diff -up Linux-PAM-1.1.5/modules/pam_lastlog/pam_lastlog.8.xml.inactive Linux-PAM-1.1.5/modules/pam_lastlog/pam_lastlog.8.xml
--- Linux-PAM-1.1.5/modules/pam_lastlog/pam_lastlog.8.xml.inactive 2011-06-21 11:04:56.000000000 +0200
+++ Linux-PAM-1.1.5/modules/pam_lastlog/pam_lastlog.8.xml 2012-05-09 11:35:42.810209582 +0200
@@ -12,7 +12,7 @@
pam_lastlog
- PAM module to display date of last login
+ PAM module to display date of last login and perform inactive account lock out
@@ -45,6 +45,9 @@
showfailed
+
+ inactive=<days>
+
@@ -61,6 +64,12 @@
Some applications may perform this function themselves. In such
cases, this module is not necessary.
+
+ If the module is called in the auth or account phase, the accounts that
+ were not used recently enough will be disallowed to log in. The
+ check is not performed for the root account so the root is never
+ locked out.
+
@@ -165,13 +174,30 @@
+
+
+
+
+
+
+ This option is specific for the auth or account phase. It
+ specifies the number of days after the last login of the user
+ when the user will be locked out by the module. The default
+ value is 90.
+
+
+
MODULE TYPES PROVIDED
- Only the module type is provided.
+ The and module type
+ allows to lock out users which did not login recently enough.
+ The module type is provided for displaying
+ the information about the last login and/or updating the lastlog and
+ wtmp files.
@@ -207,6 +233,27 @@
+
+ PAM_AUTH_ERR
+
+
+ User locked out in the auth or account phase due to
+ inactivity.
+
+
+
+
+
+ PAM_IGNORE
+
+
+ There was an error during reading the lastlog file
+ in the auth or account phase and thus inactivity
+ of the user cannot be determined.
+
+
+
+
@@ -220,6 +267,13 @@
session required pam_lastlog.so nowtmp
+
+ To reject the user if he did not login during the previous 50 days
+ the following line can be used:
+
+
+ auth required pam_lastlog.so inactive=50
+
@@ -254,6 +308,9 @@
pam_lastlog was written by Andrew G. Morgan <morgan@kernel.org>.
+
+ Inactive account lock out added by Tomáš Mráz <tm@t8m.info>.
+
diff -up Linux-PAM-1.1.5/modules/pam_lastlog/pam_lastlog.c.inactive Linux-PAM-1.1.5/modules/pam_lastlog/pam_lastlog.c
--- Linux-PAM-1.1.5/modules/pam_lastlog/pam_lastlog.c.inactive 2011-06-21 11:04:56.000000000 +0200
+++ Linux-PAM-1.1.5/modules/pam_lastlog/pam_lastlog.c 2012-05-09 11:35:22.363759805 +0200
@@ -56,6 +56,9 @@ struct lastlog {
#define DEFAULT_HOST "" /* "[no.where]" */
#define DEFAULT_TERM "" /* "tt???" */
+#define DEFAULT_INACTIVE_DAYS 90
+#define MAX_INACTIVE_DAYS 100000
+
/*
* here, we make a definition for the externally accessible function
* in this file (this definition is required for static a module
@@ -64,6 +67,8 @@ struct lastlog {
*/
#define PAM_SM_SESSION
+#define PAM_SM_AUTH
+#define PAM_SM_ACCOUNT
#include
#include
@@ -83,7 +88,45 @@ struct lastlog {
#define LASTLOG_UPDATE 0400 /* update the lastlog and wtmp files (default) */
static int
-_pam_parse(pam_handle_t *pamh, int flags, int argc, const char **argv)
+_pam_auth_parse(pam_handle_t *pamh, int flags, int argc, const char **argv,
+ time_t *inactive)
+{
+ int ctrl = 0;
+
+ *inactive = DEFAULT_INACTIVE_DAYS;
+
+ /* does the appliction require quiet? */
+ if (flags & PAM_SILENT) {
+ ctrl |= LASTLOG_QUIET;
+ }
+
+ /* step through arguments */
+ for (; argc-- > 0; ++argv) {
+ char *ep = NULL;
+ long l;
+
+ if (!strcmp(*argv,"debug")) {
+ ctrl |= LASTLOG_DEBUG;
+ } else if (!strcmp(*argv,"silent")) {
+ ctrl |= LASTLOG_QUIET;
+ } else if (!strncmp(*argv,"inactive=", 9)) {
+ l = strtol(*argv+9, &ep, 10);
+ if (ep != *argv+9 && l > 0 && l < MAX_INACTIVE_DAYS)
+ *inactive = l;
+ else {
+ pam_syslog(pamh, LOG_ERR, "bad option value: %s", *argv);
+ }
+ } else {
+ pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
+ }
+ }
+
+ D(("ctrl = %o", ctrl));
+ return ctrl;
+}
+
+static int
+_pam_session_parse(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
int ctrl=(LASTLOG_DATE|LASTLOG_HOST|LASTLOG_LINE|LASTLOG_WTMP|LASTLOG_UPDATE);
@@ -145,6 +188,44 @@ get_tty(pam_handle_t *pamh)
}
static int
+last_login_open(pam_handle_t *pamh, int announce, uid_t uid)
+{
+ int last_fd;
+
+ /* obtain the last login date and all the relevant info */
+ last_fd = open(_PATH_LASTLOG, announce&LASTLOG_UPDATE ? O_RDWR : O_RDONLY);
+ if (last_fd < 0) {
+ if (errno == ENOENT && (announce & LASTLOG_UPDATE)) {
+ last_fd = open(_PATH_LASTLOG, O_RDWR|O_CREAT,
+ S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+ if (last_fd < 0) {
+ pam_syslog(pamh, LOG_ERR,
+ "unable to create %s: %m", _PATH_LASTLOG);
+ D(("unable to create %s file", _PATH_LASTLOG));
+ return -1;
+ }
+ pam_syslog(pamh, LOG_WARNING,
+ "file %s created", _PATH_LASTLOG);
+ D(("file %s created", _PATH_LASTLOG));
+ } else {
+ pam_syslog(pamh, LOG_ERR, "unable to open %s: %m", _PATH_LASTLOG);
+ D(("unable to open %s file", _PATH_LASTLOG));
+ return -1;
+ }
+ }
+
+ if (lseek(last_fd, sizeof(struct lastlog) * (off_t) uid, SEEK_SET) < 0) {
+ pam_syslog(pamh, LOG_ERR, "failed to lseek %s: %m", _PATH_LASTLOG);
+ D(("unable to lseek %s file", _PATH_LASTLOG));
+ close(last_fd);
+ return -1;
+ }
+
+ return last_fd;
+}
+
+
+static int
last_login_read(pam_handle_t *pamh, int announce, int last_fd, uid_t uid, time_t *lltime)
{
struct flock last_lock;
@@ -338,31 +419,9 @@ last_login_date(pam_handle_t *pamh, int
int last_fd;
/* obtain the last login date and all the relevant info */
- last_fd = open(_PATH_LASTLOG, announce&LASTLOG_UPDATE ? O_RDWR : O_RDONLY);
+ last_fd = last_login_open(pamh, announce, uid);
if (last_fd < 0) {
- if (errno == ENOENT) {
- last_fd = open(_PATH_LASTLOG, O_RDWR|O_CREAT,
- S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
- if (last_fd < 0) {
- pam_syslog(pamh, LOG_ERR,
- "unable to create %s: %m", _PATH_LASTLOG);
- D(("unable to create %s file", _PATH_LASTLOG));
- return PAM_SERVICE_ERR;
- }
- pam_syslog(pamh, LOG_WARNING,
- "file %s created", _PATH_LASTLOG);
- D(("file %s created", _PATH_LASTLOG));
- } else {
- pam_syslog(pamh, LOG_ERR, "unable to open %s: %m", _PATH_LASTLOG);
- D(("unable to open %s file", _PATH_LASTLOG));
- return PAM_SERVICE_ERR;
- }
- }
-
- if (lseek(last_fd, sizeof(struct lastlog) * (off_t) uid, SEEK_SET) < 0) {
- pam_syslog(pamh, LOG_ERR, "failed to lseek %s: %m", _PATH_LASTLOG);
- D(("unable to lseek %s file", _PATH_LASTLOG));
- return PAM_SERVICE_ERR;
+ return PAM_SERVICE_ERR;
}
retval = last_login_read(pamh, announce, last_fd, uid, lltime);
@@ -502,7 +561,91 @@ cleanup:
return retval;
}
-/* --- authentication management functions (only) --- */
+/* --- authentication (locking out inactive users) functions --- */
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags,
+ int argc, const char **argv)
+{
+ int retval, ctrl;
+ const char *user = NULL;
+ const struct passwd *pwd;
+ uid_t uid;
+ time_t lltime = 0;
+ time_t inactive_days = 0;
+ int last_fd;
+
+ /*
+ * Lock out the user if he did not login recently enough.
+ */
+
+ ctrl = _pam_auth_parse(pamh, flags, argc, argv, &inactive_days);
+
+ /* which user? */
+
+ if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL
+ || *user == '\0') {
+ pam_syslog(pamh, LOG_ERR, "cannot determine the user's name");
+ return PAM_USER_UNKNOWN;
+ }
+
+ /* what uid? */
+
+ pwd = pam_modutil_getpwnam (pamh, user);
+ if (pwd == NULL) {
+ pam_syslog(pamh, LOG_ERR, "user unknown");
+ return PAM_USER_UNKNOWN;
+ }
+ uid = pwd->pw_uid;
+ pwd = NULL; /* tidy up */
+
+ if (uid == 0)
+ return PAM_SUCCESS;
+
+ /* obtain the last login date and all the relevant info */
+ last_fd = last_login_open(pamh, ctrl, uid);
+ if (last_fd < 0) {
+ return PAM_IGNORE;
+ }
+
+ retval = last_login_read(pamh, ctrl|LASTLOG_QUIET, last_fd, uid, &lltime);
+ close(last_fd);
+
+ if (retval != PAM_SUCCESS) {
+ D(("error while reading lastlog file"));
+ return PAM_IGNORE;
+ }
+
+ if (lltime == 0) { /* user never logged in before */
+ if (ctrl & LASTLOG_DEBUG)
+ pam_syslog(pamh, LOG_DEBUG, "user never logged in - pass");
+ return PAM_SUCCESS;
+ }
+
+ lltime = (time(NULL) - lltime) / (24*60*60);
+
+ if (lltime > inactive_days) {
+ pam_syslog(pamh, LOG_INFO, "user %s inactive for %d days - denied", user, lltime);
+ return PAM_AUTH_ERR;
+ }
+
+ return PAM_SUCCESS;
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED,
+ int argc UNUSED, const char **argv UNUSED)
+{
+ return PAM_SUCCESS;
+}
+
+PAM_EXTERN int
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
+ int argc, const char **argv)
+{
+ return pam_sm_authenticate(pamh, flags, argc, argv);
+}
+
+/* --- session management functions --- */
PAM_EXTERN int
pam_sm_open_session(pam_handle_t *pamh, int flags,
@@ -519,7 +662,7 @@ pam_sm_open_session(pam_handle_t *pamh,
* last login info and then updates the lastlog for that user.
*/
- ctrl = _pam_parse(pamh, flags, argc, argv);
+ ctrl = _pam_session_parse(pamh, flags, argc, argv);
/* which user? */
@@ -560,7 +703,7 @@ pam_sm_close_session (pam_handle_t *pamh
{
const char *terminal_line;
- if (!(_pam_parse(pamh, flags, argc, argv) & LASTLOG_WTMP))
+ if (!(_pam_session_parse(pamh, flags, argc, argv) & LASTLOG_WTMP))
return PAM_SUCCESS;
terminal_line = get_tty(pamh);
@@ -577,9 +720,9 @@ pam_sm_close_session (pam_handle_t *pamh
struct pam_module _pam_lastlog_modstruct = {
"pam_lastlog",
- NULL,
- NULL,
- NULL,
+ pam_sm_authenticate,
+ pam_sm_setcred,
+ pam_sm_acct_mgmt,
pam_sm_open_session,
pam_sm_close_session,
NULL,