pam/pam-1.1.1-faillock.patch

1715 lines
56 KiB
Diff
Raw Normal View History

diff -up Linux-PAM-1.1.1/configure.in.faillock Linux-PAM-1.1.1/configure.in
--- Linux-PAM-1.1.1/configure.in.faillock 2010-09-17 15:58:41.000000000 +0200
+++ Linux-PAM-1.1.1/configure.in 2010-09-17 15:58:41.000000000 +0200
@@ -539,7 +539,7 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
modules/pam_access/Makefile modules/pam_cracklib/Makefile \
modules/pam_debug/Makefile modules/pam_deny/Makefile \
modules/pam_echo/Makefile modules/pam_env/Makefile \
- modules/pam_faildelay/Makefile \
+ modules/pam_faildelay/Makefile modules/pam_faillock/Makefile \
modules/pam_filter/Makefile modules/pam_filter/upperLOWER/Makefile \
modules/pam_ftp/Makefile modules/pam_group/Makefile \
modules/pam_issue/Makefile modules/pam_keyinit/Makefile \
diff -up Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock Linux-PAM-1.1.1/doc/sag/pam_faillock.xml
--- Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock 2010-09-17 16:05:56.000000000 +0200
+++ Linux-PAM-1.1.1/doc/sag/pam_faillock.xml 2010-09-17 16:08:26.000000000 +0200
@@ -0,0 +1,38 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+ "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<section id='sag-pam_faillock'>
+ <title>pam_faillock - temporarily locking access based on failed authentication attempts during an interval</title>
+ <cmdsynopsis>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_faillock-cmdsynopsisauth"]/*)'/>
+ </cmdsynopsis>
+ <cmdsynopsis>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_faillock-cmdsynopsisacct"]/*)'/>
+ </cmdsynopsis>
+ <section id='sag-pam_faillock-description'>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-description"]/*)'/>
+ </section>
+ <section id='sag-pam_faillock-options'>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-options"]/*)'/>
+ </section>
+ <section id='sag-pam_faillock-types'>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-types"]/*)'/>
+ </section>
+ <section id='sag-pam_faillock-return_values'>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-return_values"]/*)'/>
+ </section>
+ <section id='sag-pam_faillock-examples'>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-examples"]/*)'/>
+ </section>
+ <section id='sag-pam_faillock-author'>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-author"]/*)'/>
+ </section>
+</section>
diff -up Linux-PAM-1.1.1/modules/Makefile.am.faillock Linux-PAM-1.1.1/modules/Makefile.am
--- Linux-PAM-1.1.1/modules/Makefile.am.faillock 2010-09-17 15:58:41.000000000 +0200
+++ Linux-PAM-1.1.1/modules/Makefile.am 2010-09-17 15:58:41.000000000 +0200
@@ -3,7 +3,7 @@
#
SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \
- pam_chroot pam_console pam_postgresok \
+ pam_chroot pam_console pam_postgresok pam_faillock \
pam_env pam_exec pam_faildelay pam_filter pam_ftp \
pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
pam_listfile pam_localuser pam_loginuid pam_mail \
diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.c
--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock 2010-09-17 15:58:41.000000000 +0200
+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.c 2010-09-17 15:58:41.000000000 +0200
@@ -0,0 +1,147 @@
+/*
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, and the entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU Public License, in which case the provisions of the GPL are
+ * required INSTEAD OF the above restrictions. (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/file.h>
+#include <fcntl.h>
+#include <security/pam_modutil.h>
+
+#include "faillock.h"
+
+int
+open_tally (const char *dir, const char *user, int create)
+{
+ char *path;
+ int flags = O_RDWR;
+ int fd;
+
+ if (strstr(user, "../") != NULL)
+ /* just a defensive programming as the user must be a
+ * valid user on the system anyway
+ */
+ return -1;
+ path = malloc(strlen(dir) + strlen(user) + 2);
+ if (path == NULL)
+ return -1;
+
+ strcpy(path, dir);
+ if (*dir && dir[strlen(dir) - 1] != '/') {
+ strcat(path, "/");
+ }
+ strcat(path, user);
+
+ if (create) {
+ flags |= O_CREAT;
+ }
+
+ fd = open(path, flags, 0600);
+
+ if (fd != -1)
+ while (flock(fd, LOCK_EX) == -1 && errno == EINTR);
+
+ return fd;
+}
+
+#define CHUNK_SIZE (64 * sizeof(struct tally))
+#define MAX_RECORDS 1024
+
+int
+read_tally(int fd, struct tally_data *tallies)
+{
+ void *data = NULL, *newdata;
+ unsigned int count = 0;
+ ssize_t chunk = 0;
+
+ do {
+ newdata = realloc(data, count * sizeof(struct tally) + CHUNK_SIZE);
+ if (newdata == NULL) {
+ free(data);
+ return -1;
+ }
+
+ data = newdata;
+
+ chunk = pam_modutil_read(fd, (char *)data + count * sizeof(struct tally), CHUNK_SIZE);
+ if (chunk < 0) {
+ free(data);
+ return -1;
+ }
+
+ count += chunk/sizeof(struct tally);
+
+ if (count >= MAX_RECORDS)
+ break;
+ }
+ while (chunk == CHUNK_SIZE);
+
+ tallies->records = data;
+ tallies->count = count;
+
+ return 0;
+}
+
+int
+update_tally(int fd, struct tally_data *tallies)
+{
+ void *data = tallies->records;
+ unsigned int count = tallies->count;
+ ssize_t chunk;
+
+ if (tallies->count > MAX_RECORDS) {
+ data = tallies->records + (count - MAX_RECORDS);
+ count = MAX_RECORDS;
+ }
+
+ if (lseek(fd, 0, SEEK_SET) == (off_t)-1) {
+ return -1;
+ }
+
+ chunk = pam_modutil_write(fd, data, count * sizeof(struct tally));
+
+ if (chunk != (ssize_t)(count * sizeof(struct tally))) {
+ return -1;
+ }
+
+ if (ftruncate(fd, count * sizeof(struct tally)) == -1)
+ return -1;
+
+ return 0;
+}
diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.h
--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock 2010-09-17 15:58:41.000000000 +0200
+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.h 2010-09-17 15:58:41.000000000 +0200
@@ -0,0 +1,72 @@
+/*
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, and the entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU Public License, in which case the provisions of the GPL are
+ * required INSTEAD OF the above restrictions. (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * faillock.h - authentication failure data file record structure
+ *
+ * Each record in the file represents an instance of login failure of
+ * the user at the recorded time
+ */
+
+
+#ifndef _FAILLOCK_H
+#define _FAILLOCK_H
+
+#include <stdint.h>
+
+#define TALLY_STATUS_VALID 0x1 /* the tally file entry is valid */
+#define TALLY_STATUS_RHOST 0x2 /* the source is rhost */
+#define TALLY_STATUS_TTY 0x4 /* the source is tty - if both TALLY_FLAG_RHOST and TALLY_FLAG_TTY are not set the source is service */
+
+struct tally {
+ char source[52]; /* rhost or tty of the login failure (not necessarily NULL terminated) */
+ uint16_t reserved; /* reserved for future use */
+ uint16_t status; /* record status */
+ uint64_t time; /* time of the login failure */
+};
+/* 64 bytes per entry */
+
+struct tally_data {
+ struct tally *records; /* array of tallies */
+ unsigned int count; /* number of records */
+};
+
+#define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock"
+
+int open_tally(const char *dir, const char *user, int create);
+int read_tally(int fd, struct tally_data *tallies);
+int update_tally(int fd, struct tally_data *tallies);
+#endif
+
diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml
--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock 2010-09-17 15:58:41.000000000 +0200
+++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml 2010-09-17 15:58:41.000000000 +0200
@@ -0,0 +1,123 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="faillock">
+
+ <refmeta>
+ <refentrytitle>faillock</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id="pam_faillock-name">
+ <refname>faillock</refname>
+ <refpurpose>Tool for displaying and modifying the authentication failure record files</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis id="faillock-cmdsynopsis">
+ <command>faillock</command>
+ <arg choice="opt">
+ --dir <replaceable>/path/to/tally-directory</replaceable>
+ </arg>
+ <arg choice="opt">
+ --user <replaceable>username</replaceable>
+ </arg>
+ <arg choice="opt">
+ --reset
+ </arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id="faillock-description">
+
+ <title>DESCRIPTION</title>
+
+ <para>
+ The <emphasis>pam_faillock.so</emphasis> module maintains a list of
+ failed authentication attempts per user during a specified interval
+ and locks the account in case there were more than
+ <replaceable>deny</replaceable> consecutive failed authentications.
+ It stores the failure records into per-user files in the tally
+ directory.
+ </para>
+ <para>
+ The <command>faillock</command> command is an application which
+ can be used to examine and modify the contents of the
+ the tally files. It can display the recent failed authentication
+ attempts of the <replaceable>username</replaceable> or clear the tally
+ files of all or individual <replaceable>usernames</replaceable>.
+ </para>
+ </refsect1>
+
+ <refsect1 id="faillock-options">
+
+ <title>OPTIONS</title>
+ <variablelist>
+ <varlistentry>
+ <term>
+ <option>--dir <replaceable>/path/to/tally-directory</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ The directory where the user files with the failure records are kept. The
+ default is <filename>/var/run/faillock</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>--user <replaceable>username</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ The user whose failure records should be displayed or cleared.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>--reset</option>
+ </term>
+ <listitem>
+ <para>
+ Instead of displaying the user's failure records, clear them.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id="faillock-files">
+ <title>FILES</title>
+ <variablelist>
+ <varlistentry>
+ <term><filename>/var/run/faillock/*</filename></term>
+ <listitem>
+ <para>the files logging the authentication failures for users</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='faillock-see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>pam_faillock</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+
+ <refsect1 id='faillock-author'>
+ <title>AUTHOR</title>
+ <para>
+ faillock was written by Tomas Mraz.
+ </para>
+ </refsect1>
+
+</refentry>
diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/main.c
--- Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock 2010-09-17 15:58:41.000000000 +0200
+++ Linux-PAM-1.1.1/modules/pam_faillock/main.c 2010-09-17 15:58:41.000000000 +0200
2013-10-14 15:36:01 +00:00
@@ -0,0 +1,233 @@
+/*
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, and the entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU Public License, in which case the provisions of the GPL are
+ * required INSTEAD OF the above restrictions. (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <dirent.h>
+#include <errno.h>
+#include <pwd.h>
+#include <time.h>
2013-10-14 15:36:01 +00:00
+#include <sys/types.h>
+#include <unistd.h>
+#ifdef HAVE_LIBAUDIT
+#include <libaudit.h>
+#endif
+
+#include "faillock.h"
+
+struct options {
+ unsigned int reset;
+ const char *dir;
+ const char *user;
+ const char *progname;
+};
+
+static int
+args_parse(int argc, char **argv, struct options *opts)
+{
+ int i;
+ memset(opts, 0, sizeof(*opts));
+
+ opts->dir = FAILLOCK_DEFAULT_TALLYDIR;
+ opts->progname = argv[0];
+
+ for (i = 1; i < argc; ++i) {
+
+ if (strcmp(argv[i], "--dir") == 0) {
+ ++i;
+ if (i >= argc || strlen(argv[i]) == 0) {
+ fprintf(stderr, "%s: No directory supplied.\n", argv[0]);
+ return -1;
+ }
+ opts->dir = argv[i];
+ }
+ else if (strcmp(argv[i], "--user") == 0) {
+ ++i;
+ if (i >= argc || strlen(argv[i]) == 0) {
+ fprintf(stderr, "%s: No user name supplied.\n", argv[0]);
+ return -1;
+ }
+ opts->user = argv[i];
+ }
+ else if (strcmp(argv[i], "--reset") == 0) {
+ opts->reset = 1;
+ }
+ else {
+ fprintf(stderr, "%s: Unknown option: %s\n", argv[0], argv[i]);
+ return -1;
+ }
+ }
+ return 0;
+}
+
+static void
+usage(const char *progname)
+{
+ fprintf(stderr, _("Usage: %s [--dir /path/to/tally-directory] [--user username] [--reset]\n"),
+ progname);
+}
+
+static int
+do_user(struct options *opts, const char *user)
+{
+ int fd;
+ int rv;
+ struct tally_data tallies;
+
+ fd = open_tally(opts->dir, user, 0);
+
+ if (fd == -1) {
+ if (errno == ENOENT) {
+ return 0;
+ }
+ else {
+ fprintf(stderr, "%s: Error opening the tally file for %s:",
+ opts->progname, user);
+ perror(NULL);
+ return 3;
+ }
+ }
+ if (opts->reset) {
+#ifdef HAVE_LIBAUDIT
+ char buf[64];
+ int audit_fd;
+#endif
+
+ while ((rv=ftruncate(fd, 0)) == -1 && errno == EINTR);
+ if (rv == -1) {
+ fprintf(stderr, "%s: Error clearing the tally file for %s:",
+ opts->progname, user);
+ perror(NULL);
+#ifdef HAVE_LIBAUDIT
+ }
+ if ((audit_fd=audit_open()) >= 0) {
+ struct passwd *pwd;
+
+ if ((pwd=getpwnam(user)) != NULL) {
+ snprintf(buf, sizeof(buf), "faillock reset uid=%u",
+ pwd->pw_uid);
+ audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
+ buf, NULL, NULL, NULL, rv == 0);
+ }
+ close(audit_fd);
+ }
+ if (rv == -1) {
+#endif
+ close(fd);
+ return 4;
+ }
+ }
+ else {
+ unsigned int i;
+
+ memset(&tallies, 0, sizeof(tallies));
+ if ((rv=read_tally(fd, &tallies)) == -1) {
+ fprintf(stderr, "%s: Error reading the tally file for %s:",
+ opts->progname, user);
+ perror(NULL);
+ close(fd);
+ return 5;
+ }
+
+ printf("%s:\n", user);
+ printf("%-19s %-5s %-48s %-5s\n", "When", "Type", "Source", "Valid");
+
+ for (i = 0; i < tallies.count; i++) {
+ struct tm *tm;
+ char timebuf[80];
+ uint16_t status = tallies.records[i].status;
+ time_t when = tallies.records[i].time;
+
+ tm = localtime(&when);
+ strftime(timebuf, sizeof(timebuf), "%Y-%m-%d %H:%M:%S", tm);
+ printf("%-19s %-5s %-52.52s %s\n", timebuf,
+ status & TALLY_STATUS_RHOST ? "RHOST" : (status & TALLY_STATUS_TTY ? "TTY" : "SVC"),
+ tallies.records[i].source, status & TALLY_STATUS_VALID ? "V":"I");
+ }
+ free(tallies.records);
+ }
+ close(fd);
+ return 0;
+}
+
+static int
+do_allusers(struct options *opts)
+{
+ struct dirent **userlist;
+ int rv, i;
+
+ rv = scandir(opts->dir, &userlist, NULL, alphasort);
+ if (rv < 0) {
+ fprintf(stderr, "%s: Error reading tally directory: ", opts->progname);
+ perror(NULL);
+ return 2;
+ }
+
+ for (i = 0; i < rv; i++) {
+ if (userlist[i]->d_name[0] == '.') {
+ if ((userlist[i]->d_name[1] == '.' && userlist[i]->d_name[2] == '\0') ||
+ userlist[i]->d_name[1] == '\0')
+ continue;
+ }
+ do_user(opts, userlist[i]->d_name);
+ free(userlist[i]);
+ }
+ free(userlist);
+
+ return 0;
+}
+
+
+/*-----------------------------------------------------------------------*/
+int
+main (int argc, char *argv[])
+{
+ struct options opts;
+
+ if (args_parse(argc, argv, &opts)) {
+ usage(argv[0]);
+ return 1;
+ }
+
+ if (opts.user == NULL) {
+ return do_allusers(&opts);
+ }
+
+ return do_user(&opts, opts.user);
+}
+
diff -up Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am
--- Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock 2010-09-17 15:58:41.000000000 +0200
+++ Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am 2010-09-17 15:58:41.000000000 +0200
@@ -0,0 +1,43 @@
+#
+# Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk <kukuk@thkukuk.de>
+# Copyright (c) 2008 Red Hat, Inc.
+# Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
+#
+
+CLEANFILES = *~
+MAINTAINERCLEANFILES = $(MANS) README
+
+EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_faillock
+
+man_MANS = pam_faillock.8 faillock.8
+XMLS = README.xml pam_faillock.8.xml faillock.8.xml
+
+TESTS = tst-pam_faillock
+
+securelibdir = $(SECUREDIR)
+secureconfdir = $(SCONFIGDIR)
+
+noinst_HEADERS = faillock.h
+
+faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
+pam_faillock_la_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
+
+pam_faillock_la_LDFLAGS = -no-undefined -avoid-version -module
+pam_faillock_la_LIBADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT)
+if HAVE_VERSIONING
+ pam_faillock_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+endif
+
+faillock_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT)
+
+securelib_LTLIBRARIES = pam_faillock.la
+sbin_PROGRAMS = faillock
+
+pam_faillock_la_SOURCES = pam_faillock.c faillock.c
+faillock_SOURCES = main.c faillock.c
+
+if ENABLE_REGENERATE_MAN
+noinst_DATA = README
+README: pam_faillock.8.xml
+-include $(top_srcdir)/Make.xml.rules
+endif
diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c
--- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock 2010-09-17 15:58:41.000000000 +0200
+++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c 2010-09-17 15:58:41.000000000 +0200
@@ -0,0 +1,550 @@
+/*
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, and the entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU Public License, in which case the provisions of the GPL are
+ * required INSTEAD OF the above restrictions. (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <time.h>
+#include <pwd.h>
+#include <syslog.h>
+
+#ifdef HAVE_LIBAUDIT
+#include <libaudit.h>
+#endif
+
+#include <security/pam_modules.h>
+#include <security/pam_modutil.h>
+#include <security/pam_ext.h>
+
+#include "faillock.h"
+
+#define PAM_SM_AUTH
+#define PAM_SM_ACCOUNT
+
+#define FAILLOCK_ACTION_PREAUTH 0
+#define FAILLOCK_ACTION_AUTHSUCC 1
+#define FAILLOCK_ACTION_AUTHFAIL 2
+
+#define FAILLOCK_FLAG_DENY_ROOT 0x1
+#define FAILLOCK_FLAG_AUDIT 0x2
+#define FAILLOCK_FLAG_SILENT 0x4
+#define FAILLOCK_FLAG_NO_LOG_INFO 0x8
+#define FAILLOCK_FLAG_UNLOCKED 0x10
+
+#define MAX_TIME_INTERVAL 604800 /* 7 days */
+
+struct options {
+ unsigned int action;
+ unsigned int flags;
+ unsigned short deny;
+ unsigned int fail_interval;
+ unsigned int unlock_time;
+ unsigned int root_unlock_time;
+ const char *dir;
+ const char *user;
+ int failures;
+ uint64_t latest_time;
+ uid_t uid;
+ uint64_t now;
+};
+
+static void
+args_parse(pam_handle_t *pamh, int argc, const char **argv,
+ int flags, struct options *opts)
+{
+ int i;
+ memset(opts, 0, sizeof(*opts));
+
+ opts->dir = FAILLOCK_DEFAULT_TALLYDIR;
+ opts->deny = 3;
+ opts->fail_interval = 900;
+ opts->unlock_time = 600;
+ opts->root_unlock_time = MAX_TIME_INTERVAL+1;
+
+ for (i = 0; i < argc; ++i) {
+
+ if (strncmp(argv[i], "dir=", 4) == 0) {
+ if (argv[i][4] != '/') {
+ pam_syslog(pamh, LOG_ERR,
+ "Tally directory is not absolute path (%s); keeping default", argv[i]);
+ } else {
+ opts->dir = argv[i]+4;
+ }
+ }
+ else if (strncmp(argv[i], "deny=", 5) == 0) {
+ if (sscanf(argv[i]+5, "%hu", &opts->deny) != 1) {
+ pam_syslog(pamh, LOG_ERR,
+ "Bad number supplied for deny argument");
+ }
+ }
+ else if (strncmp(argv[i], "fail_interval=", 14) == 0) {
+ unsigned int temp;
+ if (sscanf(argv[i]+14, "%u", &temp) != 1 ||
+ temp > MAX_TIME_INTERVAL) {
+ pam_syslog(pamh, LOG_ERR,
+ "Bad number supplied for fail_interval argument");
+ } else {
+ opts->fail_interval = temp;
+ }
+ }
+ else if (strncmp(argv[i], "unlock_time=", 12) == 0) {
+ unsigned int temp;
+ if (sscanf(argv[i]+12, "%u", &temp) != 1 ||
+ temp > MAX_TIME_INTERVAL) {
+ pam_syslog(pamh, LOG_ERR,
+ "Bad number supplied for unlock_time argument");
+ } else {
+ opts->unlock_time = temp;
+ }
+ }
+ else if (strncmp(argv[i], "root_unlock_time=", 17) == 0) {
+ unsigned int temp;
+ if (sscanf(argv[i]+17, "%u", &temp) != 1 ||
+ temp > MAX_TIME_INTERVAL) {
+ pam_syslog(pamh, LOG_ERR,
+ "Bad number supplied for root_unlock_time argument");
+ } else {
+ opts->root_unlock_time = temp;
+ }
+ }
+ else if (strcmp(argv[i], "preauth") == 0) {
+ opts->action = FAILLOCK_ACTION_PREAUTH;
+ }
+ else if (strcmp(argv[i], "authfail") == 0) {
+ opts->action = FAILLOCK_ACTION_AUTHFAIL;
+ }
+ else if (strcmp(argv[i], "authsucc") == 0) {
+ opts->action = FAILLOCK_ACTION_AUTHSUCC;
+ }
+ else if (strcmp(argv[i], "even_deny_root") == 0) {
+ opts->flags |= FAILLOCK_FLAG_DENY_ROOT;
+ }
+ else if (strcmp(argv[i], "audit") == 0) {
+ opts->flags |= FAILLOCK_FLAG_AUDIT;
+ }
+ else if (strcmp(argv[i], "silent") == 0) {
+ opts->flags |= FAILLOCK_FLAG_SILENT;
+ }
+ else if (strcmp(argv[i], "no_log_info") == 0) {
+ opts->flags |= FAILLOCK_FLAG_NO_LOG_INFO;
+ }
+ else {
+ pam_syslog(pamh, LOG_ERR, "Unknown option: %s", argv[i]);
+ }
+ }
+
+ if (opts->root_unlock_time == MAX_TIME_INTERVAL+1)
+ opts->root_unlock_time = opts->unlock_time;
+ if (flags & PAM_SILENT)
+ opts->flags |= FAILLOCK_FLAG_SILENT;
+}
+
+static int get_pam_user(pam_handle_t *pamh, struct options *opts)
+{
+ const char *user;
+ int rv;
+ struct passwd *pwd;
+
+ if ((rv=pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
+ return rv;
+ }
+
+ if (*user == '\0') {
+ return PAM_IGNORE;
+ }
+
+ if ((pwd=pam_modutil_getpwnam(pamh, user)) == NULL) {
+ if (opts->flags & FAILLOCK_FLAG_AUDIT) {
+ pam_syslog(pamh, LOG_ERR, "User unknown: %s", user);
+ }
+ else {
+ pam_syslog(pamh, LOG_ERR, "User unknown");
+ }
+ return PAM_IGNORE;
+ }
+ opts->user = user;
+ opts->uid = pwd->pw_uid;
+ return PAM_SUCCESS;
+}
+
+static int
+check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies, int *fd)
+{
+ int tfd;
+ unsigned int i;
+ uint64_t latest_time;
+ int failures;
+
+ opts->now = time(NULL);
+
+ tfd = open_tally(opts->dir, opts->user, 0);
+
+ *fd = tfd;
+
+ if (tfd == -1) {
+ if (errno == EACCES || errno == ENOENT) {
+ return PAM_SUCCESS;
+ }
+ pam_syslog(pamh, LOG_ERR, "Error opening the tally file for %s: %m", opts->user);
+ return PAM_SYSTEM_ERR;
+ }
+
+ if (read_tally(tfd, tallies) != 0) {
+ pam_syslog(pamh, LOG_ERR, "Error reading the tally file for %s: %m", opts->user);
+ return PAM_SYSTEM_ERR;
+ }
+
+ if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
+ return PAM_SUCCESS;
+ }
+
+ latest_time = 0;
+ for(i = 0; i < tallies->count; i++) {
+ if ((tallies->records[i].status & TALLY_STATUS_VALID) &&
+ tallies->records[i].time > latest_time)
+ latest_time = tallies->records[i].time;
+ }
+
+ opts->latest_time = latest_time;
+
+ failures = 0;
+ for(i = 0; i < tallies->count; i++) {
+ if ((tallies->records[i].status & TALLY_STATUS_VALID) &&
+ latest_time - tallies->records[i].time < opts->fail_interval) {
+ ++failures;
+ }
+ }
+
+ opts->failures = failures;
+
+ if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
+ return PAM_SUCCESS;
+ }
+
+ if (opts->deny && failures >= opts->deny) {
+ if ((opts->uid && latest_time + opts->unlock_time < opts->now) ||
+ (!opts->uid && latest_time + opts->root_unlock_time < opts->now)) {
+#ifdef HAVE_LIBAUDIT
+ if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */
+ char buf[64];
+ int audit_fd;
+
+ audit_fd = audit_open();
+ /* If there is an error & audit support is in the kernel report error */
+ if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT ||
+ errno == EAFNOSUPPORT))
+ return PAM_SYSTEM_ERR;
+
+ snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
+ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
+ NULL, NULL, NULL, 1);
+ }
+#endif
+ opts->flags |= FAILLOCK_FLAG_UNLOCKED;
+ return PAM_SUCCESS;
+ }
+ return PAM_AUTH_ERR;
+ }
+ return PAM_SUCCESS;
+}
+
+static void
+reset_tally(pam_handle_t *pamh, struct options *opts, int *fd)
+{
+ int rv;
+
+ while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR);
+ if (rv == -1) {
+ pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user);
+ }
+}
+
+static int
+write_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies, int *fd)
+{
+ struct tally *records;
+ unsigned int i;
+ int failures;
+ unsigned int oldest;
+ uint64_t oldtime;
+ const void *source = NULL;
+
+ if (*fd == -1) {
+ *fd = open_tally(opts->dir, opts->user, 1);
+ }
+ if (*fd == -1) {
+ if (errno == EACCES) {
+ return PAM_SUCCESS;
+ }
+ pam_syslog(pamh, LOG_ERR, "Error opening the tally file for %s: %m", opts->user);
+ return PAM_SYSTEM_ERR;
+ }
+
+ oldtime = 0;
+ oldest = 0;
+ failures = 0;
+
+ for (i = 0; i < tallies->count; ++i) {
+ if (tallies->records[i].time < oldtime) {
+ oldtime = tallies->records[i].time;
+ oldest = i;
+ }
+ if (opts->flags & FAILLOCK_FLAG_UNLOCKED ||
+ opts->now - tallies->records[i].time >= opts->fail_interval ) {
+ tallies->records[i].status &= ~TALLY_STATUS_VALID;
+ } else {
+ ++failures;
+ }
+ }
+
+ if (oldest >= tallies->count || (tallies->records[oldest].status & TALLY_STATUS_VALID)) {
+ oldest = tallies->count;
+
+ if ((records=realloc(tallies->records, (oldest+1) * sizeof (*tallies->records))) == NULL) {
+ pam_syslog(pamh, LOG_CRIT, "Error allocating memory for tally records: %m");
+ return PAM_BUF_ERR;
+ }
+
+ ++tallies->count;
+ tallies->records = records;
+ }
+
+ memset(&tallies->records[oldest], 0, sizeof (*tallies->records));
+
+ tallies->records[oldest].status = TALLY_STATUS_VALID;
+ if (pam_get_item(pamh, PAM_RHOST, &source) != PAM_SUCCESS || source == NULL) {
+ if (pam_get_item(pamh, PAM_TTY, &source) != PAM_SUCCESS || source == NULL) {
+ if (pam_get_item(pamh, PAM_SERVICE, &source) != PAM_SUCCESS || source == NULL) {
+ source = "";
+ }
+ }
+ else {
+ tallies->records[oldest].status |= TALLY_STATUS_TTY;
+ }
+ }
+ else {
+ tallies->records[oldest].status |= TALLY_STATUS_RHOST;
+ }
+
+ strncpy(tallies->records[oldest].source, source, sizeof(tallies->records[oldest].source));
+ /* source does not have to be null terminated */
+
+ tallies->records[oldest].time = opts->now;
+
+ ++failures;
+
+ if (opts->deny && failures == opts->deny) {
+#ifdef HAVE_LIBAUDIT
+ char buf[64];
+ int audit_fd;
+
+ audit_fd = audit_open();
+ /* If there is an error & audit support is in the kernel report error */
+ if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT ||
+ errno == EAFNOSUPPORT))
+ return PAM_SYSTEM_ERR;
+
+ snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
+ audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
+ NULL, NULL, NULL, 1);
+
+ if (opts->uid != 0 || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
+ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf,
+ NULL, NULL, NULL, 1);
+ }
+ close(audit_fd);
+#endif
+ if (!(opts->flags & FAILLOCK_FLAG_NO_LOG_INFO)) {
+ pam_syslog(pamh, LOG_INFO, "Consecutive login failures for user %s account temporarily locked",
+ opts->user);
+ }
+ }
+
+ if (update_tally(*fd, tallies) == 0)
+ return PAM_SUCCESS;
+
+ return PAM_SYSTEM_ERR;
+}
+
+static void
+faillock_message(pam_handle_t *pamh, struct options *opts)
+{
+ int64_t left;
+
+ if (!(opts->flags & FAILLOCK_FLAG_SILENT)) {
+ if (opts->uid) {
+ left = opts->latest_time + opts->unlock_time - opts->now;
+ }
+ else {
+ left = opts->latest_time + opts->root_unlock_time - opts->now;
+ }
+
+ left /= 60; /* minutes */
+
+ pam_info(pamh, _("Account temporarily locked due to %d failed logins"),
+ opts->failures);
+ pam_info(pamh, _("(%d minutes left to unlock)"), (int)left);
+ }
+}
+
+static void
+tally_cleanup(struct tally_data *tallies, int fd)
+{
+ if (fd != -1) {
+ close(fd);
+ }
+
+ free(tallies->records);
+}
+
+/*---------------------------------------------------------------------*/
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags,
+ int argc, const char **argv)
+{
+ struct options opts;
+ int rv, fd = -1;
+ struct tally_data tallies;
+
+ memset(&tallies, 0, sizeof(tallies));
+
+ args_parse(pamh, argc, argv, flags, &opts);
+
+ pam_fail_delay(pamh, 2000000); /* 2 sec delay for on failure */
+
+ if ((rv=get_pam_user(pamh, &opts)) != PAM_SUCCESS) {
+ return rv;
+ }
+
+ switch (opts.action) {
+ case FAILLOCK_ACTION_PREAUTH:
+ rv = check_tally(pamh, &opts, &tallies, &fd);
+ if (rv == PAM_AUTH_ERR && !(opts.flags & FAILLOCK_FLAG_SILENT)) {
+ faillock_message(pamh, &opts);
+ }
+ break;
+
+ case FAILLOCK_ACTION_AUTHSUCC:
+ rv = check_tally(pamh, &opts, &tallies, &fd);
+ if (rv == PAM_SUCCESS && fd != -1) {
+ reset_tally(pamh, &opts, &fd);
+ }
+ break;
+
+ case FAILLOCK_ACTION_AUTHFAIL:
+ rv = check_tally(pamh, &opts, &tallies, &fd);
+ if (rv == PAM_SUCCESS) {
+ rv = PAM_IGNORE; /* this return value should be ignored */
+ write_tally(pamh, &opts, &tallies, &fd);
+ }
+ break;
+ }
+
+ tally_cleanup(&tallies, fd);
+
+ return rv;
+}
+
+/*---------------------------------------------------------------------*/
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED,
+ int argc UNUSED, const char **argv UNUSED)
+{
+ return PAM_SUCCESS;
+}
+
+/*---------------------------------------------------------------------*/
+
+PAM_EXTERN int
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
+ int argc, const char **argv)
+{
+ struct options opts;
+ int rv, fd = -1;
+ struct tally_data tallies;
+
+ memset(&tallies, 0, sizeof(tallies));
+
+ args_parse(pamh, argc, argv, flags, &opts);
+
+ opts.action = FAILLOCK_ACTION_AUTHSUCC;
+
+ if ((rv=get_pam_user(pamh, &opts)) != PAM_SUCCESS) {
+ return rv;
+ }
+
+ check_tally(pamh, &opts, &tallies, &fd);
+ if (fd != -1) {
+ reset_tally(pamh, &opts, &fd);
+ }
+
+ tally_cleanup(&tallies, fd);
+
+ return PAM_SUCCESS;
+}
+
+/*-----------------------------------------------------------------------*/
+
+#ifdef PAM_STATIC
+
+/* static module data */
+
+struct pam_module _pam_faillock_modstruct = {
+ MODULE_NAME,
+#ifdef PAM_SM_AUTH
+ pam_sm_authenticate,
+ pam_sm_setcred,
+#else
+ NULL,
+ NULL,
+#endif
+#ifdef PAM_SM_ACCOUNT
+ pam_sm_acct_mgmt,
+#else
+ NULL,
+#endif
+ NULL,
+ NULL,
+ NULL,
+};
+
+#endif /* #ifdef PAM_STATIC */
+
diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml
--- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock 2010-09-17 15:58:41.000000000 +0200
+++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml 2010-09-17 15:58:41.000000000 +0200
@@ -0,0 +1,396 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="pam_faillock">
+
+ <refmeta>
+ <refentrytitle>pam_faillock</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id="pam_faillock-name">
+ <refname>pam_faillock</refname>
+ <refpurpose>Module counting authentication failures during a specified interval</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis id="pam_faillock-cmdsynopsisauth">
+ <command>auth ... pam_faillock.so</command>
+ <arg choice="req">
+ preauth|authfail|authsucc
+ </arg>
+ <arg choice="opt">
+ dir=<replaceable>/path/to/tally-directory</replaceable>
+ </arg>
+ <arg choice="opt">
+ even_deny_root
+ </arg>
+ <arg choice="opt">
+ deny=<replaceable>n</replaceable>
+ </arg>
+ <arg choice="opt">
+ fail_interval=<replaceable>n</replaceable>
+ </arg>
+ <arg choice="opt">
+ unlock_time=<replaceable>n</replaceable>
+ </arg>
+ <arg choice="opt">
+ root_unlock_time=<replaceable>n</replaceable>
+ </arg>
+ <arg choice="opt">
+ audit
+ </arg>
+ <arg choice="opt">
+ silent
+ </arg>
+ <arg choice="opt">
+ no_log_info
+ </arg>
+ </cmdsynopsis>
+ <cmdsynopsis id="pam_faillock-cmdsynopsisacct">
+ <command>account ... pam_faillock.so</command>
+ <arg choice="opt">
+ dir=<replaceable>/path/to/tally-directory</replaceable>
+ </arg>
+ <arg choice="opt">
+ no_log_info
+ </arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id="pam_faillock-description">
+
+ <title>DESCRIPTION</title>
+
+ <para>
+ This module maintains a list of failed authentication attempts per
+ user during a specified interval and locks the account in case
+ there were more than <replaceable>deny</replaceable> consecutive
+ failed authentications.
+ </para>
+ <para>
+ Normally, failed attempts to authenticate <emphasis>root</emphasis> will
+ <emphasis remap='B'>not</emphasis> cause the root account to become
+ blocked, to prevent denial-of-service: if your users aren't given
+ shell accounts and root may only login via <command>su</command> or
+ at the machine console (not telnet/rsh, etc), this is safe.
+ </para>
+ </refsect1>
+
+ <refsect1 id="pam_faillock-options">
+
+ <title>OPTIONS</title>
+ <variablelist>
+ <varlistentry>
+ <term>
+ <option>{preauth|authfail|authsucc}</option>
+ </term>
+ <listitem>
+ <para>
+ This argument must be set accordingly to the position of this module
+ instance in the PAM stack.
+ </para>
+ <para>
+ The <emphasis>preauth</emphasis> argument must be used when the module
+ is called before the modules which ask for the user credentials such
+ as the password. The module just examines whether the user should
+ be blocked from accessing the service in case there were anomalous
+ number of failed consecutive authentication attempts recently. This
+ call is optional if <emphasis>authsucc</emphasis> is used.
+ </para>
+ <para>
+ The <emphasis>authfail</emphasis> argument must be used when the module
+ is called after the modules which determine the authentication outcome,
+ failed. Unless the user is already blocked due to previous authentication
+ failures, the module will record the failure into the appropriate user
+ tally file.
+ </para>
+ <para>
+ The <emphasis>authsucc</emphasis> argument must be used when the module
+ is called after the modules which determine the authentication outcome,
+ succeded. Unless the user is already blocked due to previous authentication
+ failures, the module will then clear the record of the failures in the
+ respective user tally file. Otherwise it will return authentication error.
+ If this call is not done, the pam_faillock will not distinguish between
+ consecutive and non-consecutive failed authentication attempts. The
+ <emphasis>preauth</emphasis> call must be used in such case. Due to
+ complications in the way the PAM stack can be configured it is also
+ possible to call <emphasis>pam_faillock</emphasis> as an account module.
+ In such configuration the module must be also called in the
+ <emphasis>preauth</emphasis> stage.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>dir=<replaceable>/path/to/tally-directory</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ The directory where the user files with the failure records are kept. The
+ default is <filename>/var/run/faillock</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>audit</option>
+ </term>
+ <listitem>
+ <para>
+ Will log the user name into the system log if the user is not found.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>silent</option>
+ </term>
+ <listitem>
+ <para>
+ Don't print informative messages. This option is implicite
+ in the <emphasis>authfail</emphasis> and <emphasis>authsucc</emphasis>
+ functions.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>no_log_info</option>
+ </term>
+ <listitem>
+ <para>
+ Don't log informative messages via <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>deny=<replaceable>n</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ Deny access if the number of consecutive authentication failures
+ for this user during the recent interval exceeds
+ <replaceable>n</replaceable>. The default is 3.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>fail_interval=<replaceable>n</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ The length of the interval during which the consecutive
+ authentication failures must happen for the user account
+ lock out is <replaceable>n</replaceable> seconds.
+ The default is 900 (15 minutes).
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>unlock_time=<replaceable>n</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ The access will be reenabled after
+ <replaceable>n</replaceable> seconds after the lock out.
+ The default is 600 (10 minutes).
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>even_deny_root</option>
+ </term>
+ <listitem>
+ <para>
+ Root account can become locked as well as regular accounts.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>root_unlock_time=<replaceable>n</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ This option implies <option>even_deny_root</option> option.
+ Allow access after <replaceable>n</replaceable> seconds
+ to root account after the account is locked. In case the
+ option is not specified the value is the same as of the
+ <option>unlock_time</option> option.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id="pam_faillock-types">
+ <title>MODULE TYPES PROVIDED</title>
+ <para>
+ The <option>auth</option> and <option>account</option> module types are
+ provided.
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_faillock-return_values'>
+ <title>RETURN VALUES</title>
+ <variablelist>
+ <varlistentry>
+ <term>PAM_AUTH_ERR</term>
+ <listitem>
+ <para>
+ A invalid option was given, the module was not able
+ to retrieve the user name, no valid counter file
+ was found, or too many failed logins.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>PAM_SUCCESS</term>
+ <listitem>
+ <para>
+ Everything was successful.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>PAM_IGNORE</term>
+ <listitem>
+ <para>
+ User not present in passwd database.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='pam_faillock-notes'>
+ <title>NOTES</title>
+ <para>
+ <emphasis>pam_faillock</emphasis> setup in the PAM stack is different
+ from the <emphasis>pam_tally2</emphasis> module setup.
+ </para>
+ <para>
+ There is no setuid wrapper for access to the data file such as when the
+ <emphasis remap='B'>pam_faillock.so</emphasis> module is called from
+ a screensaver. As this would make it impossible to share PAM configuration
+ with such services the following workaround is used: If the data file
+ cannot be opened because of insufficient permissions
+ (<errorcode>EACCES</errorcode>) the module returns
+ <errorcode>PAM_SUCCESS</errorcode>.
+ </para>
+ <para>
+ Note that using the module in <option>preauth</option> without the
+ <option>silent</option> option or with <emphasis>requisite</emphasis>
+ control field leaks an information about existence or
+ non-existence of an user account in the system because
+ the failures are not recorded for the unknown users. The message
+ about the user account being locked is never displayed for nonexisting
+ user accounts allowing the adversary to infer that a particular account
+ is not existing on a system.
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_faillock-examples'>
+ <title>EXAMPLES</title>
+ <para>
+ Here are two possible configuration examples for <filename>/etc/pam.d/login</filename>.
+ They make <emphasis>pam_faillock</emphasis> to lock the account after 4 consecutive
+ failed logins during the default interval of 15 minutes. Root account will be locked
+ as well. The accounts will be automatically unlocked after 20 minutes.
+ </para>
+ <para>
+ In the first example the module is called only in the <emphasis>auth</emphasis>
+ phase and the module does not print any information about the account blocking
+ by <emphasis>pam_faillock</emphasis>. The <emphasis>preauth</emphasis> call can
+ be added to tell the user that his login is blocked by the module and also to abort
+ the authentication without even asking for password in such case.
+ </para>
+ <programlisting>
+auth required pam_securetty.so
+auth required pam_env.so
+auth required pam_nologin.so
+# optionally call: auth requisite pam_faillock.so preauth deny=4 even_deny_root unlock_time=1200
+# to display the message about account being locked
+auth [success=1 default=bad] pam_unix.so
+auth [default=die] pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200
+auth sufficient pam_faillock.so authsucc deny=4 even_deny_root unlock_time=1200
+auth required pam_deny.so
+account required pam_unix.so
+password required pam_unix.so shadow
+session required pam_selinux.so close
+session required pam_loginuid.so
+session required pam_unix.so
+session required pam_selinux.so open
+ </programlisting>
+ <para>
+ In the second example the module is called both in the <emphasis>auth</emphasis>
+ and <emphasis>account</emphasis> phases and the module gives the authenticating
+ user message when the account is locked
+ </para>
+ <programlisting>
+auth required pam_securetty.so
+auth required pam_env.so
+auth required pam_nologin.so
+auth required pam_faillock.so preauth silent deny=4 even_deny_root unlock_time=1200
+# optionally use requisite above if you do not want to prompt for the password
+# on locked accounts, possibly with removing the silent option as well
+auth sufficient pam_unix.so
+auth [default=die] pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200
+auth required pam_deny.so
+account required pam_faillock.so
+# if you drop the above call to pam_faillock.so the lock will be done also
+# on non-consecutive authentication failures
+account required pam_unix.so
+password required pam_unix.so shadow
+session required pam_selinux.so close
+session required pam_loginuid.so
+session required pam_unix.so
+session required pam_selinux.so open
+ </programlisting>
+ </refsect1>
+
+ <refsect1 id="pam_faillock-files">
+ <title>FILES</title>
+ <variablelist>
+ <varlistentry>
+ <term><filename>/var/run/faillock/*</filename></term>
+ <listitem>
+ <para>the files logging the authentication failures for users</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='pam_faillock-see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_faillock-author'>
+ <title>AUTHOR</title>
+ <para>
+ pam_faillock was written by Tomas Mraz.
+ </para>
+ </refsect1>
+
+</refentry>
diff -up Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/README.xml
--- Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock 2010-09-17 15:58:41.000000000 +0200
+++ Linux-PAM-1.1.1/modules/pam_faillock/README.xml 2010-09-17 15:58:41.000000000 +0200
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+"http://www.docbook.org/xml/4.3/docbookx.dtd"
+[
+<!--
+<!ENTITY pamaccess SYSTEM "pam_faillock.8.xml">
+-->
+]>
+
+<article>
+
+ <articleinfo>
+
+ <title>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_faillock.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_faillock-name"]/*)'/>
+ </title>
+
+ </articleinfo>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-description"]/*)'/>
+ </section>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-options"]/*)'/>
+ </section>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-notes"]/*)'/>
+ </section>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-examples"]/*)'/>
+ </section>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-author"]/*)'/>
+ </section>
+
+</article>
diff -up Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock
--- Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock 2010-09-17 15:58:41.000000000 +0200
+++ Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock 2010-09-17 15:58:41.000000000 +0200
@@ -0,0 +1,2 @@
+#!/bin/sh
+../../tests/tst-dlopen .libs/pam_faillock.so