From 791dec4305054de2a5f994a9a4e475079b7b7a9c Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 17 Apr 2012 14:05:24 +0200 Subject: pam_lastlog: add possibility to lock out inactive users in auth or account * modules/pam_lastlog/pam_lastlog.8.xml: Document the new functionality and option. * modules/pam_lastlog/pam_lastlog.c: Add the inactive user lock out. (_pam_session_parse): Renamed from _pam_parse. (_pam_auth_parse): New function to parse auth arguments. (_last_login_open): Factor out opening of the lastlog file. (_last_login_read): Factor out opening of the lastlog file. (pam_sm_authenticate): Implement the lockout functionality. (pam_sm_setcred): Just return PAM_SUCCESS. (pam_sm_acct_mgmt): Call pam_sm_authenticate(). --- modules/pam_lastlog/pam_lastlog.8.xml | 53 ++++++++++++++++++++++++++++++++++- 1 file changed, 52 insertions(+), 1 deletion(-) (limited to 'modules/pam_lastlog/pam_lastlog.8.xml') diff --git a/modules/pam_lastlog/pam_lastlog.8.xml b/modules/pam_lastlog/pam_lastlog.8.xml index 2a6794ad..ecac2664 100644 --- a/modules/pam_lastlog/pam_lastlog.8.xml +++ b/modules/pam_lastlog/pam_lastlog.8.xml @@ -45,6 +45,9 @@ showfailed + + inactive=<days> + @@ -165,13 +168,30 @@ + + + + + + + This option is specific for the auth or account phase. It + specifies the number of days after the last login of the user + when the user will be locked out by the module. The default + value is 90. + + + MODULE TYPES PROVIDED - Only the module type is provided. + The and module type + allows to lock out users which did not login recently enough. + The module type is provided for displaying + the information about the last login and/or updating the lastlog and + wtmp files. @@ -207,6 +227,27 @@ + + PAM_AUTH_ERR + + + User locked out in the auth or account phase due to + inactivity. + + + + + + PAM_IGNORE + + + There was an error during reading the lastlog file + in the auth or account phase and thus inactivity + of the user cannot be determined. + + + + 
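Review bot: the description of the new option (the hunk adding "This option is specific for the auth or account phase ...") leaves undefined what happens to a user who has no lastlog record at all, since "the number of days after the last login" has no meaning when there has never been a login; the text should state explicitly whether such users are locked out or passed through, matching whatever the new pam_sm_authenticate code does. Minor wording: "specific for" should be "specific to", and "when the user will be locked out" reads better as "after which the user is locked out".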
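Review bot: the MODULE TYPES hunk has a grammar and number problem: "The auth and account module type allows to lock out users which did not login recently enough" should read "The auth and account module types allow locking out users who have not logged in recently enough." It would also help to say in the same paragraph that the lockout decision is based on the lastlog file that the session type of this module (or the application) updates, so readers see that the two halves depend on each other.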
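Review bot: the PAM_IGNORE entry in the RETURN VALUES hunk documents fail-open behaviour without saying so: when the lastlog file cannot be read, the inactivity check is skipped and the outcome is left to the rest of the stack, meaning a missing or unreadable lastlog file silently disables the lockout. Suggest adding one sentence such as "The inactivity lockout is not enforced in this case." so administrators do not treat this module alone as a guarantee, and consider logging the read error so the condition is visible.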
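Review bot: the EXAMPLES hunk wording "To reject the user if he did not login during the previous 50 days" should be "To reject users who have not logged in during the previous 50 days". Since the option is documented for both the auth and account phases, it would also be worth showing the account form ("account required pam_lastlog.so inactive=50") next to the auth example, or stating that either line is sufficient.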
@@ -220,6 +261,13 @@ session required pam_lastlog.so nowtmp + + To reject the user if he did not login during the previous 50 days + the following line can be used: + + + auth required pam_lastlog.so inactive=50 + @@ -254,6 +302,9 @@ pam_lastlog was written by Andrew G. Morgan <morgan@kernel.org>. + + Inactive account lock out added by Tomáš Mráz <tm@t8m.info>. + -- cgit v1.2.3 From cf9c75be753a3c12fdecb9f4696b8ad1b28dd799 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 30 Apr 2012 14:46:48 +0200 Subject: pam_lastlog: Never lock out the root account. modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Return PAM_SUCCESS if uid==0. modules/pam_lastlog/pam_lastlog.8.xml: Improve documentation. --- modules/pam_lastlog/pam_lastlog.8.xml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'modules/pam_lastlog/pam_lastlog.8.xml') diff --git a/modules/pam_lastlog/pam_lastlog.8.xml b/modules/pam_lastlog/pam_lastlog.8.xml index ecac2664..77da9dbc 100644 --- a/modules/pam_lastlog/pam_lastlog.8.xml +++ b/modules/pam_lastlog/pam_lastlog.8.xml @@ -12,7 +12,7 @@ pam_lastlog - PAM module to display date of last login + PAM module to display date of last login and perform inactive account lock out @@ -64,6 +64,12 @@ Some applications may perform this function themselves. In such cases, this module is not necessary. + + If the module is called in the auth or account phase, the accounts that + were not used recently enough will be disallowed to log in. The + check is not performed for the root account so the root is never + locked out. + -- cgit v1.2.3
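Review bot: the new DESCRIPTION paragraph ("If the module is called in the auth or account phase, the accounts that were not used recently enough will be disallowed to log in.") should say that "used" means recorded in lastlog, so logins through services that do not update lastlog (for example a stack that omits the session line of this module) are not counted toward activity and can lead to unexpected lockouts. Wording: "will be disallowed to log in" reads better as "are denied login", and "so the root is never locked out" as "so root is never locked out".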
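Review bot: in the title hunk, "perform inactive account lock out" uses the verb form where the noun is meant; "perform inactive account lockout" is the usual spelling and is consistent with "Inactive account lock out" in the AUTHOR section, which should be changed the same way in the first patch.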