ + static int once; + char *cp; + time_t fail_time; + struct tm *tm; + struct passwd *pwent; + const char *username = "[NONAME]"; + char ptime[80]; + + pwent = getpwuid(uid); + fail_time = tally->fail_time; + tm = localtime(&fail_time); + strftime (ptime, sizeof (ptime), "%D %H:%M:%S", tm); + cp = ptime; + if (pwent) { + username = pwent->pw_name; + } + if (!once) { + printf (_("Login Failures Latest failure From\n")); + once++; + } + printf ("%-15.15s %5hu ", username, tally->fail_cnt); + if (tally->fail_time) { + printf ("%-17.17s %s", cp, tally->fail_line); + } + putchar ('\n'); +} + +int +main( int argc UNUSED, char **argv ) +{ + struct tallylog tally; + + if ( ! getopts( argv+1 ) ) { + printf(_("%s: [-f rooted-filename] [--file rooted-filename]\n" + " [-u username] [--user username]\n" + " [-r] [--reset[=n]] [--quiet]\n"), + *argv); + exit(2); + } + + umask(077); + + /* + * Major difference between individual user and all users: + * --user just handles one user, just like PAM. + * without --user it handles all users, sniffing cline_filename for nonzeros + */ + + if ( cline_user ) { + uid_t uid; + int tfile = -1; + struct tally_options opts; + int i; + + memset(&opts, 0, sizeof(opts)); + opts.ctrl = OPT_AUDIT; + i=pam_get_uid(NULL, &uid, NULL, &opts); + if ( i != PAM_SUCCESS ) { + fprintf(stderr,"%s: %s\n",*argv,pam_errors(i)); + exit(1); + } + + i=get_tally(NULL, uid, cline_filename, &tfile, &tally, 0); + if ( i != PAM_SUCCESS ) { + if (tfile != -1) + close(tfile); + fprintf(stderr, "%s: %s\n", *argv, pam_errors(i)); + exit(1); + } + + if ( !cline_quiet ) + print_one(&tally, uid); + + if (cline_reset != TALLY_HI) { +#ifdef HAVE_LIBAUDIT + char buf[64]; + int audit_fd = audit_open(); + snprintf(buf, sizeof(buf), "pam_tally2 uid=%u reset=%hu", uid, cline_reset); + audit_log_user_message(audit_fd, AUDIT_USER_ACCT, + buf, NULL, NULL, NULL, 1); + if (audit_fd >=0) + close(audit_fd); +#endif + if (cline_reset == 0) { + memset(&tally, 0, sizeof(tally)); + } else { + tally.fail_cnt = cline_reset; + } + i=set_tally(NULL, uid, cline_filename, &tfile, &tally); + close(tfile); + if (i != PAM_SUCCESS) { + fprintf(stderr,"%s: %s\n",*argv,pam_errors(i)); + exit(1); + } + } else { + close(tfile); + } + } + else /* !cline_user (ie, operate on all users) */ { + FILE *tfile=fopen(cline_filename, "r"); + uid_t uid=0; + if (!tfile && cline_reset != 0) { + perror(*argv); + exit(1); + } + + for ( ; tfile && !feof(tfile); uid++ ) { + if ( !fread(&tally, sizeof(tally), 1, tfile) + || !tally.fail_cnt ) { + continue; + } + print_one(&tally, uid); + } + if (tfile) + fclose(tfile); + if ( cline_reset!=0 && cline_reset!=TALLY_HI ) { + fprintf(stderr,_("%s: Can't reset all users to non-zero\n"),*argv); + } + else if ( !cline_reset ) { +#ifdef HAVE_LIBAUDIT + char buf[64]; + int audit_fd = audit_open(); + snprintf(buf, sizeof(buf), "pam_tally2 uid=all reset=0"); + audit_log_user_message(audit_fd, AUDIT_USER_ACCT, + buf, NULL, NULL, NULL, 1); + if (audit_fd >=0) + close(audit_fd); +#endif + tfile=fopen(cline_filename, "w"); + if ( !tfile ) perror(*argv), exit(0); + fclose(tfile); + } + } + return 0; +} + + +#endif /* #ifndef MAIN */ diff --git a/modules/pam_tally2/pam_tally2_app.c b/modules/pam_tally2/pam_tally2_app.c new file mode 100644 index 00000000..681ed690 --- /dev/null +++ b/modules/pam_tally2/pam_tally2_app.c @@ -0,0 +1,7 @@ +/* + # This seemed like such a good idea at the time. :) + */ + +#define MAIN +#include "pam_tally2.c" + diff --git a/modules/pam_tally2/tallylog.h b/modules/pam_tally2/tallylog.h new file mode 100644 index 00000000..596b1dac --- /dev/null +++ b/modules/pam_tally2/tallylog.h @@ -0,0 +1,52 @@ +/* + * Copyright 2006, Red Hat, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Red Hat, Inc. nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY RED HAT, INC. AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* + * tallylog.h - login failure data file format + * + * The new login failure file is not compatible with the old faillog(8) format + * Each record in the file represents a separate UID and the file + * is indexed in that fashion. + */ + + +#ifndef _TALLYLOG_H +#define _TALLYLOG_H + +#include <stdint.h> + +struct tallylog { + char fail_line[52]; /* rhost or tty of last failure */ + uint16_t reserved; /* reserved for future use */ + uint16_t fail_cnt; /* failures since last success */ + uint64_t fail_time; /* time of last failure */ +}; +/* 64 bytes / entry */ + +#endif diff --git a/modules/pam_tally2/tst-pam_tally2 b/modules/pam_tally2/tst-pam_tally2 new file mode 100755 index 00000000..83c71f41 --- /dev/null +++ b/modules/pam_tally2/tst-pam_tally2 @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_tally2.so |