summaryrefslogtreecommitdiff
path: root/modules/pam_tally2
diff options
context:
space:
mode:
Diffstat (limited to 'modules/pam_tally2')
-rw-r--r--modules/pam_tally2/Makefile.am40
-rw-r--r--modules/pam_tally2/Makefile.in739
-rw-r--r--modules/pam_tally2/README153
-rw-r--r--modules/pam_tally2/README.xml46
-rw-r--r--modules/pam_tally2/pam_tally2.8402
-rw-r--r--modules/pam_tally2/pam_tally2.8.xml449
-rw-r--r--modules/pam_tally2/pam_tally2.c1057
-rw-r--r--modules/pam_tally2/pam_tally2_app.c7
-rw-r--r--modules/pam_tally2/tallylog.h52
-rwxr-xr-xmodules/pam_tally2/tst-pam_tally22
10 files changed, 2947 insertions, 0 deletions
diff --git a/modules/pam_tally2/Makefile.am b/modules/pam_tally2/Makefile.am
new file mode 100644
index 00000000..06cdf554
--- /dev/null
+++ b/modules/pam_tally2/Makefile.am
@@ -0,0 +1,40 @@
+#
+# Copyright (c) 2005, 2006, 2007 Thorsten Kukuk <kukuk@thkukuk.de>
+# Copyright (c) 2008 Red Hat, Inc.
+#
+
+CLEANFILES = *~
+
+EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_tally2
+
+man_MANS = pam_tally2.8
+XMLS = README.xml pam_tally2.8.xml
+
+TESTS = tst-pam_tally2
+
+securelibdir = $(SECUREDIR)
+secureconfdir = $(SCONFIGDIR)
+
+noinst_HEADERS = tallylog.h
+
+AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
+
+pam_tally2_la_LDFLAGS = -no-undefined -avoid-version -module
+pam_tally2_la_LIBADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT)
+if HAVE_VERSIONING
+ pam_tally2_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+endif
+
+pam_tally2_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT)
+
+securelib_LTLIBRARIES = pam_tally2.la
+sbin_PROGRAMS = pam_tally2
+
+pam_tally2_la_SOURCES = pam_tally2.c
+pam_tally2_SOURCES = pam_tally2_app.c
+
+if ENABLE_REGENERATE_MAN
+noinst_DATA = README
+README: pam_tally2.8.xml
+-include $(top_srcdir)/Make.xml.rules
+endif
diff --git a/modules/pam_tally2/Makefile.in b/modules/pam_tally2/Makefile.in
new file mode 100644
index 00000000..dc99b9d5
--- /dev/null
+++ b/modules/pam_tally2/Makefile.in
@@ -0,0 +1,739 @@
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+#
+# Copyright (c) 2005, 2006, 2007 Thorsten Kukuk <kukuk@thkukuk.de>
+# Copyright (c) 2008 Red Hat, Inc.
+#
+
+
+
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map
+sbin_PROGRAMS = pam_tally2$(EXEEXT)
+subdir = modules/pam_tally2
+DIST_COMMON = README $(noinst_HEADERS) $(srcdir)/Makefile.am \
+ $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
+ $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
+ $(top_srcdir)/m4/japhar_grep_cflags.m4 \
+ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \
+ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \
+ $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
+ $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \
+ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
+ $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \
+ $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/m4/nls.m4 \
+ $(top_srcdir)/m4/po.m4 $(top_srcdir)/m4/progtest.m4 \
+ $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(sbindir)" \
+ "$(DESTDIR)$(man8dir)"
+securelibLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(securelib_LTLIBRARIES)
+am__DEPENDENCIES_1 =
+pam_tally2_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
+am_pam_tally2_la_OBJECTS = pam_tally2.lo
+pam_tally2_la_OBJECTS = $(am_pam_tally2_la_OBJECTS)
+pam_tally2_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(pam_tally2_la_LDFLAGS) $(LDFLAGS) -o $@
+sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
+PROGRAMS = $(sbin_PROGRAMS)
+am_pam_tally2_OBJECTS = pam_tally2_app.$(OBJEXT)
+pam_tally2_OBJECTS = $(am_pam_tally2_OBJECTS)
+pam_tally2_DEPENDENCIES = $(am__DEPENDENCIES_1)
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+ $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+ $(LDFLAGS) -o $@
+SOURCES = $(pam_tally2_la_SOURCES) $(pam_tally2_SOURCES)
+DIST_SOURCES = $(pam_tally2_la_SOURCES) $(pam_tally2_SOURCES)
+man8dir = $(mandir)/man8
+NROFF = nroff
+MANS = $(man_MANS)
+DATA = $(noinst_DATA)
+HEADERS = $(noinst_HEADERS)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BROWSER = @BROWSER@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+FO2PDF = @FO2PDF@
+GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
+GMSGFMT = @GMSGFMT@
+GMSGFMT_015 = @GMSGFMT_015@
+GREP = @GREP@
+HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+INTLLIBS = @INTLLIBS@
+INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBAUDIT = @LIBAUDIT@
+LIBCRACK = @LIBCRACK@
+LIBCRYPT = @LIBCRYPT@
+LIBDB = @LIBDB@
+LIBDL = @LIBDL@
+LIBICONV = @LIBICONV@
+LIBINTL = @LIBINTL@
+LIBNSL = @LIBNSL@
+LIBOBJS = @LIBOBJS@
+LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@
+LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@
+LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@
+LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@
+LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@
+LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@
+LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@
+LIBS = @LIBS@
+LIBSELINUX = @LIBSELINUX@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBICONV = @LTLIBICONV@
+LTLIBINTL = @LTLIBINTL@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MSGFMT = @MSGFMT@
+MSGFMT_015 = @MSGFMT_015@
+MSGMERGE = @MSGMERGE@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PIE_CFLAGS = @PIE_CFLAGS@
+PIE_LDFLAGS = @PIE_LDFLAGS@
+POSUB = @POSUB@
+RANLIB = @RANLIB@
+SCONFIGDIR = @SCONFIGDIR@
+SECUREDIR = @SECUREDIR@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+USE_NLS = @USE_NLS@
+VERSION = @VERSION@
+XGETTEXT = @XGETTEXT@
+XGETTEXT_015 = @XGETTEXT_015@
+XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
+XMLCATALOG = @XMLCATALOG@
+XMLLINT = @XMLLINT@
+XML_CATALOG_FILE = @XML_CATALOG_FILE@
+XSLTPROC = @XSLTPROC@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libc_cv_fpie = @libc_cv_fpie@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pam_cv_ld_as_needed = @pam_cv_ld_as_needed@
+pam_xauth_path = @pam_xauth_path@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+CLEANFILES = *~
+EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_tally2
+man_MANS = pam_tally2.8
+XMLS = README.xml pam_tally2.8.xml
+TESTS = tst-pam_tally2
+securelibdir = $(SECUREDIR)
+secureconfdir = $(SCONFIGDIR)
+noinst_HEADERS = tallylog.h
+AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
+pam_tally2_la_LDFLAGS = -no-undefined -avoid-version -module \
+ $(am__append_1)
+pam_tally2_la_LIBADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT)
+pam_tally2_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT)
+securelib_LTLIBRARIES = pam_tally2.la
+pam_tally2_la_SOURCES = pam_tally2.c
+pam_tally2_SOURCES = pam_tally2_app.c
+@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_tally2/Makefile'; \
+ cd $(top_srcdir) && \
+ $(AUTOMAKE) --gnu modules/pam_tally2/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)"
+ @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \
+ if test -f $$p; then \
+ f=$(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \
+ else :; fi; \
+ done
+
+uninstall-securelibLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \
+ p=$(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \
+ done
+
+clean-securelibLTLIBRARIES:
+ -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES)
+ @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+pam_tally2.la: $(pam_tally2_la_OBJECTS) $(pam_tally2_la_DEPENDENCIES)
+ $(pam_tally2_la_LINK) -rpath $(securelibdir) $(pam_tally2_la_OBJECTS) $(pam_tally2_la_LIBADD) $(LIBS)
+install-sbinPROGRAMS: $(sbin_PROGRAMS)
+ @$(NORMAL_INSTALL)
+ test -z "$(sbindir)" || $(MKDIR_P) "$(DESTDIR)$(sbindir)"
+ @list='$(sbin_PROGRAMS)'; for p in $$list; do \
+ p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+ if test -f $$p \
+ || test -f $$p1 \
+ ; then \
+ f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
+ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(sbinPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(sbindir)/$$f'"; \
+ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(sbinPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(sbindir)/$$f" || exit 1; \
+ else :; fi; \
+ done
+
+uninstall-sbinPROGRAMS:
+ @$(NORMAL_UNINSTALL)
+ @list='$(sbin_PROGRAMS)'; for p in $$list; do \
+ f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
+ echo " rm -f '$(DESTDIR)$(sbindir)/$$f'"; \
+ rm -f "$(DESTDIR)$(sbindir)/$$f"; \
+ done
+
+clean-sbinPROGRAMS:
+ @list='$(sbin_PROGRAMS)'; for p in $$list; do \
+ f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+ echo " rm -f $$p $$f"; \
+ rm -f $$p $$f ; \
+ done
+pam_tally2$(EXEEXT): $(pam_tally2_OBJECTS) $(pam_tally2_DEPENDENCIES)
+ @rm -f pam_tally2$(EXEEXT)
+ $(LINK) $(pam_tally2_OBJECTS) $(pam_tally2_LDADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_tally2.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_tally2_app.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+install-man8: $(man8_MANS) $(man_MANS)
+ @$(NORMAL_INSTALL)
+ test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
+ @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.8*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ if test -f $$i; then file=$$i; \
+ else file=$(srcdir)/$$i; fi; \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 8*) ;; \
+ *) ext='8' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
+ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \
+ done
+uninstall-man8:
+ @$(NORMAL_UNINSTALL)
+ @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.8*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 8*) ;; \
+ *) ext='8' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \
+ rm -f "$(DESTDIR)$(man8dir)/$$inst"; \
+ done
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$tags $$unique; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ test -z "$(CTAGS_ARGS)$$tags$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$tags $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && cd $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+check-TESTS: $(TESTS)
+ @failed=0; all=0; xfail=0; xpass=0; skip=0; \
+ srcdir=$(srcdir); export srcdir; \
+ list=' $(TESTS) '; \
+ if test -n "$$list"; then \
+ for tst in $$list; do \
+ if test -f ./$$tst; then dir=./; \
+ elif test -f $$tst; then dir=; \
+ else dir="$(srcdir)/"; fi; \
+ if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
+ all=`expr $$all + 1`; \
+ case " $(XFAIL_TESTS) " in \
+ *[\ \ ]$$tst[\ \ ]*) \
+ xpass=`expr $$xpass + 1`; \
+ failed=`expr $$failed + 1`; \
+ echo "XPASS: $$tst"; \
+ ;; \
+ *) \
+ echo "PASS: $$tst"; \
+ ;; \
+ esac; \
+ elif test $$? -ne 77; then \
+ all=`expr $$all + 1`; \
+ case " $(XFAIL_TESTS) " in \
+ *[\ \ ]$$tst[\ \ ]*) \
+ xfail=`expr $$xfail + 1`; \
+ echo "XFAIL: $$tst"; \
+ ;; \
+ *) \
+ failed=`expr $$failed + 1`; \
+ echo "FAIL: $$tst"; \
+ ;; \
+ esac; \
+ else \
+ skip=`expr $$skip + 1`; \
+ echo "SKIP: $$tst"; \
+ fi; \
+ done; \
+ if test "$$all" -eq 1; then \
+ tests="test"; \
+ All=""; \
+ else \
+ tests="tests"; \
+ All="All "; \
+ fi; \
+ if test "$$failed" -eq 0; then \
+ if test "$$xfail" -eq 0; then \
+ banner="$$All$$all $$tests passed"; \
+ else \
+ if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \
+ banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \
+ fi; \
+ else \
+ if test "$$xpass" -eq 0; then \
+ banner="$$failed of $$all $$tests failed"; \
+ else \
+ if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \
+ banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \
+ fi; \
+ fi; \
+ dashes="$$banner"; \
+ skipped=""; \
+ if test "$$skip" -ne 0; then \
+ if test "$$skip" -eq 1; then \
+ skipped="($$skip test was not run)"; \
+ else \
+ skipped="($$skip tests were not run)"; \
+ fi; \
+ test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+ dashes="$$skipped"; \
+ fi; \
+ report=""; \
+ if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+ report="Please report to $(PACKAGE_BUGREPORT)"; \
+ test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+ dashes="$$report"; \
+ fi; \
+ dashes=`echo "$$dashes" | sed s/./=/g`; \
+ echo "$$dashes"; \
+ echo "$$banner"; \
+ test -z "$$skipped" || echo "$$skipped"; \
+ test -z "$$report" || echo "$$report"; \
+ echo "$$dashes"; \
+ test "$$failed" -eq 0; \
+ else :; fi
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ fi; \
+ cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ else \
+ test -f $(distdir)/$$file \
+ || cp -p $$d/$$file $(distdir)/$$file \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+ $(MAKE) $(AM_MAKEFLAGS) check-TESTS
+check: check-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(DATA) $(HEADERS)
+installdirs:
+ for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+ -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-sbinPROGRAMS \
+ clean-securelibLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-man install-securelibLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am: install-sbinPROGRAMS
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man: install-man8
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-man uninstall-sbinPROGRAMS \
+ uninstall-securelibLTLIBRARIES
+
+uninstall-man: uninstall-man8
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \
+ clean-generic clean-libtool clean-sbinPROGRAMS \
+ clean-securelibLTLIBRARIES ctags distclean distclean-compile \
+ distclean-generic distclean-libtool distclean-tags distdir dvi \
+ dvi-am html html-am info info-am install install-am \
+ install-data install-data-am install-dvi install-dvi-am \
+ install-exec install-exec-am install-html install-html-am \
+ install-info install-info-am install-man install-man8 \
+ install-pdf install-pdf-am install-ps install-ps-am \
+ install-sbinPROGRAMS install-securelibLTLIBRARIES \
+ install-strip installcheck installcheck-am installdirs \
+ maintainer-clean maintainer-clean-generic mostlyclean \
+ mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+ pdf pdf-am ps ps-am tags uninstall uninstall-am uninstall-man \
+ uninstall-man8 uninstall-sbinPROGRAMS \
+ uninstall-securelibLTLIBRARIES
+
+@ENABLE_REGENERATE_MAN_TRUE@README: pam_tally2.8.xml
+@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/modules/pam_tally2/README b/modules/pam_tally2/README
new file mode 100644
index 00000000..8005474b
--- /dev/null
+++ b/modules/pam_tally2/README
@@ -0,0 +1,153 @@
+pam_tally2 — The login counter (tallying) module
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+DESCRIPTION
+
+This module maintains a count of attempted accesses, can reset count on
+success, can deny access if too many attempts fail.
+
+pam_tally2 comes in two parts: pam_tally2.so and pam_tally2. The former is the
+PAM module and the latter, a stand-alone program. pam_tally2 is an (optional)
+application which can be used to interrogate and manipulate the counter file.
+It can display users' counts, set individual counts, or clear all counts.
+Setting artificially high counts may be useful for blocking users without
+changing their passwords. For example, one might find it useful to clear all
+counts every midnight from a cron job.
+
+Normally, failed attempts to access root will not cause the root account to
+become blocked, to prevent denial-of-service: if your users aren't given shell
+accounts and root may only login via su or at the machine console (not telnet/
+rsh, etc), this is safe.
+
+OPTIONS
+
+GLOBAL OPTIONS
+
+ This can be used for auth and account module types.
+
+ onerr=[fail|succeed]
+
+ If something weird happens (like unable to open the file), return with
+ PAM_SUCCESS if onerr=succeed is given, else with the corresponding PAM
+ error code.
+
+ file=/path/to/counter
+
+ File where to keep counts. Default is /var/log/tallylog.
+
+ audit
+
+ Will log the user name into the system log if the user is not found.
+
+ silent
+
+ Don't print informative messages.
+
+ no_log_info
+
+ Don't log informative messages via syslog(3).
+
+AUTH OPTIONS
+
+ Authentication phase first increments attempted login counter and checks if
+ user should be denied access. If the user is authenticated and the login
+ process continues on call to pam_setcred(3) it resets the attempts counter.
+
+ deny=n
+
+ Deny access if tally for this user exceeds n.
+
+ lock_time=n
+
+ Always deny for n seconds after failed attempt.
+
+ unlock_time=n
+
+ Allow access after n seconds after failed attempt. If this option is
+ used the user will be locked out for the specified amount of time after
+ he exceeded his maximum allowed attempts. Otherwise the account is
+ locked until the lock is removed by a manual intervention of the system
+ administrator.
+
+ magic_root
+
+ If the module is invoked by a user with uid=0 the counter is not
+ incremented. The sysadmin should use this for user launched services,
+ like su, otherwise this argument should be omitted.
+
+ no_lock_time
+
+ Do not use the .fail_locktime field in /var/log/faillog for this user.
+
+ even_deny_root
+
+ Root account can become unavailable.
+
+ root_unlock_time=n
+
+ This option implies even_deny_root option. Allow access after n seconds
+ to root account after failed attempt. If this option is used the root
+ user will be locked out for the specified amount of time after he
+ exceeded his maximum allowed attempts.
+
+ serialize
+
+ Serialize access to the tally file using locks. This option might be
+ used only for non-multithreaded services because it depends on the
+ fcntl locking of the tally file. Also it is a good idea to use this
+ option only in such configurations where the time between auth phase
+ and account or setcred phase is not dependent on the authenticating
+ client. Otherwise the authenticating client will be able to prevent
+ simultaneous authentications by the same user by simply artificially
+ prolonging the time the file record lock is held.
+
+ACCOUNT OPTIONS
+
+ Account phase resets attempts counter if the user is not magic root. This
+ phase can be used optionally for services which don't call pam_setcred(3)
+ correctly or if the reset should be done regardless of the failure of the
+ account phase of other modules.
+
+ magic_root
+
+ If the module is invoked by a user with uid=0 the counter is not
+ changed. The sysadmin should use this for user launched services, like
+ su, otherwise this argument should be omitted.
+
+NOTES
+
+pam_tally2 is not compatible with the old pam_tally faillog file format. This
+is caused by requirement of compatibility of the tallylog file format between
+32bit and 64bit architectures on multiarch systems.
+
+There is no setuid wrapper for access to the data file such as when the
+pam_tally2.so module is called from xscreensaver. As this would make it
+impossible to share PAM configuration with such services the following
+workaround is used: If the data file cannot be opened because of insufficient
+permissions (EACCES) the module returns PAM_IGNORE.
+
+EXAMPLES
+
+Add the following line to /etc/pam.d/login to lock the account after 4 failed
+logins. Root account will be locked as well. The accounts will be automatically
+unlocked after 20 minutes. The module does not have to be called in the account
+phase because the login calls pam_setcred(3) correctly.
+
+auth required pam_securetty.so
+auth required pam_tally2.so deny=4 even_deny_root unlock_time=1200
+auth required pam_env.so
+auth required pam_unix.so
+auth required pam_nologin.so
+account required pam_unix.so
+password required pam_unix.so
+session required pam_limits.so
+session required pam_unix.so
+session required pam_lastlog.so nowtmp
+session optional pam_mail.so standard
+
+
+AUTHOR
+
+pam_tally2 was written by Tim Baverstock and Tomas Mraz.
+
diff --git a/modules/pam_tally2/README.xml b/modules/pam_tally2/README.xml
new file mode 100644
index 00000000..aa470570
--- /dev/null
+++ b/modules/pam_tally2/README.xml
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+"http://www.docbook.org/xml/4.3/docbookx.dtd"
+[
+<!--
+<!ENTITY pamaccess SYSTEM "pam_tally2.8.xml">
+-->
+]>
+
+<article>
+
+ <articleinfo>
+
+ <title>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_tally2.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_tally2-name"]/*)'/>
+ </title>
+
+ </articleinfo>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_tally2.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally2-description"]/*)'/>
+ </section>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_tally2.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally2-options"]/*)'/>
+ </section>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_tally2.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally2-notes"]/*)'/>
+ </section>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_tally2.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally2-examples"]/*)'/>
+ </section>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_tally2.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally2-author"]/*)'/>
+ </section>
+
+</article>
diff --git a/modules/pam_tally2/pam_tally2.8 b/modules/pam_tally2/pam_tally2.8
new file mode 100644
index 00000000..4255e7f1
--- /dev/null
+++ b/modules/pam_tally2/pam_tally2.8
@@ -0,0 +1,402 @@
+.\" Title: pam_tally2
+.\" Author: [see the "AUTHOR" section]
+.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+.\" Date: 06/16/2009
+.\" Manual: Linux-PAM Manual
+.\" Source: Linux-PAM Manual
+.\" Language: English
+.\"
+.TH "PAM_TALLY2" "8" "06/16/2009" "Linux-PAM Manual" "Linux\-PAM Manual"
+.\" -----------------------------------------------------------------
+.\" * (re)Define some macros
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" toupper - uppercase a string (locale-aware)
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.de toupper
+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+\\$*
+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+..
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" SH-xref - format a cross-reference to an SH section
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.de SH-xref
+.ie n \{\
+.\}
+.toupper \\$*
+.el \{\
+\\$*
+.\}
+..
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" SH - level-one heading that works better for non-TTY output
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.de1 SH
+.\" put an extra blank line of space above the head in non-TTY output
+.if t \{\
+.sp 1
+.\}
+.sp \\n[PD]u
+.nr an-level 1
+.set-an-margin
+.nr an-prevailing-indent \\n[IN]
+.fi
+.in \\n[an-margin]u
+.ti 0
+.HTML-TAG ".NH \\n[an-level]"
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+\." make the size of the head bigger
+.ps +3
+.ft B
+.ne (2v + 1u)
+.ie n \{\
+.\" if n (TTY output), use uppercase
+.toupper \\$*
+.\}
+.el \{\
+.nr an-break-flag 0
+.\" if not n (not TTY), use normal case (not uppercase)
+\\$1
+.in \\n[an-margin]u
+.ti 0
+.\" if not n (not TTY), put a border/line under subheading
+.sp -.6
+\l'\n(.lu'
+.\}
+..
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" SS - level-two heading that works better for non-TTY output
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.de1 SS
+.sp \\n[PD]u
+.nr an-level 1
+.set-an-margin
+.nr an-prevailing-indent \\n[IN]
+.fi
+.in \\n[IN]u
+.ti \\n[SN]u
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.ps \\n[PS-SS]u
+\." make the size of the head bigger
+.ps +2
+.ft B
+.ne (2v + 1u)
+.if \\n[.$] \&\\$*
+..
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" BB/BE - put background/screen (filled box) around block of text
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.de BB
+.if t \{\
+.sp -.5
+.br
+.in +2n
+.ll -2n
+.gcolor red
+.di BX
+.\}
+..
+.de EB
+.if t \{\
+.if "\\$2"adjust-for-leading-newline" \{\
+.sp -1
+.\}
+.br
+.di
+.in
+.ll
+.gcolor
+.nr BW \\n(.lu-\\n(.i
+.nr BH \\n(dn+.5v
+.ne \\n(BHu+.5v
+.ie "\\$2"adjust-for-leading-newline" \{\
+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+.\}
+.el \{\
+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+.\}
+.in 0
+.sp -.5v
+.nf
+.BX
+.in
+.sp .5v
+.fi
+.\}
+..
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" BM/EM - put colored marker in margin next to block of text
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.de BM
+.if t \{\
+.br
+.ll -2n
+.gcolor red
+.di BX
+.\}
+..
+.de EM
+.if t \{\
+.br
+.di
+.ll
+.gcolor
+.nr BH \\n(dn
+.ne \\n(BHu
+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+.in 0
+.nf
+.BX
+.in
+.fi
+.\}
+..
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "Name"
+pam_tally2 \- The login counter (tallying) module
+.SH "Synopsis"
+.fam C
+.HP \w'\fBpam_tally2\&.so\fR\ 'u
+\fBpam_tally2\&.so\fR [file=\fI/path/to/counter\fR] [onerr=[\fIfail\fR|\fIsucceed\fR]] [magic_root] [even_deny_root] [deny=\fIn\fR] [lock_time=\fIn\fR] [unlock_time=\fIn\fR] [root_unlock_time=\fIn\fR] [serialize] [audit] [silent] [no_log_info]
+.fam
+.fam C
+.HP \w'\fBpam_tally2\fR\ 'u
+\fBpam_tally2\fR [\-\-file\ \fI/path/to/counter\fR] [\-\-user\ \fIusername\fR] [\-\-reset[=\fIn\fR]] [\-\-quiet]
+.fam
+.SH "DESCRIPTION"
+.PP
+This module maintains a count of attempted accesses, can reset count on success, can deny access if too many attempts fail\&.
+.PP
+pam_tally2 comes in two parts:
+\fBpam_tally2\&.so\fR
+and
+\fBpam_tally2\fR\&. The former is the PAM module and the latter, a stand\-alone program\&.
+\fBpam_tally2\fR
+is an (optional) application which can be used to interrogate and manipulate the counter file\&. It can display users\' counts, set individual counts, or clear all counts\&. Setting artificially high counts may be useful for blocking users without changing their passwords\&. For example, one might find it useful to clear all counts every midnight from a cron job\&.
+.PP
+Normally, failed attempts to access
+\fIroot\fR
+will
+\fBnot\fR
+cause the root account to become blocked, to prevent denial\-of\-service: if your users aren\'t given shell accounts and root may only login via
+\fBsu\fR
+or at the machine console (not telnet/rsh, etc), this is safe\&.
+.SH "OPTIONS"
+.PP
+GLOBAL OPTIONS
+.RS 4
+This can be used for
+\fIauth\fR
+and
+\fIaccount\fR
+module types\&.
+.PP
+\fBonerr=[\fR\fB\fIfail\fR\fR\fB|\fR\fB\fIsucceed\fR\fR\fB]\fR
+.RS 4
+If something weird happens (like unable to open the file), return with
+\fBPAM_SUCCESS\fR
+if
+\fBonerr=\fR\fB\fIsucceed\fR\fR
+is given, else with the corresponding PAM error code\&.
+.RE
+.PP
+\fBfile=\fR\fB\fI/path/to/counter\fR\fR
+.RS 4
+File where to keep counts\&. Default is
+\FC/var/log/tallylog\F[]\&.
+.RE
+.PP
+\fBaudit\fR
+.RS 4
+Will log the user name into the system log if the user is not found\&.
+.RE
+.PP
+\fBsilent\fR
+.RS 4
+Don\'t print informative messages\&.
+.RE
+.PP
+\fBno_log_info\fR
+.RS 4
+Don\'t log informative messages via
+\fBsyslog\fR(3)\&.
+.RE
+.RE
+.PP
+AUTH OPTIONS
+.RS 4
+Authentication phase first increments attempted login counter and checks if user should be denied access\&. If the user is authenticated and the login process continues on call to
+\fBpam_setcred\fR(3)
+it resets the attempts counter\&.
+.PP
+\fBdeny=\fR\fB\fIn\fR\fR
+.RS 4
+Deny access if tally for this user exceeds
+\fIn\fR\&.
+.RE
+.PP
+\fBlock_time=\fR\fB\fIn\fR\fR
+.RS 4
+Always deny for
+\fIn\fR
+seconds after failed attempt\&.
+.RE
+.PP
+\fBunlock_time=\fR\fB\fIn\fR\fR
+.RS 4
+Allow access after
+\fIn\fR
+seconds after failed attempt\&. If this option is used the user will be locked out for the specified amount of time after he exceeded his maximum allowed attempts\&. Otherwise the account is locked until the lock is removed by a manual intervention of the system administrator\&.
+.RE
+.PP
+\fBmagic_root\fR
+.RS 4
+If the module is invoked by a user with uid=0 the counter is not incremented\&. The sysadmin should use this for user launched services, like
+\fBsu\fR, otherwise this argument should be omitted\&.
+.RE
+.PP
+\fBno_lock_time\fR
+.RS 4
+Do not use the \&.fail_locktime field in
+\FC/var/log/faillog\F[]
+for this user\&.
+.RE
+.PP
+\fBeven_deny_root\fR
+.RS 4
+Root account can become unavailable\&.
+.RE
+.PP
+\fBroot_unlock_time=\fR\fB\fIn\fR\fR
+.RS 4
+This option implies
+\fBeven_deny_root\fR
+option\&. Allow access after
+\fIn\fR
+seconds to root account after failed attempt\&. If this option is used the root user will be locked out for the specified amount of time after he exceeded his maximum allowed attempts\&.
+.RE
+.PP
+\fBserialize\fR
+.RS 4
+Serialize access to the tally file using locks\&. This option might be used only for non\-multithreaded services because it depends on the fcntl locking of the tally file\&. Also it is a good idea to use this option only in such configurations where the time between auth phase and account or setcred phase is not dependent on the authenticating client\&. Otherwise the authenticating client will be able to prevent simultaneous authentications by the same user by simply artificially prolonging the time the file record lock is held\&.
+.RE
+.RE
+.PP
+ACCOUNT OPTIONS
+.RS 4
+Account phase resets attempts counter if the user is
+\fBnot\fR
+magic root\&. This phase can be used optionally for services which don\'t call
+\fBpam_setcred\fR(3)
+correctly or if the reset should be done regardless of the failure of the account phase of other modules\&.
+.PP
+\fBmagic_root\fR
+.RS 4
+If the module is invoked by a user with uid=0 the counter is not changed\&. The sysadmin should use this for user launched services, like
+\fBsu\fR, otherwise this argument should be omitted\&.
+.RE
+.RE
+.SH "MODULE TYPES PROVIDED"
+.PP
+The
+\fBauth\fR
+and
+\fBaccount\fR
+module types are provided\&.
+.SH "RETURN VALUES"
+.PP
+PAM_AUTH_ERR
+.RS 4
+A invalid option was given, the module was not able to retrieve the user name, no valid counter file was found, or too many failed logins\&.
+.RE
+.PP
+PAM_SUCCESS
+.RS 4
+Everything was successful\&.
+.RE
+.PP
+PAM_USER_UNKNOWN
+.RS 4
+User not known\&.
+.RE
+.SH "NOTES"
+.PP
+pam_tally2 is not compatible with the old pam_tally faillog file format\&. This is caused by requirement of compatibility of the tallylog file format between 32bit and 64bit architectures on multiarch systems\&.
+.PP
+There is no setuid wrapper for access to the data file such as when the
+\fBpam_tally2\&.so\fR
+module is called from xscreensaver\&. As this would make it impossible to share PAM configuration with such services the following workaround is used: If the data file cannot be opened because of insufficient permissions (\fBEACCES\fR) the module returns
+\fBPAM_IGNORE\fR\&.
+.SH "EXAMPLES"
+.PP
+Add the following line to
+\FC/etc/pam\&.d/login\F[]
+to lock the account after 4 failed logins\&. Root account will be locked as well\&. The accounts will be automatically unlocked after 20 minutes\&. The module does not have to be called in the account phase because the
+\fBlogin\fR
+calls
+\fBpam_setcred\fR(3)
+correctly\&.
+.sp
+.if n \{\
+.RS 4
+.\}
+.fam C
+.ps -1
+.nf
+.if t \{\
+.sp -1
+.\}
+.BB lightgray adjust-for-leading-newline
+.sp -1
+
+auth required pam_securetty\&.so
+auth required pam_tally2\&.so deny=4 even_deny_root unlock_time=1200
+auth required pam_env\&.so
+auth required pam_unix\&.so
+auth required pam_nologin\&.so
+account required pam_unix\&.so
+password required pam_unix\&.so
+session required pam_limits\&.so
+session required pam_unix\&.so
+session required pam_lastlog\&.so nowtmp
+session optional pam_mail\&.so standard
+
+.EB lightgray adjust-for-leading-newline
+.if t \{\
+.sp 1
+.\}
+.fi
+.fam
+.ps +1
+.if n \{\
+.RE
+.\}
+.SH "FILES"
+.PP
+\FC/var/log/tallylog\F[]
+.RS 4
+failure count logging file
+.RE
+.SH "SEE ALSO"
+.PP
+
+\fBpam.conf\fR(5),
+\fBpam.d\fR(5),
+\fBpam\fR(8)
+.SH "AUTHOR"
+.PP
+pam_tally2 was written by Tim Baverstock and Tomas Mraz\&.
diff --git a/modules/pam_tally2/pam_tally2.8.xml b/modules/pam_tally2/pam_tally2.8.xml
new file mode 100644
index 00000000..4ad529fd
--- /dev/null
+++ b/modules/pam_tally2/pam_tally2.8.xml
@@ -0,0 +1,449 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="pam_tally2">
+
+ <refmeta>
+ <refentrytitle>pam_tally2</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id="pam_tally2-name">
+ <refname>pam_tally2</refname>
+ <refpurpose>The login counter (tallying) module</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis id="pam_tally2-cmdsynopsis1">
+ <command>pam_tally2.so</command>
+ <arg choice="opt">
+ file=<replaceable>/path/to/counter</replaceable>
+ </arg>
+ <arg choice="opt">
+ onerr=[<replaceable>fail</replaceable>|<replaceable>succeed</replaceable>]
+ </arg>
+ <arg choice="opt">
+ magic_root
+ </arg>
+ <arg choice="opt">
+ even_deny_root
+ </arg>
+ <arg choice="opt">
+ deny=<replaceable>n</replaceable>
+ </arg>
+ <arg choice="opt">
+ lock_time=<replaceable>n</replaceable>
+ </arg>
+ <arg choice="opt">
+ unlock_time=<replaceable>n</replaceable>
+ </arg>
+ <arg choice="opt">
+ root_unlock_time=<replaceable>n</replaceable>
+ </arg>
+ <arg choice="opt">
+ serialize
+ </arg>
+ <arg choice="opt">
+ audit
+ </arg>
+ <arg choice="opt">
+ silent
+ </arg>
+ <arg choice="opt">
+ no_log_info
+ </arg>
+ </cmdsynopsis>
+ <cmdsynopsis id="pam_tally2-cmdsynopsis2">
+ <command>pam_tally2</command>
+ <arg choice="opt">
+ --file <replaceable>/path/to/counter</replaceable>
+ </arg>
+ <arg choice="opt">
+ --user <replaceable>username</replaceable>
+ </arg>
+ <arg choice="opt">
+ --reset[=<replaceable>n</replaceable>]
+ </arg>
+ <arg choice="opt">
+ --quiet
+ </arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id="pam_tally2-description">
+
+ <title>DESCRIPTION</title>
+
+ <para>
+ This module maintains a count of attempted accesses, can
+ reset count on success, can deny access if too many attempts fail.
+ </para>
+ <para>
+ pam_tally2 comes in two parts:
+ <emphasis remap='B'>pam_tally2.so</emphasis> and
+ <command>pam_tally2</command>. The former is the PAM module and
+ the latter, a stand-alone program. <command>pam_tally2</command>
+ is an (optional) application which can be used to interrogate and
+ manipulate the counter file. It can display users' counts, set
+ individual counts, or clear all counts. Setting artificially high
+ counts may be useful for blocking users without changing their
+ passwords. For example, one might find it useful to clear all counts
+ every midnight from a cron job.
+ </para>
+ <para>
+ Normally, failed attempts to access <emphasis>root</emphasis> will
+ <emphasis remap='B'>not</emphasis> cause the root account to become
+ blocked, to prevent denial-of-service: if your users aren't given
+ shell accounts and root may only login via <command>su</command> or
+ at the machine console (not telnet/rsh, etc), this is safe.
+ </para>
+ </refsect1>
+
+ <refsect1 id="pam_tally2-options">
+
+ <title>OPTIONS</title>
+ <variablelist>
+ <varlistentry>
+ <term>
+ GLOBAL OPTIONS
+ </term>
+ <listitem>
+ <para>
+ This can be used for <emphasis>auth</emphasis> and
+ <emphasis>account</emphasis> module types.
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>
+ <option>onerr=[<replaceable>fail</replaceable>|<replaceable>succeed</replaceable>]</option>
+ </term>
+ <listitem>
+ <para>
+ If something weird happens (like unable to open the file),
+ return with <errorcode>PAM_SUCCESS</errorcode> if
+ <option>onerr=<replaceable>succeed</replaceable></option>
+ is given, else with the corresponding PAM error code.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>file=<replaceable>/path/to/counter</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ File where to keep counts. Default is
+ <filename>/var/log/tallylog</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>audit</option>
+ </term>
+ <listitem>
+ <para>
+ Will log the user name into the system log if the user is not found.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>silent</option>
+ </term>
+ <listitem>
+ <para>
+ Don't print informative messages.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>no_log_info</option>
+ </term>
+ <listitem>
+ <para>
+ Don't log informative messages via <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ AUTH OPTIONS
+ </term>
+ <listitem>
+ <para>
+ Authentication phase first increments attempted login counter and
+ checks if user should be denied access. If the user is authenticated
+ and the login process continues on call to <citerefentry>
+ <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry> it resets the attempts counter.
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>
+ <option>deny=<replaceable>n</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ Deny access if tally for this user exceeds
+ <replaceable>n</replaceable>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>lock_time=<replaceable>n</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ Always deny for <replaceable>n</replaceable> seconds
+ after failed attempt.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>unlock_time=<replaceable>n</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ Allow access after <replaceable>n</replaceable> seconds
+ after failed attempt. If this option is used the user will
+ be locked out for the specified amount of time after he
+ exceeded his maximum allowed attempts. Otherwise the
+ account is locked until the lock is removed by a manual
+ intervention of the system administrator.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>magic_root</option>
+ </term>
+ <listitem>
+ <para>
+ If the module is invoked by a user with uid=0 the
+ counter is not incremented. The sysadmin should use this
+ for user launched services, like <command>su</command>,
+ otherwise this argument should be omitted.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>no_lock_time</option>
+ </term>
+ <listitem>
+ <para>
+ Do not use the .fail_locktime field in
+ <filename>/var/log/faillog</filename> for this user.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>even_deny_root</option>
+ </term>
+ <listitem>
+ <para>
+ Root account can become unavailable.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>root_unlock_time=<replaceable>n</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ This option implies <option>even_deny_root</option> option.
+ Allow access after <replaceable>n</replaceable> seconds
+ to root account after failed attempt. If this option is used
+ the root user will be locked out for the specified amount of
+ time after he exceeded his maximum allowed attempts.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>serialize</option>
+ </term>
+ <listitem>
+ <para>
+ Serialize access to the tally file using locks. This option might
+ be used only for non-multithreaded services because it depends on
+ the fcntl locking of the tally file. Also it is a good idea to use
+ this option only in such configurations where the time between auth
+ phase and account or setcred phase is not dependent on the
+ authenticating client. Otherwise the authenticating client will be
+ able to prevent simultaneous authentications by the same user by
+ simply artificially prolonging the time the file record lock is held.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </listitem>
+ </varlistentry>
+
+
+ <varlistentry>
+ <term>
+ ACCOUNT OPTIONS
+ </term>
+ <listitem>
+ <para>
+ Account phase resets attempts counter if the user is
+ <emphasis remap='B'>not</emphasis> magic root.
+ This phase can be used optionally for services which don't call
+ <citerefentry>
+ <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry> correctly or if the reset should be done regardless
+ of the failure of the account phase of other modules.
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>
+ <option>magic_root</option>
+ </term>
+ <listitem>
+ <para>
+ If the module is invoked by a user with uid=0 the
+ counter is not changed. The sysadmin should use this
+ for user launched services, like <command>su</command>,
+ otherwise this argument should be omitted.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id="pam_tally2-types">
+ <title>MODULE TYPES PROVIDED</title>
+ <para>
+ The <option>auth</option> and <option>account</option>
+ module types are provided.
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_tally2-return_values'>
+ <title>RETURN VALUES</title>
+ <variablelist>
+ <varlistentry>
+ <term>PAM_AUTH_ERR</term>
+ <listitem>
+ <para>
+ A invalid option was given, the module was not able
+ to retrieve the user name, no valid counter file
+ was found, or too many failed logins.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>PAM_SUCCESS</term>
+ <listitem>
+ <para>
+ Everything was successful.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>PAM_USER_UNKNOWN</term>
+ <listitem>
+ <para>
+ User not known.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='pam_tally2-notes'>
+ <title>NOTES</title>
+ <para>
+ pam_tally2 is not compatible with the old pam_tally faillog file format.
+ This is caused by requirement of compatibility of the tallylog file
+ format between 32bit and 64bit architectures on multiarch systems.
+ </para>
+ <para>
+ There is no setuid wrapper for access to the data file such as when the
+ <emphasis remap='B'>pam_tally2.so</emphasis> module is called from
+ xscreensaver. As this would make it impossible to share PAM configuration
+ with such services the following workaround is used: If the data file
+ cannot be opened because of insufficient permissions
+ (<errorcode>EACCES</errorcode>) the module returns
+ <errorcode>PAM_IGNORE</errorcode>.
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_tally2-examples'>
+ <title>EXAMPLES</title>
+ <para>
+ Add the following line to <filename>/etc/pam.d/login</filename> to
+ lock the account after 4 failed logins. Root account will be locked
+ as well. The accounts will be automatically unlocked after 20 minutes.
+ The module does not have to be called in the account phase because the
+ <command>login</command> calls <citerefentry>
+ <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry> correctly.
+ </para>
+ <programlisting>
+auth required pam_securetty.so
+auth required pam_tally2.so deny=4 even_deny_root unlock_time=1200
+auth required pam_env.so
+auth required pam_unix.so
+auth required pam_nologin.so
+account required pam_unix.so
+password required pam_unix.so
+session required pam_limits.so
+session required pam_unix.so
+session required pam_lastlog.so nowtmp
+session optional pam_mail.so standard
+ </programlisting>
+ </refsect1>
+
+ <refsect1 id="pam_tally2-files">
+ <title>FILES</title>
+ <variablelist>
+ <varlistentry>
+ <term><filename>/var/log/tallylog</filename></term>
+ <listitem>
+ <para>failure count logging file</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='pam_tally2-see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_tally2-author'>
+ <title>AUTHOR</title>
+ <para>
+ pam_tally2 was written by Tim Baverstock and Tomas Mraz.
+ </para>
+ </refsect1>
+
+</refentry>
+
diff --git a/modules/pam_tally2/pam_tally2.c b/modules/pam_tally2/pam_tally2.c
new file mode 100644
index 00000000..3490aa15
--- /dev/null
+++ b/modules/pam_tally2/pam_tally2.c
@@ -0,0 +1,1057 @@
+/*
+ * pam_tally2.c
+ *
+ */
+
+
+/* By Tim Baverstock <warwick@mmm.co.uk>, Multi Media Machine Ltd.
+ * 5 March 1997
+ *
+ * Stuff stolen from pam_rootok and pam_listfile
+ *
+ * Changes by Tomas Mraz <tmraz@redhat.com> 5 January 2005, 26 January 2006
+ * Audit option added for Tomas patch by Sebastien Tricaud <toady@gscore.org> 13 January 2005
+ * Portions Copyright 2006, Red Hat, Inc.
+ * Portions Copyright 1989 - 1993, Julianne Frances Haugh
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Julianne F. Haugh nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#if defined(MAIN) && defined(MEMORY_DEBUG)
+# undef exit
+#endif /* defined(MAIN) && defined(MEMORY_DEBUG) */
+
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <syslog.h>
+#include <pwd.h>
+#include <time.h>
+#include <stdint.h>
+#include <errno.h>
+#ifdef HAVE_LIBAUDIT
+#include <libaudit.h>
+#endif
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/param.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <signal.h>
+#include "tallylog.h"
+
+#ifndef TRUE
+#define TRUE 1L
+#define FALSE 0L
+#endif
+
+#ifndef HAVE_FSEEKO
+#define fseeko fseek
+#endif
+
+/*
+ * here, we make a definition for the externally accessible function
+ * in this file (this definition is required for static a module
+ * but strongly encouraged generally) it is used to instruct the
+ * modules include file to define the function prototypes.
+ */
+
+#ifndef MAIN
+#define PAM_SM_AUTH
+#define PAM_SM_ACCOUNT
+/* #define PAM_SM_SESSION */
+/* #define PAM_SM_PASSWORD */
+
+#include <security/pam_ext.h>
+#endif
+#include <security/pam_modutil.h>
+#include <security/pam_modules.h>
+
+/*---------------------------------------------------------------------*/
+
+#define DEFAULT_LOGFILE "/var/log/tallylog"
+#define MODULE_NAME "pam_tally2"
+
+#define tally_t uint16_t
+#define TALLY_HI ((tally_t)~0L)
+
+struct tally_options {
+ const char *filename;
+ tally_t deny;
+ long lock_time;
+ long unlock_time;
+ long root_unlock_time;
+ unsigned int ctrl;
+};
+
+#define PHASE_UNKNOWN 0
+#define PHASE_AUTH 1
+#define PHASE_ACCOUNT 2
+#define PHASE_SESSION 3
+
+#define OPT_MAGIC_ROOT 01
+#define OPT_FAIL_ON_ERROR 02
+#define OPT_DENY_ROOT 04
+#define OPT_QUIET 040
+#define OPT_AUDIT 0100
+#define OPT_NOLOGNOTICE 0400
+#define OPT_SERIALIZE 01000
+
+#define MAX_LOCK_WAITING_TIME 10
+
+/*---------------------------------------------------------------------*/
+
+/* some syslogging */
+
+#ifdef MAIN
+#define pam_syslog tally_log
+static void
+tally_log (const pam_handle_t *pamh UNUSED, int priority UNUSED,
+ const char *fmt, ...)
+{
+ va_list args;
+
+ va_start(args, fmt);
+ fprintf(stderr, "%s: ", MODULE_NAME);
+ vfprintf(stderr, fmt, args);
+ fprintf(stderr,"\n");
+ va_end(args);
+}
+
+#define pam_modutil_getpwnam(pamh, user) getpwnam(user)
+#endif
+
+/*---------------------------------------------------------------------*/
+
+/* --- Support function: parse arguments --- */
+
+#ifndef MAIN
+
+static void
+log_phase_no_auth(pam_handle_t *pamh, int phase, const char *argv)
+{
+ if ( phase != PHASE_AUTH ) {
+ pam_syslog(pamh, LOG_ERR,
+ "option %s allowed in auth phase only", argv);
+ }
+}
+
+static int
+tally_parse_args(pam_handle_t *pamh, struct tally_options *opts,
+ int phase, int argc, const char **argv)
+{
+ memset(opts, 0, sizeof(*opts));
+ opts->filename = DEFAULT_LOGFILE;
+ opts->ctrl = OPT_FAIL_ON_ERROR;
+ opts->root_unlock_time = -1;
+
+ for ( ; argc-- > 0; ++argv ) {
+
+ if ( ! strncmp( *argv, "file=", 5 ) ) {
+ const char *from = *argv + 5;
+ if ( *from!='/' ) {
+ pam_syslog(pamh, LOG_ERR,
+ "filename not /rooted; %s", *argv);
+ return PAM_AUTH_ERR;
+ }
+ opts->filename = from;
+ }
+ else if ( ! strcmp( *argv, "onerr=fail" ) ) {
+ opts->ctrl |= OPT_FAIL_ON_ERROR;
+ }
+ else if ( ! strcmp( *argv, "onerr=succeed" ) ) {
+ opts->ctrl &= ~OPT_FAIL_ON_ERROR;
+ }
+ else if ( ! strcmp( *argv, "magic_root" ) ) {
+ opts->ctrl |= OPT_MAGIC_ROOT;
+ }
+ else if ( ! strcmp( *argv, "serialize" ) ) {
+ opts->ctrl |= OPT_SERIALIZE;
+ }
+ else if ( ! strcmp( *argv, "even_deny_root_account" ) ||
+ ! strcmp( *argv, "even_deny_root" ) ) {
+ log_phase_no_auth(pamh, phase, *argv);
+ opts->ctrl |= OPT_DENY_ROOT;
+ }
+ else if ( ! strncmp( *argv, "deny=", 5 ) ) {
+ log_phase_no_auth(pamh, phase, *argv);
+ if ( sscanf((*argv)+5,"%hu",&opts->deny) != 1 ) {
+ pam_syslog(pamh, LOG_ERR, "bad number supplied: %s", *argv);
+ return PAM_AUTH_ERR;
+ }
+ }
+ else if ( ! strncmp( *argv, "lock_time=", 10 ) ) {
+ log_phase_no_auth(pamh, phase, *argv);
+ if ( sscanf((*argv)+10,"%ld",&opts->lock_time) != 1 ) {
+ pam_syslog(pamh, LOG_ERR, "bad number supplied: %s", *argv);
+ return PAM_AUTH_ERR;
+ }
+ }
+ else if ( ! strncmp( *argv, "unlock_time=", 12 ) ) {
+ log_phase_no_auth(pamh, phase, *argv);
+ if ( sscanf((*argv)+12,"%ld",&opts->unlock_time) != 1 ) {
+ pam_syslog(pamh, LOG_ERR, "bad number supplied: %s", *argv);
+ return PAM_AUTH_ERR;
+ }
+ }
+ else if ( ! strncmp( *argv, "root_unlock_time=", 17 ) ) {
+ log_phase_no_auth(pamh, phase, *argv);
+ if ( sscanf((*argv)+17,"%ld",&opts->root_unlock_time) != 1 ) {
+ pam_syslog(pamh, LOG_ERR, "bad number supplied: %s", *argv);
+ return PAM_AUTH_ERR;
+ }
+ opts->ctrl |= OPT_DENY_ROOT; /* even_deny_root implied */
+ }
+ else if ( ! strcmp( *argv, "quiet" ) ||
+ ! strcmp ( *argv, "silent")) {
+ opts->ctrl |= OPT_QUIET;
+ }
+ else if ( ! strcmp ( *argv, "no_log_info") ) {
+ opts->ctrl |= OPT_NOLOGNOTICE;
+ }
+ else if ( ! strcmp ( *argv, "audit") ) {
+ opts->ctrl |= OPT_AUDIT;
+ }
+ else {
+ pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
+ }
+ }
+
+ if (opts->root_unlock_time == -1)
+ opts->root_unlock_time = opts->unlock_time;
+
+ return PAM_SUCCESS;
+}
+
+#endif /* #ifndef MAIN */
+
+/*---------------------------------------------------------------------*/
+
+/* --- Support function: get uid (and optionally username) from PAM or
+ cline_user --- */
+
+#ifdef MAIN
+static char *cline_user=0; /* cline_user is used in the administration prog */
+#endif
+
+static int
+pam_get_uid(pam_handle_t *pamh, uid_t *uid, const char **userp, struct tally_options *opts)
+{
+ const char *user = NULL;
+ struct passwd *pw;
+
+#ifdef MAIN
+ user = cline_user;
+#else
+ if ((pam_get_user( pamh, &user, NULL )) != PAM_SUCCESS) {
+ user = NULL;
+ }
+#endif
+
+ if ( !user || !*user ) {
+ pam_syslog(pamh, LOG_ERR, "pam_get_uid; user?");
+ return PAM_AUTH_ERR;
+ }
+
+ if ( ! ( pw = pam_modutil_getpwnam( pamh, user ) ) ) {
+ opts->ctrl & OPT_AUDIT ?
+ pam_syslog(pamh, LOG_ERR, "pam_get_uid; no such user %s", user) :
+ pam_syslog(pamh, LOG_ERR, "pam_get_uid; no such user");
+ return PAM_USER_UNKNOWN;
+ }
+
+ if ( uid ) *uid = pw->pw_uid;
+ if ( userp ) *userp = user;
+ return PAM_SUCCESS;
+}
+
+/*---------------------------------------------------------------------*/
+
+/* --- Support functions: set/get tally data --- */
+
+#ifndef MAIN
+
+struct tally_data {
+ time_t time;
+ int tfile;
+};
+
+static void
+_cleanup(pam_handle_t *pamh UNUSED, void *void_data, int error_status UNUSED)
+{
+ struct tally_data *data = void_data;
+ if (data->tfile != -1)
+ close(data->tfile);
+ free(data);
+}
+
+static void
+tally_set_data( pam_handle_t *pamh, time_t oldtime, int tfile )
+{
+ struct tally_data *data;
+
+ if ( (data=malloc(sizeof(*data))) != NULL ) {
+ data->time = oldtime;
+ data->tfile = tfile;
+ pam_set_data(pamh, MODULE_NAME, (void *)data, _cleanup);
+ }
+}
+
+static int
+tally_get_data( pam_handle_t *pamh, time_t *oldtime, int *tfile )
+{
+ int rv;
+ const void *void_data;
+ const struct tally_data *data;
+
+ rv = pam_get_data(pamh, MODULE_NAME, &void_data);
+ if ( rv == PAM_SUCCESS && void_data != NULL && oldtime != NULL ) {
+ data = void_data;
+ *oldtime = data->time;
+ *tfile = data->tfile;
+ }
+ else {
+ rv = -1;
+ *oldtime = 0;
+ }
+ return rv;
+}
+#endif /* #ifndef MAIN */
+
+/*---------------------------------------------------------------------*/
+
+/* --- Support function: open/create tallyfile and return tally for uid --- */
+
+/* If on entry tallyfile doesn't exist, creation is attempted. */
+
+static void
+alarm_handler(int sig UNUSED)
+{ /* we just need to ignore it */
+}
+
+static int
+get_tally(pam_handle_t *pamh, uid_t uid, const char *filename,
+ int *tfile, struct tallylog *tally, unsigned int ctrl)
+{
+ struct stat fileinfo;
+ int lstat_ret;
+ void *void_tally = tally;
+ int preopened = 0;
+
+ if (*tfile != -1) {
+ preopened = 1;
+ goto skip_open;
+ }
+
+ lstat_ret = lstat(filename, &fileinfo);
+ if (lstat_ret) {
+ *tfile=open(filename, O_APPEND|O_CREAT, 0700);
+ /* Create file, or append-open in pathological case. */
+ if (*tfile == -1) {
+#ifndef MAIN
+ if (errno == EACCES) {
+ return PAM_IGNORE; /* called with insufficient access rights */
+ }
+#endif
+ pam_syslog(pamh, LOG_ALERT, "Couldn't create %s: %m", filename);
+ return PAM_AUTH_ERR;
+ }
+ lstat_ret = fstat(*tfile, &fileinfo);
+ close(*tfile);
+ }
+
+ *tfile = -1;
+
+ if ( lstat_ret ) {
+ pam_syslog(pamh, LOG_ALERT, "Couldn't stat %s", filename);
+ return PAM_AUTH_ERR;
+ }
+
+ if ((fileinfo.st_mode & S_IWOTH) || !S_ISREG(fileinfo.st_mode)) {
+ /* If the file is world writable or is not a
+ normal file, return error */
+ pam_syslog(pamh, LOG_ALERT,
+ "%s is either world writable or not a normal file",
+ filename);
+ return PAM_AUTH_ERR;
+ }
+
+ if ((*tfile = open(filename, O_RDWR)) == -1) {
+#ifndef MAIN
+ if (errno == EACCES) /* called with insufficient access rights */
+ return PAM_IGNORE;
+#endif
+ pam_syslog(pamh, LOG_ALERT, "Error opening %s for update: %m", filename);
+
+ return PAM_AUTH_ERR;
+ }
+
+skip_open:
+ if (lseek(*tfile, (off_t)uid*(off_t)sizeof(*tally), SEEK_SET) == (off_t)-1) {
+ pam_syslog(pamh, LOG_ALERT, "lseek failed for %s: %m", filename);
+ if (!preopened) {
+ close(*tfile);
+ *tfile = -1;
+ }
+ return PAM_AUTH_ERR;
+ }
+
+ if (!preopened && (ctrl & OPT_SERIALIZE)) {
+ /* this code is not thread safe as it uses fcntl locks and alarm()
+ so never use serialize with multithreaded services */
+ struct sigaction newsa, oldsa;
+ unsigned int oldalarm;
+ int rv;
+
+ memset(&newsa, '\0', sizeof(newsa));
+ newsa.sa_handler = alarm_handler;
+ sigaction(SIGALRM, &newsa, &oldsa);
+ oldalarm = alarm(MAX_LOCK_WAITING_TIME);
+
+ rv = lockf(*tfile, F_LOCK, sizeof(*tally));
+ /* lock failure is not fatal, we attempt to read the tally anyway */
+
+ /* reinstate the eventual old alarm handler */
+ if (rv == -1 && errno == EINTR) {
+ if (oldalarm > MAX_LOCK_WAITING_TIME) {
+ oldalarm -= MAX_LOCK_WAITING_TIME;
+ } else if (oldalarm > 0) {
+ oldalarm = 1;
+ }
+ }
+ sigaction(SIGALRM, &oldsa, NULL);
+ alarm(oldalarm);
+ }
+
+ if (fileinfo.st_size < (off_t)(uid+1)*(off_t)sizeof(*tally)) {
+ memset(tally, 0, sizeof(*tally));
+ } else if (pam_modutil_read(*tfile, void_tally, sizeof(*tally)) != sizeof(*tally)) {
+ memset(tally, 0, sizeof(*tally));
+ /* Shouldn't happen */
+ }
+
+ tally->fail_line[sizeof(tally->fail_line)-1] = '\0';
+
+ return PAM_SUCCESS;
+}
+
+/*---------------------------------------------------------------------*/
+
+/* --- Support function: update tallyfile with tally!=TALLY_HI --- */
+
+static int
+set_tally(pam_handle_t *pamh, uid_t uid,
+ const char *filename, int *tfile, struct tallylog *tally)
+{
+ void *void_tally = tally;
+ if (tally->fail_cnt != TALLY_HI) {
+ if (lseek(*tfile, (off_t)uid * sizeof(*tally), SEEK_SET) == (off_t)-1) {
+ pam_syslog(pamh, LOG_ALERT, "lseek failed for %s: %m", filename);
+ return PAM_AUTH_ERR;
+ }
+ if (pam_modutil_write(*tfile, void_tally, sizeof(*tally)) != sizeof(*tally)) {
+ pam_syslog(pamh, LOG_ALERT, "update (write) failed for %s: %m", filename);
+ return PAM_AUTH_ERR;
+ }
+ }
+
+ if (fsync(*tfile)) {
+ pam_syslog(pamh, LOG_ALERT, "update (fsync) failed for %s: %m", filename);
+ return PAM_AUTH_ERR;
+ }
+ return PAM_SUCCESS;
+}
+
+/*---------------------------------------------------------------------*/
+
+/* --- PAM bits --- */
+
+#ifndef MAIN
+
+#define RETURN_ERROR(i) return ((opts->ctrl & OPT_FAIL_ON_ERROR)?(i):(PAM_SUCCESS))
+
+/*---------------------------------------------------------------------*/
+
+static int
+tally_check (tally_t oldcnt, time_t oldtime, pam_handle_t *pamh, uid_t uid,
+ const char *user, struct tally_options *opts,
+ struct tallylog *tally)
+{
+ int rv = PAM_SUCCESS;
+#ifdef HAVE_LIBAUDIT
+ char buf[64];
+ int audit_fd = -1;
+#endif
+
+ if ((opts->ctrl & OPT_MAGIC_ROOT) && getuid() == 0) {
+ return PAM_SUCCESS;
+ }
+ /* magic_root skips tally check */
+#ifdef HAVE_LIBAUDIT
+ audit_fd = audit_open();
+ /* If there is an error & audit support is in the kernel report error */
+ if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT ||
+ errno == EAFNOSUPPORT))
+ return PAM_SYSTEM_ERR;
+#endif
+ if (opts->deny != 0 && /* deny==0 means no deny */
+ tally->fail_cnt > opts->deny && /* tally>deny means exceeded */
+ ((opts->ctrl & OPT_DENY_ROOT) || uid)) { /* even_deny stops uid check */
+#ifdef HAVE_LIBAUDIT
+ if (tally->fail_cnt == opts->deny+1) {
+ /* First say that max number was hit. */
+ snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
+ audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
+ NULL, NULL, NULL, 1);
+ }
+#endif
+ if (uid) {
+ /* Unlock time check */
+ if (opts->unlock_time && oldtime) {
+ if (opts->unlock_time + oldtime <= time(NULL)) {
+ /* ignore deny check after unlock_time elapsed */
+#ifdef HAVE_LIBAUDIT
+ snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
+ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
+ NULL, NULL, NULL, 1);
+#endif
+ rv = PAM_SUCCESS;
+ goto cleanup;
+ }
+ }
+ } else {
+ /* Root unlock time check */
+ if (opts->root_unlock_time && oldtime) {
+ if (opts->root_unlock_time + oldtime <= time(NULL)) {
+ /* ignore deny check after unlock_time elapsed */
+#ifdef HAVE_LIBAUDIT
+ snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
+ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
+ NULL, NULL, NULL, 1);
+#endif
+ rv = PAM_SUCCESS;
+ goto cleanup;
+ }
+ }
+ }
+
+#ifdef HAVE_LIBAUDIT
+ if (tally->fail_cnt == opts->deny+1) {
+ /* First say that max number was hit. */
+ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf,
+ NULL, NULL, NULL, 1);
+ }
+#endif
+
+ if (!(opts->ctrl & OPT_QUIET)) {
+ pam_info(pamh, _("Account locked due to %u failed logins"),
+ (unsigned int)tally->fail_cnt);
+ }
+ if (!(opts->ctrl & OPT_NOLOGNOTICE)) {
+ pam_syslog(pamh, LOG_NOTICE,
+ "user %s (%lu) tally %hu, deny %hu",
+ user, (unsigned long)uid, tally->fail_cnt, opts->deny);
+ }
+ rv = PAM_AUTH_ERR; /* Only unconditional failure */
+ goto cleanup;
+ }
+
+ /* Lock time check */
+ if (opts->lock_time && oldtime) {
+ if (opts->lock_time + oldtime > time(NULL)) {
+ /* don't increase fail_cnt or update fail_time when
+ lock_time applies */
+ tally->fail_cnt = oldcnt;
+ tally->fail_time = oldtime;
+
+ if (!(opts->ctrl & OPT_QUIET)) {
+ pam_info(pamh, _("Account temporary locked (%ld seconds left)"),
+ oldtime+opts->lock_time-time(NULL));
+ }
+ if (!(opts->ctrl & OPT_NOLOGNOTICE)) {
+ pam_syslog(pamh, LOG_NOTICE,
+ "user %s (%lu) has time limit [%lds left]"
+ " since last failure.",
+ user, (unsigned long)uid,
+ oldtime+opts->lock_time-time(NULL));
+ }
+ rv = PAM_AUTH_ERR;
+ goto cleanup;
+ }
+ }
+
+cleanup:
+#ifdef HAVE_LIBAUDIT
+ if (audit_fd != -1) {
+ close(audit_fd);
+ }
+#endif
+ return rv;
+}
+
+/* --- tally bump function: bump tally for uid by (signed) inc --- */
+
+static int
+tally_bump (int inc, time_t *oldtime, pam_handle_t *pamh,
+ uid_t uid, const char *user, struct tally_options *opts, int *tfile)
+{
+ struct tallylog tally;
+ tally_t oldcnt;
+ const void *remote_host = NULL;
+ int i, rv;
+
+ tally.fail_cnt = 0; /* !TALLY_HI --> Log opened for update */
+
+ i = get_tally(pamh, uid, opts->filename, tfile, &tally, opts->ctrl);
+ if (i != PAM_SUCCESS) {
+ if (*tfile != -1) {
+ close(*tfile);
+ *tfile = -1;
+ }
+ RETURN_ERROR(i);
+ }
+
+ /* to remember old fail time (for locktime) */
+ if (oldtime) {
+ *oldtime = (time_t)tally.fail_time;
+ }
+
+ tally.fail_time = time(NULL);
+
+ (void) pam_get_item(pamh, PAM_RHOST, &remote_host);
+ if (!remote_host) {
+ (void) pam_get_item(pamh, PAM_TTY, &remote_host);
+ if (!remote_host) {
+ remote_host = "unknown";
+ }
+ }
+
+ strncpy(tally.fail_line, remote_host,
+ sizeof(tally.fail_line)-1);
+ tally.fail_line[sizeof(tally.fail_line)-1] = 0;
+
+ oldcnt = tally.fail_cnt;
+
+ if (!(opts->ctrl & OPT_MAGIC_ROOT) || getuid()) {
+ /* magic_root doesn't change tally */
+ tally.fail_cnt += inc;
+
+ if (tally.fail_cnt == TALLY_HI) { /* Overflow *and* underflow. :) */
+ tally.fail_cnt -= inc;
+ pam_syslog(pamh, LOG_ALERT, "Tally %sflowed for user %s",
+ (inc<0)?"under":"over",user);
+ }
+ }
+
+ rv = tally_check(oldcnt, *oldtime, pamh, uid, user, opts, &tally);
+
+ i = set_tally(pamh, uid, opts->filename, tfile, &tally);
+ if (i != PAM_SUCCESS) {
+ if (*tfile != -1) {
+ close(*tfile);
+ *tfile = -1;
+ }
+ if (rv == PAM_SUCCESS)
+ RETURN_ERROR( i );
+ /* fallthrough */
+ } else if (!(opts->ctrl & OPT_SERIALIZE)) {
+ close(*tfile);
+ *tfile = -1;
+ }
+
+ return rv;
+}
+
+static int
+tally_reset (pam_handle_t *pamh, uid_t uid, struct tally_options *opts, int old_tfile)
+{
+ struct tallylog tally;
+ int tfile = old_tfile;
+ int i;
+
+ /* resets only if not magic root */
+
+ if ((opts->ctrl & OPT_MAGIC_ROOT) && getuid() == 0) {
+ return PAM_SUCCESS;
+ }
+
+ tally.fail_cnt = 0; /* !TALLY_HI --> Log opened for update */
+
+ i=get_tally(pamh, uid, opts->filename, &tfile, &tally, opts->ctrl);
+ if (i != PAM_SUCCESS) {
+ if (tfile != old_tfile) /* the descriptor is not owned by pam data */
+ close(tfile);
+ RETURN_ERROR(i);
+ }
+
+ memset(&tally, 0, sizeof(tally));
+
+ i=set_tally(pamh, uid, opts->filename, &tfile, &tally);
+ if (i != PAM_SUCCESS) {
+ if (tfile != old_tfile) /* the descriptor is not owned by pam data */
+ close(tfile);
+ RETURN_ERROR(i);
+ }
+
+ if (tfile != old_tfile)
+ close(tfile);
+
+ return PAM_SUCCESS;
+}
+
+/*---------------------------------------------------------------------*/
+
+/* --- authentication management functions (only) --- */
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
+ int argc, const char **argv)
+{
+ int
+ rv, tfile = -1;
+ time_t
+ oldtime = 0;
+ struct tally_options
+ options, *opts = &options;
+ uid_t
+ uid;
+ const char
+ *user;
+
+ rv = tally_parse_args(pamh, opts, PHASE_AUTH, argc, argv);
+ if (rv != PAM_SUCCESS)
+ RETURN_ERROR(rv);
+
+ if (flags & PAM_SILENT)
+ opts->ctrl |= OPT_QUIET;
+
+ rv = pam_get_uid(pamh, &uid, &user, opts);
+ if (rv != PAM_SUCCESS)
+ RETURN_ERROR(rv);
+
+ rv = tally_bump(1, &oldtime, pamh, uid, user, opts, &tfile);
+
+ tally_set_data(pamh, oldtime, tfile);
+
+ return rv;
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh, int flags UNUSED,
+ int argc, const char **argv)
+{
+ int
+ rv, tfile = -1;
+ time_t
+ oldtime = 0;
+ struct tally_options
+ options, *opts = &options;
+ uid_t
+ uid;
+ const char
+ *user;
+
+ rv = tally_parse_args(pamh, opts, PHASE_AUTH, argc, argv);
+ if ( rv != PAM_SUCCESS )
+ RETURN_ERROR( rv );
+
+ rv = pam_get_uid(pamh, &uid, &user, opts);
+ if ( rv != PAM_SUCCESS )
+ RETURN_ERROR( rv );
+
+ if ( tally_get_data(pamh, &oldtime, &tfile) != 0 )
+ /* no data found */
+ return PAM_SUCCESS;
+
+ rv = tally_reset(pamh, uid, opts, tfile);
+
+ pam_set_data(pamh, MODULE_NAME, NULL, NULL);
+
+ return rv;
+}
+
+/*---------------------------------------------------------------------*/
+
+/* --- authentication management functions (only) --- */
+
+/* To reset failcount of user on successfull login */
+
+PAM_EXTERN int
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED,
+ int argc, const char **argv)
+{
+ int
+ rv, tfile = -1;
+ time_t
+ oldtime = 0;
+ struct tally_options
+ options, *opts = &options;
+ uid_t
+ uid;
+ const char
+ *user;
+
+ rv = tally_parse_args(pamh, opts, PHASE_ACCOUNT, argc, argv);
+ if ( rv != PAM_SUCCESS )
+ RETURN_ERROR( rv );
+
+ rv = pam_get_uid(pamh, &uid, &user, opts);
+ if ( rv != PAM_SUCCESS )
+ RETURN_ERROR( rv );
+
+ if ( tally_get_data(pamh, &oldtime, &tfile) != 0 )
+ /* no data found */
+ return PAM_SUCCESS;
+
+ rv = tally_reset(pamh, uid, opts, tfile);
+
+ pam_set_data(pamh, MODULE_NAME, NULL, NULL);
+
+ return rv;
+}
+
+/*-----------------------------------------------------------------------*/
+
+#ifdef PAM_STATIC
+
+/* static module data */
+
+struct pam_module _pam_tally_modstruct = {
+ MODULE_NAME,
+#ifdef PAM_SM_AUTH
+ pam_sm_authenticate,
+ pam_sm_setcred,
+#else
+ NULL,
+ NULL,
+#endif
+#ifdef PAM_SM_ACCOUNT
+ pam_sm_acct_mgmt,
+#else
+ NULL,
+#endif
+ NULL,
+ NULL,
+ NULL,
+};
+
+#endif /* #ifdef PAM_STATIC */
+
+/*-----------------------------------------------------------------------*/
+
+#else /* #ifndef MAIN */
+
+static const char *cline_filename = DEFAULT_LOGFILE;
+static tally_t cline_reset = TALLY_HI; /* Default is `interrogate only' */
+static int cline_quiet = 0;
+
+/*
+ * Not going to link with pamlib just for these.. :)
+ */
+
+static const char *
+pam_errors( int i )
+{
+ switch (i) {
+ case PAM_AUTH_ERR: return _("Authentication error");
+ case PAM_SERVICE_ERR: return _("Service error");
+ case PAM_USER_UNKNOWN: return _("Unknown user");
+ default: return _("Unknown error");
+ }
+}
+
+static int
+getopts( char **argv )
+{
+ const char *pname = *argv;
+ for ( ; *argv ; (void)(*argv && ++argv) ) {
+ if ( !strcmp (*argv,"--file") ) cline_filename=*++argv;
+ else if ( !strcmp(*argv,"-f") ) cline_filename=*++argv;
+ else if ( !strncmp(*argv,"--file=",7) ) cline_filename=*argv+7;
+ else if ( !strcmp (*argv,"--user") ) cline_user=*++argv;
+ else if ( !strcmp (*argv,"-u") ) cline_user=*++argv;
+ else if ( !strncmp(*argv,"--user=",7) ) cline_user=*argv+7;
+ else if ( !strcmp (*argv,"--reset") ) cline_reset=0;
+ else if ( !strcmp (*argv,"-r") ) cline_reset=0;
+ else if ( !strncmp(*argv,"--reset=",8)) {
+ if ( sscanf(*argv+8,"%hu",&cline_reset) != 1 )
+ fprintf(stderr,_("%s: Bad number given to --reset=\n"),pname), exit(0);
+ }
+ else if ( !strcmp (*argv,"--quiet") ) cline_quiet=1;
+ else {
+ fprintf(stderr,_("%s: Unrecognised option %s\n"),pname,*argv);
+ return FALSE;
+ }
+ }
+ return TRUE;
+}
+
+static void
+print_one(const struct tallylog *tally, uid_t uid)
+{
+ static int once;
+ char *cp;
+ time_t fail_time;
+ struct tm *tm;
+ struct passwd *pwent;
+ const char *username = "[NONAME]";
+ char ptime[80];
+
+ pwent = getpwuid(uid);
+ fail_time = tally->fail_time;
+ tm = localtime(&fail_time);
+ strftime (ptime, sizeof (ptime), "%D %H:%M:%S", tm);
+ cp = ptime;
+ if (pwent) {
+ username = pwent->pw_name;
+ }
+ if (!once) {
+ printf (_("Login Failures Latest failure From\n"));
+ once++;
+ }
+ printf ("%-15.15s %5hu ", username, tally->fail_cnt);
+ if (tally->fail_time) {
+ printf ("%-17.17s %s", cp, tally->fail_line);
+ }
+ putchar ('\n');
+}
+
+int
+main( int argc UNUSED, char **argv )
+{
+ struct tallylog tally;
+
+ if ( ! getopts( argv+1 ) ) {
+ printf(_("%s: [-f rooted-filename] [--file rooted-filename]\n"
+ " [-u username] [--user username]\n"
+ " [-r] [--reset[=n]] [--quiet]\n"),
+ *argv);
+ exit(2);
+ }
+
+ umask(077);
+
+ /*
+ * Major difference between individual user and all users:
+ * --user just handles one user, just like PAM.
+ * without --user it handles all users, sniffing cline_filename for nonzeros
+ */
+
+ if ( cline_user ) {
+ uid_t uid;
+ int tfile = -1;
+ struct tally_options opts;
+ int i;
+
+ memset(&opts, 0, sizeof(opts));
+ opts.ctrl = OPT_AUDIT;
+ i=pam_get_uid(NULL, &uid, NULL, &opts);
+ if ( i != PAM_SUCCESS ) {
+ fprintf(stderr,"%s: %s\n",*argv,pam_errors(i));
+ exit(1);
+ }
+
+ i=get_tally(NULL, uid, cline_filename, &tfile, &tally, 0);
+ if ( i != PAM_SUCCESS ) {
+ if (tfile != -1)
+ close(tfile);
+ fprintf(stderr, "%s: %s\n", *argv, pam_errors(i));
+ exit(1);
+ }
+
+ if ( !cline_quiet )
+ print_one(&tally, uid);
+
+ if (cline_reset != TALLY_HI) {
+#ifdef HAVE_LIBAUDIT
+ char buf[64];
+ int audit_fd = audit_open();
+ snprintf(buf, sizeof(buf), "pam_tally2 uid=%u reset=%hu", uid, cline_reset);
+ audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
+ buf, NULL, NULL, NULL, 1);
+ if (audit_fd >=0)
+ close(audit_fd);
+#endif
+ if (cline_reset == 0) {
+ memset(&tally, 0, sizeof(tally));
+ } else {
+ tally.fail_cnt = cline_reset;
+ }
+ i=set_tally(NULL, uid, cline_filename, &tfile, &tally);
+ close(tfile);
+ if (i != PAM_SUCCESS) {
+ fprintf(stderr,"%s: %s\n",*argv,pam_errors(i));
+ exit(1);
+ }
+ } else {
+ close(tfile);
+ }
+ }
+ else /* !cline_user (ie, operate on all users) */ {
+ FILE *tfile=fopen(cline_filename, "r");
+ uid_t uid=0;
+ if (!tfile && cline_reset != 0) {
+ perror(*argv);
+ exit(1);
+ }
+
+ for ( ; tfile && !feof(tfile); uid++ ) {
+ if ( !fread(&tally, sizeof(tally), 1, tfile)
+ || !tally.fail_cnt ) {
+ continue;
+ }
+ print_one(&tally, uid);
+ }
+ if (tfile)
+ fclose(tfile);
+ if ( cline_reset!=0 && cline_reset!=TALLY_HI ) {
+ fprintf(stderr,_("%s: Can't reset all users to non-zero\n"),*argv);
+ }
+ else if ( !cline_reset ) {
+#ifdef HAVE_LIBAUDIT
+ char buf[64];
+ int audit_fd = audit_open();
+ snprintf(buf, sizeof(buf), "pam_tally2 uid=all reset=0");
+ audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
+ buf, NULL, NULL, NULL, 1);
+ if (audit_fd >=0)
+ close(audit_fd);
+#endif
+ tfile=fopen(cline_filename, "w");
+ if ( !tfile ) perror(*argv), exit(0);
+ fclose(tfile);
+ }
+ }
+ return 0;
+}
+
+
+#endif /* #ifndef MAIN */
diff --git a/modules/pam_tally2/pam_tally2_app.c b/modules/pam_tally2/pam_tally2_app.c
new file mode 100644
index 00000000..681ed690
--- /dev/null
+++ b/modules/pam_tally2/pam_tally2_app.c
@@ -0,0 +1,7 @@
+/*
+ # This seemed like such a good idea at the time. :)
+ */
+
+#define MAIN
+#include "pam_tally2.c"
+
diff --git a/modules/pam_tally2/tallylog.h b/modules/pam_tally2/tallylog.h
new file mode 100644
index 00000000..596b1dac
--- /dev/null
+++ b/modules/pam_tally2/tallylog.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright 2006, Red Hat, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Red Hat, Inc. nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY RED HAT, INC. AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * tallylog.h - login failure data file format
+ *
+ * The new login failure file is not compatible with the old faillog(8) format
+ * Each record in the file represents a separate UID and the file
+ * is indexed in that fashion.
+ */
+
+
+#ifndef _TALLYLOG_H
+#define _TALLYLOG_H
+
+#include <stdint.h>
+
+struct tallylog {
+ char fail_line[52]; /* rhost or tty of last failure */
+ uint16_t reserved; /* reserved for future use */
+ uint16_t fail_cnt; /* failures since last success */
+ uint64_t fail_time; /* time of last failure */
+};
+/* 64 bytes / entry */
+
+#endif
diff --git a/modules/pam_tally2/tst-pam_tally2 b/modules/pam_tally2/tst-pam_tally2
new file mode 100755
index 00000000..83c71f41
--- /dev/null
+++ b/modules/pam_tally2/tst-pam_tally2
@@ -0,0 +1,2 @@
+#!/bin/sh
+../../tests/tst-dlopen .libs/pam_tally2.so
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-27 20:04:17 +0000