diff --git a/Linux-PAM-1.3.1.tar.xz b/Linux-PAM-1.3.1.tar.xz deleted file mode 100644 index 424ac57beb925a2cd9f02e79911d6d92087b4cae..0000000000000000000000000000000000000000 Binary files a/Linux-PAM-1.3.1.tar.xz and /dev/null differ diff --git a/Linux-PAM-1.3.1.tar.xz.asc b/Linux-PAM-1.3.1.tar.xz.asc deleted file mode 100644 index 7057c1810b583b07d156dd62769bf0d1a705bc6d..0000000000000000000000000000000000000000 --- a/Linux-PAM-1.3.1.tar.xz.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v2 - -iD8DBQBa/r62bRp/BS5ZJLsRArnKAJ9pGaJHpsEsbOVa5dBQLHYC4DhPuACeJNrg -+DaNc8W13E4Z2ZEUSsgUGe4= -=aSTW ------END PGP SIGNATURE----- diff --git a/Linux-PAM-1.4.0.tar.xz b/Linux-PAM-1.4.0.tar.xz new file mode 100644 index 0000000000000000000000000000000000000000..507857d78d5a9e85a21ebeb4661657e104cfb5a6 Binary files /dev/null and b/Linux-PAM-1.4.0.tar.xz differ diff --git a/Linux-PAM-1.4.0.tar.xz.asc b/Linux-PAM-1.4.0.tar.xz.asc new file mode 100644 index 0000000000000000000000000000000000000000..9d8c7740036861a5960263a8a7f07e0b9296bd54 --- /dev/null +++ b/Linux-PAM-1.4.0.tar.xz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABCAAGBQJe3hBmAAoJEKgEH6g54W42HDEQAJ9Vs1mxSrz8o/lLyPUYowsx +US0jMtfC2gyjtpmXiH40CEZB3xeRZ9qJ5eSB2q2MiMRVLwI/rxQUoZ0XeYW9yls0 +g8cAxyCEdaI5GnMjLuG6rBCtlmqbrS/4fzq+AfPAm+7ITajVzcYdqHqQM6EJ6OK9 +uu4Iyt8lDUyh3Vinx9PJy0KfJQAlb5nTuKJS4Kcv5c1wTt6LZiGOM+aERl2JmWJd +O+QXCQHHWGUlAQSQcP3+p36mdy5VsUbXbT7sNaTTzjvQwxSjJ345nybgk2El571O +ZvSCdBbswDqGhyyYa8e1rqWDABE5i2Iw81OKNC95e1H4PU/FI32bdQip3cdMbD8t +kQ+mdMU7LlUUHaKnk38/k0m3GPzo5mjjRApIkZqTZV9lD2FfiQw3FuENNmumMRSR +iQrMSnr9/o3d6K+BLzbKtNiVduyEMYmfs72Z+D16mfwahlaDCHYOwnW1ieIVFv99 +3tCllbRmYYTXxHVYFkGM76r7xUKrRKYOC29j0fP2nfQChePamUUZ2nVBz3p+18p7 +wNsTS+xx0FCcLDHeU5eAy2iUKuNvvUUFh+8rrIGE5k8GldPlbKc2GrEbukZic72G +uUJnLXiPOlIMgx+C/BiTWwla1v2FTdB71E/3m6qZ02hRQ19G0GvYhXKXwJ9oLalE +JrEpuMM0et5vFXfyVnQz +=Qi9B +-----END PGP SIGNATURE----- diff --git a/bugfix-pam-1.1.8-faillock-failmessages.patch b/bugfix-pam-1.1.8-faillock-failmessages.patch index 763ba986fea1f35c5c4dc17d7f155f5e884b1b6e..32c94501474a0f484e73ae8fadf2d549467f2026 100644 --- a/bugfix-pam-1.1.8-faillock-failmessages.patch +++ b/bugfix-pam-1.1.8-faillock-failmessages.patch @@ -1,17 +1,27 @@ +From 7caf16119e3ed87818eb36a09d2fd84c4e027575 Mon Sep 17 00:00:00 2001 +From: openEuler Buildteam +Date: Mon, 27 Jul 2020 09:11:29 +0800 +Subject: [PATCH] bugfix pam 1.1.8 faillock failmessages + +--- + modules/pam_faillock/pam_faillock.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c -index 1742542..8153638 100644 +index f592d0a..5b5cc2c 100644 --- a/modules/pam_faillock/pam_faillock.c +++ b/modules/pam_faillock/pam_faillock.c -@@ -445,11 +445,10 @@ faillock_message(pam_handle_t *pamh, struct options *opts) - } - +@@ -645,9 +645,7 @@ faillock_message(pam_handle_t *pamh, struct options *opts) + pam_info(pamh, _("The account is locked due to %u failed logins."), + (unsigned int)opts->failures); if (left > 0) { - left = (left + 59)/60; /* minutes */ - - pam_info(pamh, _("Account temporarily locked due to %d failed logins"), - opts->failures); +- - pam_info(pamh, _("(%d minutes left to unlock)"), (int)left); + pam_info(pamh, _("(%d seconds left to unlock)"), (int)left); } - else { - pam_info(pamh, _("Account locked due to %d failed logins"), + } + } +-- +2.23.0 + diff --git a/bugfix-pam-1.1.8-faillock-systemtime.patch b/bugfix-pam-1.1.8-faillock-systemtime.patch index d072f475c4fa98795f320c23f6e1481eb2ed46c0..dd2d417eaa367a16a80ad4f02db7a79be67d17ce 100644 --- a/bugfix-pam-1.1.8-faillock-systemtime.patch +++ b/bugfix-pam-1.1.8-faillock-systemtime.patch @@ -1,33 +1,42 @@ +From c58a79970f5902b5b61b8ca7e82564a7db212be0 Mon Sep 17 00:00:00 2001 +From: openEuler Buildteam +Date: Mon, 27 Jul 2020 09:34:43 +0800 +Subject: [PATCH] bugfix pam 1.1.8 faillock systemtime + +--- + modules/pam_faillock/pam_faillock.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c -index 8153638..d71e781 100644 +index 5b5cc2c..600e3f6 100644 --- a/modules/pam_faillock/pam_faillock.c +++ b/modules/pam_faillock/pam_faillock.c -@@ -84,6 +84,7 @@ struct options { - uid_t uid; +@@ -91,6 +91,7 @@ struct options { int is_admin; uint64_t now; + int fatal_error; + int time_jumped; }; - static void -@@ -98,6 +99,7 @@ args_parse(pam_handle_t *pamh, int argc, const char **argv, + static int read_config_file( +@@ -121,6 +122,7 @@ args_parse(pam_handle_t *pamh, int argc, const char **argv, opts->fail_interval = 900; opts->unlock_time = 600; opts->root_unlock_time = MAX_TIME_INTERVAL+1; + opts->time_jumped = 0; for (i = 0; i < argc; ++i) { - -@@ -266,8 +268,6 @@ check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies + const char *str; +@@ -464,8 +466,6 @@ check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies latest_time = tallies->records[i].time; } - opts->latest_time = latest_time; - failures = 0; - for(i = 0; i < tallies->count; i++) { + for (i = 0; i < tallies->count; i++) { if ((tallies->records[i].status & TALLY_STATUS_VALID) && -@@ -278,6 +278,19 @@ check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies +@@ -476,6 +476,19 @@ check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies opts->failures = failures; @@ -47,14 +56,17 @@ index 8153638..d71e781 100644 if (opts->deny && failures >= opts->deny) { if ((!opts->is_admin && opts->unlock_time && latest_time + opts->unlock_time < opts->now) || (opts->is_admin && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) { -@@ -508,6 +521,10 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, - rv = PAM_IGNORE; /* this return value should be ignored */ - write_tally(pamh, &opts, &tallies, &fd); - } -+ if (opts.time_jumped) { -+ if (update_tally(fd, &tallies) != 0) -+ rv = PAM_IGNORE; -+ } - break; +@@ -712,6 +725,10 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, + rv = PAM_IGNORE; /* this return value should be ignored */ + write_tally(pamh, &opts, &tallies, &fd); + } ++ if (opts.time_jumped) { ++ if (update_tally(fd, &tallies) != 0) ++ rv = PAM_IGNORE; ++ } + break; + } } - +-- +2.23.0 + diff --git a/fix-login-message.patch b/fix-login-message.patch index 17c65ed4f7d0c30f7126572c459de32e2efe5e8c..94f3fbd0b395fcd8f2aca511e035dc02ea7e1826 100644 --- a/fix-login-message.patch +++ b/fix-login-message.patch @@ -1,17 +1,17 @@ From 1a79e750977c2c809d5fc8f44c1c90f58a261926 Mon Sep 17 00:00:00 2001 From: openEuler Buildteam Date: Wed, 17 Jun 2020 15:14:25 +0800 -Subject: [PATCH] fix login translation inaccurate +Subject: [PATCH] fix login message --- po/zh_CN.po | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/po/zh_CN.po b/po/zh_CN.po -index 33c257d..398d8b6 100644 +index b7d2c83..4227e4f 100644 --- a/po/zh_CN.po +++ b/po/zh_CN.po -@@ -320,13 +320,13 @@ msgstr "最后一次失败的登录:%s%s%s" +@@ -355,13 +355,13 @@ msgstr "最后一次失败的登录:%s%s%s" msgid "There was %d failed login attempt since the last successful login." msgid_plural "" "There were %d failed login attempts since the last successful login." @@ -19,14 +19,14 @@ index 33c257d..398d8b6 100644 +msgstr[0] "最后一次成功登录后有 %d 次失败的登录尝试。" #. TRANSLATORS: only used if dngettext is not supported - #: modules/pam_lastlog/pam_lastlog.c:548 + #: modules/pam_lastlog/pam_lastlog.c:631 #, c-format msgid "There were %d failed login attempts since the last successful login." -msgstr "最有一次成功登录后有 %d 次失败的登录尝试。" +msgstr "最后一次成功登录后有 %d 次失败的登录尝试。" - #: modules/pam_limits/pam_limits.c:1091 - #, c-format + #: modules/pam_limits/pam_limits.c:1088 + #, fuzzy, c-format -- -1.8.3.1 +2.23.0 diff --git a/pam-1.2.1-faillock-admin-group.patch b/pam-1.2.1-faillock-admin-group.patch deleted file mode 100644 index 8bd13841ef141bec841d1fce34c03f93cb6466ea..0000000000000000000000000000000000000000 --- a/pam-1.2.1-faillock-admin-group.patch +++ /dev/null @@ -1,133 +0,0 @@ -diff -up Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c.admin-group Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c ---- Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c.admin-group 2016-04-04 16:37:38.696260359 +0200 -+++ Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.c 2017-08-21 16:40:01.624706864 +0200 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2010 Tomas Mraz -+ * Copyright (c) 2010, 2017 Tomas Mraz - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions -@@ -78,9 +78,11 @@ struct options { - unsigned int root_unlock_time; - const char *dir; - const char *user; -+ const char *admin_group; - int failures; - uint64_t latest_time; - uid_t uid; -+ int is_admin; - uint64_t now; - }; - -@@ -152,6 +154,9 @@ args_parse(pam_handle_t *pamh, int argc, - opts->root_unlock_time = temp; - } - } -+ else if (strncmp(argv[i], "admin_group=", 12) == 0) { -+ opts->admin_group = argv[i] + 12; -+ } - else if (strcmp(argv[i], "preauth") == 0) { - opts->action = FAILLOCK_ACTION_PREAUTH; - } -@@ -209,6 +214,17 @@ static int get_pam_user(pam_handle_t *pa - } - opts->user = user; - opts->uid = pwd->pw_uid; -+ -+ if (pwd->pw_uid == 0) { -+ opts->is_admin = 1; -+ return PAM_SUCCESS; -+ } -+ -+ if (opts->admin_group && *opts->admin_group) { -+ opts->is_admin = pam_modutil_user_in_group_uid_nam(pamh, -+ pwd->pw_uid, opts->admin_group); -+ } -+ - return PAM_SUCCESS; - } - -@@ -239,7 +255,7 @@ check_tally(pam_handle_t *pamh, struct o - return PAM_SYSTEM_ERR; - } - -- if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { -+ if (opts->is_admin && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { - return PAM_SUCCESS; - } - -@@ -262,13 +278,9 @@ check_tally(pam_handle_t *pamh, struct o - - opts->failures = failures; - -- if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { -- return PAM_SUCCESS; -- } -- - if (opts->deny && failures >= opts->deny) { -- if ((opts->uid && opts->unlock_time && latest_time + opts->unlock_time < opts->now) || -- (!opts->uid && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) { -+ if ((!opts->is_admin && opts->unlock_time && latest_time + opts->unlock_time < opts->now) || -+ (opts->is_admin && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) { - #ifdef HAVE_LIBAUDIT - if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */ - char buf[64]; -@@ -401,7 +413,7 @@ write_tally(pam_handle_t *pamh, struct o - audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf, - NULL, NULL, NULL, 1); - -- if (opts->uid != 0 || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { -+ if (!opts->is_admin || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { - audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf, - NULL, NULL, NULL, 1); - } -@@ -425,11 +437,11 @@ faillock_message(pam_handle_t *pamh, str - int64_t left; - - if (!(opts->flags & FAILLOCK_FLAG_SILENT)) { -- if (opts->uid) { -- left = opts->latest_time + opts->unlock_time - opts->now; -+ if (opts->is_admin) { -+ left = opts->latest_time + opts->root_unlock_time - opts->now; - } - else { -- left = opts->latest_time + opts->root_unlock_time - opts->now; -+ left = opts->latest_time + opts->unlock_time - opts->now; - } - - if (left > 0) { -diff -up Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml.admin-group Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml ---- Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml.admin-group 2016-05-06 15:24:10.328281818 +0200 -+++ Linux-PAM-1.3.0/modules/pam_faillock/pam_faillock.8.xml 2017-08-21 16:16:09.448033843 +0200 -@@ -40,6 +40,9 @@ - root_unlock_time=n - - -+ admin_group=name -+ -+ - audit - - -@@ -243,6 +246,20 @@ - - - -+ -+ -+ -+ -+ -+ -+ If a group name is specified with this option, members -+ of the group will be handled by this module the same as -+ the root account (the options -+ and will apply to them. -+ By default the option is not set. -+ -+ -+ - - - diff --git a/pam-1.2.1-faillock.patch b/pam-1.2.1-faillock.patch deleted file mode 100644 index c173702457bf37ed8c3e5f59c217340b1df6a261..0000000000000000000000000000000000000000 --- a/pam-1.2.1-faillock.patch +++ /dev/null @@ -1,1767 +0,0 @@ -From: openEuler Buildteam -Date: Sat, 14 Sep 2019 18:35:39 +0800 -Subject: [PATCH] add faillock module - ---- - configure.ac | 2 +- - modules/Makefile.am | 2 +- - modules/pam_faillock/Makefile.am | 44 ++ - modules/pam_faillock/README.xml | 46 ++ - modules/pam_faillock/faillock.8.xml | 123 +++++ - modules/pam_faillock/faillock.c | 158 +++++++ - modules/pam_faillock/faillock.h | 73 +++ - modules/pam_faillock/main.c | 232 ++++++++++ - modules/pam_faillock/pam_faillock.8.xml | 408 +++++++++++++++++ - modules/pam_faillock/pam_faillock.c | 571 ++++++++++++++++++++++++ - modules/pam_faillock/tst-pam_faillock | 2 + - 11 files changed, 1659 insertions(+), 2 deletions(-) - create mode 100644 modules/pam_faillock/Makefile.am - create mode 100644 modules/pam_faillock/README.xml - create mode 100644 modules/pam_faillock/faillock.8.xml - create mode 100644 modules/pam_faillock/faillock.c - create mode 100644 modules/pam_faillock/faillock.h - create mode 100644 modules/pam_faillock/main.c - create mode 100644 modules/pam_faillock/pam_faillock.8.xml - create mode 100644 modules/pam_faillock/pam_faillock.c - create mode 100755 modules/pam_faillock/tst-pam_faillock - -diff --git a/configure.ac b/configure.ac -index 3012ceb..d537907 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -614,7 +614,7 @@ AC_CONFIG_FILES([Makefile libpam/Makefile libpamc/Makefile libpamc/test/Makefile - modules/pam_access/Makefile modules/pam_cracklib/Makefile \ - modules/pam_debug/Makefile modules/pam_deny/Makefile \ - modules/pam_echo/Makefile modules/pam_env/Makefile \ -- modules/pam_faildelay/Makefile \ -+ modules/pam_faildelay/Makefile modules/pam_faillock/Makefile \ - modules/pam_filter/Makefile modules/pam_filter/upperLOWER/Makefile \ - modules/pam_ftp/Makefile modules/pam_group/Makefile \ - modules/pam_issue/Makefile modules/pam_keyinit/Makefile \ -diff --git a/modules/Makefile.am b/modules/Makefile.am -index 4847759..adcc641 100644 ---- a/modules/Makefile.am -+++ b/modules/Makefile.am -@@ -10,7 +10,7 @@ SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \ - pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \ - pam_selinux pam_sepermit pam_shells pam_stress \ - pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \ -- pam_tty_audit pam_umask \ -+ pam_tty_audit pam_umask pam_faillock \ - pam_unix pam_userdb pam_warn pam_wheel pam_xauth - - CLEANFILES = *~ -diff --git a/modules/pam_faillock/Makefile.am b/modules/pam_faillock/Makefile.am -new file mode 100644 -index 0000000..dcca280 ---- /dev/null -+++ b/modules/pam_faillock/Makefile.am -@@ -0,0 +1,44 @@ -+# -+# Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk -+# Copyright (c) 2008 Red Hat, Inc. -+# Copyright (c) 2010 Tomas Mraz -+# -+ -+CLEANFILES = *~ -+MAINTAINERCLEANFILES = $(MANS) README -+ -+EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_faillock -+ -+man_MANS = pam_faillock.8 faillock.8 -+XMLS = README.xml pam_faillock.8.xml faillock.8.xml -+ -+TESTS = tst-pam_faillock -+ -+securelibdir = $(SECUREDIR) -+secureconfdir = $(SCONFIGDIR) -+ -+noinst_HEADERS = faillock.h -+ -+faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include @PIE_CFLAGS@ -+pam_faillock_la_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include -+ -+pam_faillock_la_LDFLAGS = -no-undefined -avoid-version -module -+pam_faillock_la_LIBADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT) -+if HAVE_VERSIONING -+ pam_faillock_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map -+endif -+ -+faillock_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@ -+faillock_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT) -+ -+securelib_LTLIBRARIES = pam_faillock.la -+sbin_PROGRAMS = faillock -+ -+pam_faillock_la_SOURCES = pam_faillock.c faillock.c -+faillock_SOURCES = main.c faillock.c -+ -+if ENABLE_REGENERATE_MAN -+noinst_DATA = README -+README: pam_faillock.8.xml -+-include $(top_srcdir)/Make.xml.rules -+endif -diff --git a/modules/pam_faillock/README.xml b/modules/pam_faillock/README.xml -new file mode 100644 -index 0000000..f0654db ---- /dev/null -+++ b/modules/pam_faillock/README.xml -@@ -0,0 +1,46 @@ -+ -+ -+--> -+]> -+ -+
-+ -+ -+ -+ -+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" -+ href="pam_faillock.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_faillock-name"]/*)'/> -+ -+ -+ -+ -+
-+ -+
-+ -+
-+ -+
-+ -+
-+ -+
-+ -+
-+ -+
-+ -+
-+ -+
-+ -+
-diff --git a/modules/pam_faillock/faillock.8.xml b/modules/pam_faillock/faillock.8.xml -new file mode 100644 -index 0000000..10942d5 ---- /dev/null -+++ b/modules/pam_faillock/faillock.8.xml -@@ -0,0 +1,123 @@ -+ -+ -+ -+ -+ -+ -+ faillock -+ 8 -+ Linux-PAM Manual -+ -+ -+ -+ faillock -+ Tool for displaying and modifying the authentication failure record files -+ -+ -+ -+ -+ faillock -+ -+ --dir /path/to/tally-directory -+ -+ -+ --user username -+ -+ -+ --reset -+ -+ -+ -+ -+ -+ -+ DESCRIPTION -+ -+ -+ The pam_faillock.so module maintains a list of -+ failed authentication attempts per user during a specified interval -+ and locks the account in case there were more than -+ deny consecutive failed authentications. -+ It stores the failure records into per-user files in the tally -+ directory. -+ -+ -+ The faillock command is an application which -+ can be used to examine and modify the contents of the -+ the tally files. It can display the recent failed authentication -+ attempts of the username or clear the tally -+ files of all or individual usernames. -+ -+ -+ -+ -+ -+ OPTIONS -+ -+ -+ -+ -+ -+ -+ -+ The directory where the user files with the failure records are kept. The -+ default is /var/run/faillock. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ The user whose failure records should be displayed or cleared. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ Instead of displaying the user's failure records, clear them. -+ -+ -+ -+ -+ -+ -+ -+ FILES -+ -+ -+ /var/run/faillock/* -+ -+ the files logging the authentication failures for users -+ -+ -+ -+ -+ -+ -+ SEE ALSO -+ -+ -+ pam_faillock8 -+ , -+ -+ pam8 -+ -+ -+ -+ -+ -+ AUTHOR -+ -+ faillock was written by Tomas Mraz. -+ -+ -+ -+ -diff --git a/modules/pam_faillock/faillock.c b/modules/pam_faillock/faillock.c -new file mode 100644 -index 0000000..94de18f ---- /dev/null -+++ b/modules/pam_faillock/faillock.c -@@ -0,0 +1,158 @@ -+/* -+ * Copyright (c) 2010 Tomas Mraz -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, and the entire permission notice in its entirety, -+ * including the disclaimer of warranties. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. The name of the author may not be used to endorse or promote -+ * products derived from this software without specific prior -+ * written permission. -+ * -+ * ALTERNATIVELY, this product may be distributed under the terms of -+ * the GNU Public License, in which case the provisions of the GPL are -+ * required INSTEAD OF the above restrictions. (This clause is -+ * necessary due to a potential bad interaction between the GPL and -+ * the restrictions contained in a BSD-style copyright.) -+ * -+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED -+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, -+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+#include "config.h" -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include "faillock.h" -+ -+int -+open_tally (const char *dir, const char *user, uid_t uid, int create) -+{ -+ char *path; -+ int flags = O_RDWR; -+ int fd; -+ -+ if (strstr(user, "../") != NULL) -+ /* just a defensive programming as the user must be a -+ * valid user on the system anyway -+ */ -+ return -1; -+ path = malloc(strlen(dir) + strlen(user) + 2); -+ if (path == NULL) -+ return -1; -+ -+ strcpy(path, dir); -+ if (*dir && dir[strlen(dir) - 1] != '/') { -+ strcat(path, "/"); -+ } -+ strcat(path, user); -+ -+ if (create) { -+ flags |= O_CREAT; -+ } -+ -+ fd = open(path, flags, 0600); -+ -+ free(path); -+ -+ if (fd != -1) { -+ struct stat st; -+ -+ while (flock(fd, LOCK_EX) == -1 && errno == EINTR); -+ if (fstat(fd, &st) == 0) { -+ if (st.st_uid != uid) { -+ fchown(fd, uid, -1); -+ } -+ } -+ } -+ -+ return fd; -+} -+ -+#define CHUNK_SIZE (64 * sizeof(struct tally)) -+#define MAX_RECORDS 1024 -+ -+int -+read_tally(int fd, struct tally_data *tallies) -+{ -+ void *data = NULL, *newdata; -+ unsigned int count = 0; -+ ssize_t chunk = 0; -+ -+ do { -+ newdata = realloc(data, count * sizeof(struct tally) + CHUNK_SIZE); -+ if (newdata == NULL) { -+ free(data); -+ return -1; -+ } -+ -+ data = newdata; -+ -+ chunk = pam_modutil_read(fd, (char *)data + count * sizeof(struct tally), CHUNK_SIZE); -+ if (chunk < 0) { -+ free(data); -+ return -1; -+ } -+ -+ count += chunk/sizeof(struct tally); -+ -+ if (count >= MAX_RECORDS) -+ break; -+ } -+ while (chunk == CHUNK_SIZE); -+ -+ tallies->records = data; -+ tallies->count = count; -+ -+ return 0; -+} -+ -+int -+update_tally(int fd, struct tally_data *tallies) -+{ -+ void *data = tallies->records; -+ unsigned int count = tallies->count; -+ ssize_t chunk; -+ -+ if (tallies->count > MAX_RECORDS) { -+ data = tallies->records + (count - MAX_RECORDS); -+ count = MAX_RECORDS; -+ } -+ -+ if (lseek(fd, 0, SEEK_SET) == (off_t)-1) { -+ return -1; -+ } -+ -+ chunk = pam_modutil_write(fd, data, count * sizeof(struct tally)); -+ -+ if (chunk != (ssize_t)(count * sizeof(struct tally))) { -+ return -1; -+ } -+ -+ if (ftruncate(fd, count * sizeof(struct tally)) == -1) -+ return -1; -+ -+ return 0; -+} -diff --git a/modules/pam_faillock/faillock.h b/modules/pam_faillock/faillock.h -new file mode 100644 -index 0000000..3b732a8 ---- /dev/null -+++ b/modules/pam_faillock/faillock.h -@@ -0,0 +1,73 @@ -+/* -+ * Copyright (c) 2010 Tomas Mraz -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, and the entire permission notice in its entirety, -+ * including the disclaimer of warranties. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. The name of the author may not be used to endorse or promote -+ * products derived from this software without specific prior -+ * written permission. -+ * -+ * ALTERNATIVELY, this product may be distributed under the terms of -+ * the GNU Public License, in which case the provisions of the GPL are -+ * required INSTEAD OF the above restrictions. (This clause is -+ * necessary due to a potential bad interaction between the GPL and -+ * the restrictions contained in a BSD-style copyright.) -+ * -+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED -+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, -+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+/* -+ * faillock.h - authentication failure data file record structure -+ * -+ * Each record in the file represents an instance of login failure of -+ * the user at the recorded time -+ */ -+ -+ -+#ifndef _FAILLOCK_H -+#define _FAILLOCK_H -+ -+#include -+#include -+ -+#define TALLY_STATUS_VALID 0x1 /* the tally file entry is valid */ -+#define TALLY_STATUS_RHOST 0x2 /* the source is rhost */ -+#define TALLY_STATUS_TTY 0x4 /* the source is tty - if both TALLY_FLAG_RHOST and TALLY_FLAG_TTY are not set the source is service */ -+ -+struct tally { -+ char source[52]; /* rhost or tty of the login failure (not necessarily NULL terminated) */ -+ uint16_t reserved; /* reserved for future use */ -+ uint16_t status; /* record status */ -+ uint64_t time; /* time of the login failure */ -+}; -+/* 64 bytes per entry */ -+ -+struct tally_data { -+ struct tally *records; /* array of tallies */ -+ unsigned int count; /* number of records */ -+}; -+ -+#define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock" -+ -+int open_tally(const char *dir, const char *user, uid_t uid, int create); -+int read_tally(int fd, struct tally_data *tallies); -+int update_tally(int fd, struct tally_data *tallies); -+#endif -+ -diff --git a/modules/pam_faillock/main.c b/modules/pam_faillock/main.c -new file mode 100644 -index 0000000..e83d7d5 ---- /dev/null -+++ b/modules/pam_faillock/main.c -@@ -0,0 +1,232 @@ -+/* -+ * Copyright (c) 2010 Tomas Mraz -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, and the entire permission notice in its entirety, -+ * including the disclaimer of warranties. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. The name of the author may not be used to endorse or promote -+ * products derived from this software without specific prior -+ * written permission. -+ * -+ * ALTERNATIVELY, this product may be distributed under the terms of -+ * the GNU Public License, in which case the provisions of the GPL are -+ * required INSTEAD OF the above restrictions. (This clause is -+ * necessary due to a potential bad interaction between the GPL and -+ * the restrictions contained in a BSD-style copyright.) -+ * -+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED -+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, -+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+#include "config.h" -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#ifdef HAVE_LIBAUDIT -+#include -+#endif -+ -+#include "faillock.h" -+ -+struct options { -+ unsigned int reset; -+ const char *dir; -+ const char *user; -+ const char *progname; -+}; -+ -+static int -+args_parse(int argc, char **argv, struct options *opts) -+{ -+ int i; -+ memset(opts, 0, sizeof(*opts)); -+ -+ opts->dir = FAILLOCK_DEFAULT_TALLYDIR; -+ opts->progname = argv[0]; -+ -+ for (i = 1; i < argc; ++i) { -+ -+ if (strcmp(argv[i], "--dir") == 0) { -+ ++i; -+ if (i >= argc || strlen(argv[i]) == 0) { -+ fprintf(stderr, "%s: No directory supplied.\n", argv[0]); -+ return -1; -+ } -+ opts->dir = argv[i]; -+ } -+ else if (strcmp(argv[i], "--user") == 0) { -+ ++i; -+ if (i >= argc || strlen(argv[i]) == 0) { -+ fprintf(stderr, "%s: No user name supplied.\n", argv[0]); -+ return -1; -+ } -+ opts->user = argv[i]; -+ } -+ else if (strcmp(argv[i], "--reset") == 0) { -+ opts->reset = 1; -+ } -+ else { -+ fprintf(stderr, "%s: Unknown option: %s\n", argv[0], argv[i]); -+ return -1; -+ } -+ } -+ return 0; -+} -+ -+static void -+usage(const char *progname) -+{ -+ fprintf(stderr, _("Usage: %s [--dir /path/to/tally-directory] [--user username] [--reset]\n"), -+ progname); -+} -+ -+static int -+do_user(struct options *opts, const char *user) -+{ -+ int fd; -+ int rv; -+ struct tally_data tallies; -+ struct passwd *pwd; -+ -+ pwd = getpwnam(user); -+ -+ fd = open_tally(opts->dir, user, pwd != NULL ? pwd->pw_uid : 0, 0); -+ -+ if (fd == -1) { -+ if (errno == ENOENT) { -+ return 0; -+ } -+ else { -+ fprintf(stderr, "%s: Error opening the tally file for %s:", -+ opts->progname, user); -+ perror(NULL); -+ return 3; -+ } -+ } -+ if (opts->reset) { -+#ifdef HAVE_LIBAUDIT -+ int audit_fd; -+#endif -+ -+ while ((rv=ftruncate(fd, 0)) == -1 && errno == EINTR); -+ if (rv == -1) { -+ fprintf(stderr, "%s: Error clearing the tally file for %s:", -+ opts->progname, user); -+ perror(NULL); -+#ifdef HAVE_LIBAUDIT -+ } -+ if ((audit_fd=audit_open()) >= 0) { -+ -+ if (pwd != NULL) { -+ audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL, -+ "faillock-reset", NULL, pwd->pw_uid, NULL, NULL, NULL, rv == 0); -+ } -+ close(audit_fd); -+ } -+ if (rv == -1) { -+#endif -+ close(fd); -+ return 4; -+ } -+ } -+ else { -+ unsigned int i; -+ -+ memset(&tallies, 0, sizeof(tallies)); -+ if ((rv=read_tally(fd, &tallies)) == -1) { -+ fprintf(stderr, "%s: Error reading the tally file for %s:", -+ opts->progname, user); -+ perror(NULL); -+ close(fd); -+ return 5; -+ } -+ -+ printf("%s:\n", user); -+ printf("%-19s %-5s %-48s %-5s\n", "When", "Type", "Source", "Valid"); -+ -+ for (i = 0; i < tallies.count; i++) { -+ struct tm *tm; -+ char timebuf[80]; -+ uint16_t status = tallies.records[i].status; -+ time_t when = tallies.records[i].time; -+ -+ tm = localtime(&when); -+ strftime(timebuf, sizeof(timebuf), "%Y-%m-%d %H:%M:%S", tm); -+ printf("%-19s %-5s %-52.52s %s\n", timebuf, -+ status & TALLY_STATUS_RHOST ? "RHOST" : (status & TALLY_STATUS_TTY ? "TTY" : "SVC"), -+ tallies.records[i].source, status & TALLY_STATUS_VALID ? "V":"I"); -+ } -+ free(tallies.records); -+ } -+ close(fd); -+ return 0; -+} -+ -+static int -+do_allusers(struct options *opts) -+{ -+ struct dirent **userlist; -+ int rv, i; -+ -+ rv = scandir(opts->dir, &userlist, NULL, alphasort); -+ if (rv < 0) { -+ fprintf(stderr, "%s: Error reading tally directory: ", opts->progname); -+ perror(NULL); -+ return 2; -+ } -+ -+ for (i = 0; i < rv; i++) { -+ if (userlist[i]->d_name[0] == '.') { -+ if ((userlist[i]->d_name[1] == '.' && userlist[i]->d_name[2] == '\0') || -+ userlist[i]->d_name[1] == '\0') -+ continue; -+ } -+ do_user(opts, userlist[i]->d_name); -+ free(userlist[i]); -+ } -+ free(userlist); -+ -+ return 0; -+} -+ -+ -+/*-----------------------------------------------------------------------*/ -+int -+main (int argc, char *argv[]) -+{ -+ struct options opts; -+ -+ if (args_parse(argc, argv, &opts)) { -+ usage(argv[0]); -+ return 1; -+ } -+ -+ if (opts.user == NULL) { -+ return do_allusers(&opts); -+ } -+ -+ return do_user(&opts, opts.user); -+} -+ -diff --git a/modules/pam_faillock/pam_faillock.8.xml b/modules/pam_faillock/pam_faillock.8.xml -new file mode 100644 -index 0000000..3ba6dd6 ---- /dev/null -+++ b/modules/pam_faillock/pam_faillock.8.xml -@@ -0,0 +1,408 @@ -+ -+ -+ -+ -+ -+ -+ pam_faillock -+ 8 -+ Linux-PAM Manual -+ -+ -+ -+ pam_faillock -+ Module counting authentication failures during a specified interval -+ -+ -+ -+ -+ auth ... pam_faillock.so -+ -+ preauth|authfail|authsucc -+ -+ -+ dir=/path/to/tally-directory -+ -+ -+ even_deny_root -+ -+ -+ deny=n -+ -+ -+ fail_interval=n -+ -+ -+ unlock_time=n -+ -+ -+ root_unlock_time=n -+ -+ -+ audit -+ -+ -+ silent -+ -+ -+ no_log_info -+ -+ -+ -+ account ... pam_faillock.so -+ -+ dir=/path/to/tally-directory -+ -+ -+ no_log_info -+ -+ -+ -+ -+ -+ -+ DESCRIPTION -+ -+ -+ This module maintains a list of failed authentication attempts per -+ user during a specified interval and locks the account in case -+ there were more than deny consecutive -+ failed authentications. -+ -+ -+ Normally, failed attempts to authenticate root will -+ not cause the root account to become -+ blocked, to prevent denial-of-service: if your users aren't given -+ shell accounts and root may only login via su or -+ at the machine console (not telnet/rsh, etc), this is safe. -+ -+ -+ -+ -+ -+ OPTIONS -+ -+ -+ -+ -+ -+ -+ -+ This argument must be set accordingly to the position of this module -+ instance in the PAM stack. -+ -+ -+ The preauth argument must be used when the module -+ is called before the modules which ask for the user credentials such -+ as the password. The module just examines whether the user should -+ be blocked from accessing the service in case there were anomalous -+ number of failed consecutive authentication attempts recently. This -+ call is optional if authsucc is used. -+ -+ -+ The authfail argument must be used when the module -+ is called after the modules which determine the authentication outcome, -+ failed. Unless the user is already blocked due to previous authentication -+ failures, the module will record the failure into the appropriate user -+ tally file. -+ -+ -+ The authsucc argument must be used when the module -+ is called after the modules which determine the authentication outcome, -+ succeded. Unless the user is already blocked due to previous authentication -+ failures, the module will then clear the record of the failures in the -+ respective user tally file. Otherwise it will return authentication error. -+ If this call is not done, the pam_faillock will not distinguish between -+ consecutive and non-consecutive failed authentication attempts. The -+ preauth call must be used in such case. Due to -+ complications in the way the PAM stack can be configured it is also -+ possible to call pam_faillock as an account module. -+ In such configuration the module must be also called in the -+ preauth stage. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ The directory where the user files with the failure records are kept. The -+ default is /var/run/faillock. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ Will log the user name into the system log if the user is not found. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ Don't print informative messages. This option is implicite -+ in the authfail and authsucc -+ functions. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ Don't log informative messages via syslog3. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ Deny access if the number of consecutive authentication failures -+ for this user during the recent interval exceeds -+ n. The default is 3. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ The length of the interval during which the consecutive -+ authentication failures must happen for the user account -+ lock out is n seconds. -+ The default is 900 (15 minutes). -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ The access will be reenabled after -+ n seconds after the lock out. -+ The value 0 has the same meaning as value -+ never - the access -+ will not be reenabled without resetting the faillock -+ entries by the faillock8 command. -+ The default is 600 (10 minutes). -+ -+ -+ Note that the default directory that pam_faillock -+ uses is usually cleared on system boot so the access will be also reenabled -+ after system reboot. If that is undesirable a different tally directory -+ must be set with the option. -+ -+ -+ Also note that it is usually undesirable to permanently lock -+ out the users as they can become easily a target of denial of service -+ attack unless the usernames are random and kept secret to potential -+ attackers. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ Root account can become locked as well as regular accounts. -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ This option implies option. -+ Allow access after n seconds -+ to root account after the account is locked. In case the -+ option is not specified the value is the same as of the -+ option. -+ -+ -+ -+ -+ -+ -+ -+ MODULE TYPES PROVIDED -+ -+ The and module types are -+ provided. -+ -+ -+ -+ -+ RETURN VALUES -+ -+ -+ PAM_AUTH_ERR -+ -+ -+ A invalid option was given, the module was not able -+ to retrieve the user name, no valid counter file -+ was found, or too many failed logins. -+ -+ -+ -+ -+ PAM_SUCCESS -+ -+ -+ Everything was successful. -+ -+ -+ -+ -+ PAM_IGNORE -+ -+ -+ User not present in passwd database. -+ -+ -+ -+ -+ -+ -+ -+ NOTES -+ -+ pam_faillock setup in the PAM stack is different -+ from the pam_tally2 module setup. -+ -+ -+ The individual files with the failure records are created as owned by -+ the user. This allows pam_faillock.so module -+ to work correctly when it is called from a screensaver. -+ -+ -+ Note that using the module in without the -+ option or with requisite -+ control field leaks an information about existence or -+ non-existence of an user account in the system because -+ the failures are not recorded for the unknown users. The message -+ about the user account being locked is never displayed for nonexisting -+ user accounts allowing the adversary to infer that a particular account -+ is not existing on a system. -+ -+ -+ -+ -+ EXAMPLES -+ -+ Here are two possible configuration examples for /etc/pam.d/login. -+ They make pam_faillock to lock the account after 4 consecutive -+ failed logins during the default interval of 15 minutes. Root account will be locked -+ as well. The accounts will be automatically unlocked after 20 minutes. -+ -+ -+ In the first example the module is called only in the auth -+ phase and the module does not print any information about the account blocking -+ by pam_faillock. The preauth call can -+ be added to tell the user that his login is blocked by the module and also to abort -+ the authentication without even asking for password in such case. -+ -+ -+auth required pam_securetty.so -+auth required pam_env.so -+auth required pam_nologin.so -+# optionally call: auth requisite pam_faillock.so preauth deny=4 even_deny_root unlock_time=1200 -+# to display the message about account being locked -+auth [success=1 default=bad] pam_unix.so -+auth [default=die] pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200 -+auth sufficient pam_faillock.so authsucc deny=4 even_deny_root unlock_time=1200 -+auth required pam_deny.so -+account required pam_unix.so -+password required pam_unix.so shadow -+session required pam_selinux.so close -+session required pam_loginuid.so -+session required pam_unix.so -+session required pam_selinux.so open -+ -+ -+ In the second example the module is called both in the auth -+ and account phases and the module gives the authenticating -+ user message when the account is locked -+ -+ -+auth required pam_securetty.so -+auth required pam_env.so -+auth required pam_nologin.so -+auth required pam_faillock.so preauth silent deny=4 even_deny_root unlock_time=1200 -+# optionally use requisite above if you do not want to prompt for the password -+# on locked accounts, possibly with removing the silent option as well -+auth sufficient pam_unix.so -+auth [default=die] pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200 -+auth required pam_deny.so -+account required pam_faillock.so -+# if you drop the above call to pam_faillock.so the lock will be done also -+# on non-consecutive authentication failures -+account required pam_unix.so -+password required pam_unix.so shadow -+session required pam_selinux.so close -+session required pam_loginuid.so -+session required pam_unix.so -+session required pam_selinux.so open -+ -+ -+ -+ -+ FILES -+ -+ -+ /var/run/faillock/* -+ -+ the files logging the authentication failures for users -+ -+ -+ -+ -+ -+ -+ SEE ALSO -+ -+ -+ faillock8 -+ , -+ -+ pam.conf5 -+ , -+ -+ pam.d5 -+ , -+ -+ pam8 -+ -+ -+ -+ -+ -+ AUTHOR -+ -+ pam_faillock was written by Tomas Mraz. -+ -+ -+ -+ -diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c -new file mode 100644 -index 0000000..5fe9a04 ---- /dev/null -+++ b/modules/pam_faillock/pam_faillock.c -@@ -0,0 +1,571 @@ -+/* -+ * Copyright (c) 2010 Tomas Mraz -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, and the entire permission notice in its entirety, -+ * including the disclaimer of warranties. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. The name of the author may not be used to endorse or promote -+ * products derived from this software without specific prior -+ * written permission. -+ * -+ * ALTERNATIVELY, this product may be distributed under the terms of -+ * the GNU Public License, in which case the provisions of the GPL are -+ * required INSTEAD OF the above restrictions. (This clause is -+ * necessary due to a potential bad interaction between the GPL and -+ * the restrictions contained in a BSD-style copyright.) -+ * -+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED -+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, -+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+#include "config.h" -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#ifdef HAVE_LIBAUDIT -+#include -+#endif -+ -+#include -+#include -+#include -+ -+#include "faillock.h" -+ -+#define PAM_SM_AUTH -+#define PAM_SM_ACCOUNT -+ -+#define FAILLOCK_ACTION_PREAUTH 0 -+#define FAILLOCK_ACTION_AUTHSUCC 1 -+#define FAILLOCK_ACTION_AUTHFAIL 2 -+ -+#define FAILLOCK_FLAG_DENY_ROOT 0x1 -+#define FAILLOCK_FLAG_AUDIT 0x2 -+#define FAILLOCK_FLAG_SILENT 0x4 -+#define FAILLOCK_FLAG_NO_LOG_INFO 0x8 -+#define FAILLOCK_FLAG_UNLOCKED 0x10 -+ -+#define MAX_TIME_INTERVAL 604800 /* 7 days */ -+ -+struct options { -+ unsigned int action; -+ unsigned int flags; -+ unsigned short deny; -+ unsigned int fail_interval; -+ unsigned int unlock_time; -+ unsigned int root_unlock_time; -+ const char *dir; -+ const char *user; -+ int failures; -+ uint64_t latest_time; -+ uid_t uid; -+ uint64_t now; -+}; -+ -+static void -+args_parse(pam_handle_t *pamh, int argc, const char **argv, -+ int flags, struct options *opts) -+{ -+ int i; -+ memset(opts, 0, sizeof(*opts)); -+ -+ opts->dir = FAILLOCK_DEFAULT_TALLYDIR; -+ opts->deny = 3; -+ opts->fail_interval = 900; -+ opts->unlock_time = 600; -+ opts->root_unlock_time = MAX_TIME_INTERVAL+1; -+ -+ for (i = 0; i < argc; ++i) { -+ -+ if (strncmp(argv[i], "dir=", 4) == 0) { -+ if (argv[i][4] != '/') { -+ pam_syslog(pamh, LOG_ERR, -+ "Tally directory is not absolute path (%s); keeping default", argv[i]); -+ } else { -+ opts->dir = argv[i]+4; -+ } -+ } -+ else if (strncmp(argv[i], "deny=", 5) == 0) { -+ if (sscanf(argv[i]+5, "%hu", &opts->deny) != 1) { -+ pam_syslog(pamh, LOG_ERR, -+ "Bad number supplied for deny argument"); -+ } -+ } -+ else if (strncmp(argv[i], "fail_interval=", 14) == 0) { -+ unsigned int temp; -+ if (sscanf(argv[i]+14, "%u", &temp) != 1 || -+ temp > MAX_TIME_INTERVAL) { -+ pam_syslog(pamh, LOG_ERR, -+ "Bad number supplied for fail_interval argument"); -+ } else { -+ opts->fail_interval = temp; -+ } -+ } -+ else if (strncmp(argv[i], "unlock_time=", 12) == 0) { -+ unsigned int temp; -+ -+ if (strcmp(argv[i]+12, "never") == 0) { -+ opts->unlock_time = 0; -+ } -+ else if (sscanf(argv[i]+12, "%u", &temp) != 1 || -+ temp > MAX_TIME_INTERVAL) { -+ pam_syslog(pamh, LOG_ERR, -+ "Bad number supplied for unlock_time argument"); -+ } -+ else { -+ opts->unlock_time = temp; -+ } -+ } -+ else if (strncmp(argv[i], "root_unlock_time=", 17) == 0) { -+ unsigned int temp; -+ -+ if (strcmp(argv[i]+17, "never") == 0) { -+ opts->root_unlock_time = 0; -+ } -+ else if (sscanf(argv[i]+17, "%u", &temp) != 1 || -+ temp > MAX_TIME_INTERVAL) { -+ pam_syslog(pamh, LOG_ERR, -+ "Bad number supplied for root_unlock_time argument"); -+ } else { -+ opts->root_unlock_time = temp; -+ } -+ } -+ else if (strcmp(argv[i], "preauth") == 0) { -+ opts->action = FAILLOCK_ACTION_PREAUTH; -+ } -+ else if (strcmp(argv[i], "authfail") == 0) { -+ opts->action = FAILLOCK_ACTION_AUTHFAIL; -+ } -+ else if (strcmp(argv[i], "authsucc") == 0) { -+ opts->action = FAILLOCK_ACTION_AUTHSUCC; -+ } -+ else if (strcmp(argv[i], "even_deny_root") == 0) { -+ opts->flags |= FAILLOCK_FLAG_DENY_ROOT; -+ } -+ else if (strcmp(argv[i], "audit") == 0) { -+ opts->flags |= FAILLOCK_FLAG_AUDIT; -+ } -+ else if (strcmp(argv[i], "silent") == 0) { -+ opts->flags |= FAILLOCK_FLAG_SILENT; -+ } -+ else if (strcmp(argv[i], "no_log_info") == 0) { -+ opts->flags |= FAILLOCK_FLAG_NO_LOG_INFO; -+ } -+ else { -+ pam_syslog(pamh, LOG_ERR, "Unknown option: %s", argv[i]); -+ } -+ } -+ -+ if (opts->root_unlock_time == MAX_TIME_INTERVAL+1) -+ opts->root_unlock_time = opts->unlock_time; -+ if (flags & PAM_SILENT) -+ opts->flags |= FAILLOCK_FLAG_SILENT; -+} -+ -+static int get_pam_user(pam_handle_t *pamh, struct options *opts) -+{ -+ const char *user; -+ int rv; -+ struct passwd *pwd; -+ -+ if ((rv=pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) { -+ return rv; -+ } -+ -+ if (*user == '\0') { -+ return PAM_IGNORE; -+ } -+ -+ if ((pwd=pam_modutil_getpwnam(pamh, user)) == NULL) { -+ if (opts->flags & FAILLOCK_FLAG_AUDIT) { -+ pam_syslog(pamh, LOG_ERR, "User unknown: %s", user); -+ } -+ else { -+ pam_syslog(pamh, LOG_ERR, "User unknown"); -+ } -+ return PAM_IGNORE; -+ } -+ opts->user = user; -+ opts->uid = pwd->pw_uid; -+ return PAM_SUCCESS; -+} -+ -+static int -+check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies, int *fd) -+{ -+ int tfd; -+ unsigned int i; -+ uint64_t latest_time; -+ int failures; -+ -+ opts->now = time(NULL); -+ -+ tfd = open_tally(opts->dir, opts->user, opts->uid, 0); -+ -+ *fd = tfd; -+ -+ if (tfd == -1) { -+ if (errno == EACCES || errno == ENOENT) { -+ return PAM_SUCCESS; -+ } -+ pam_syslog(pamh, LOG_ERR, "Error opening the tally file for %s: %m", opts->user); -+ return PAM_SYSTEM_ERR; -+ } -+ -+ if (read_tally(tfd, tallies) != 0) { -+ pam_syslog(pamh, LOG_ERR, "Error reading the tally file for %s: %m", opts->user); -+ return PAM_SYSTEM_ERR; -+ } -+ -+ if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { -+ return PAM_SUCCESS; -+ } -+ -+ latest_time = 0; -+ for(i = 0; i < tallies->count; i++) { -+ if ((tallies->records[i].status & TALLY_STATUS_VALID) && -+ tallies->records[i].time > latest_time) -+ latest_time = tallies->records[i].time; -+ } -+ -+ opts->latest_time = latest_time; -+ -+ failures = 0; -+ for(i = 0; i < tallies->count; i++) { -+ if ((tallies->records[i].status & TALLY_STATUS_VALID) && -+ latest_time - tallies->records[i].time < opts->fail_interval) { -+ ++failures; -+ } -+ } -+ -+ opts->failures = failures; -+ -+ if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { -+ return PAM_SUCCESS; -+ } -+ -+ if (opts->deny && failures >= opts->deny) { -+ if ((opts->uid && opts->unlock_time && latest_time + opts->unlock_time < opts->now) || -+ (!opts->uid && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) { -+#ifdef HAVE_LIBAUDIT -+ if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */ -+ char buf[64]; -+ int audit_fd; -+ const void *rhost = NULL, *tty = NULL; -+ -+ audit_fd = audit_open(); -+ /* If there is an error & audit support is in the kernel report error */ -+ if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT || -+ errno == EAFNOSUPPORT)) -+ return PAM_SYSTEM_ERR; -+ -+ (void)pam_get_item(pamh, PAM_TTY, &tty); -+ (void)pam_get_item(pamh, PAM_RHOST, &rhost); -+ snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid); -+ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf, -+ rhost, NULL, tty, 1); -+ } -+#endif -+ opts->flags |= FAILLOCK_FLAG_UNLOCKED; -+ return PAM_SUCCESS; -+ } -+ return PAM_AUTH_ERR; -+ } -+ return PAM_SUCCESS; -+} -+ -+static void -+reset_tally(pam_handle_t *pamh, struct options *opts, int *fd) -+{ -+ int rv; -+ -+ if (*fd == -1) { -+ *fd = open_tally(opts->dir, opts->user, opts->uid, 1); -+ } -+ else { -+ while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR); -+ if (rv == -1) { -+ pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user); -+ } -+ } -+} -+ -+static int -+write_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies, int *fd) -+{ -+ struct tally *records; -+ unsigned int i; -+ int failures; -+ unsigned int oldest; -+ uint64_t oldtime; -+ const void *source = NULL; -+ -+ if (*fd == -1) { -+ *fd = open_tally(opts->dir, opts->user, opts->uid, 1); -+ } -+ if (*fd == -1) { -+ if (errno == EACCES) { -+ return PAM_SUCCESS; -+ } -+ pam_syslog(pamh, LOG_ERR, "Error opening the tally file for %s: %m", opts->user); -+ return PAM_SYSTEM_ERR; -+ } -+ -+ oldtime = 0; -+ oldest = 0; -+ failures = 0; -+ -+ for (i = 0; i < tallies->count; ++i) { -+ if (tallies->records[i].time < oldtime) { -+ oldtime = tallies->records[i].time; -+ oldest = i; -+ } -+ if (opts->flags & FAILLOCK_FLAG_UNLOCKED || -+ opts->now - tallies->records[i].time >= opts->fail_interval ) { -+ tallies->records[i].status &= ~TALLY_STATUS_VALID; -+ } else { -+ ++failures; -+ } -+ } -+ -+ if (oldest >= tallies->count || (tallies->records[oldest].status & TALLY_STATUS_VALID)) { -+ oldest = tallies->count; -+ -+ if ((records=realloc(tallies->records, (oldest+1) * sizeof (*tallies->records))) == NULL) { -+ pam_syslog(pamh, LOG_CRIT, "Error allocating memory for tally records: %m"); -+ return PAM_BUF_ERR; -+ } -+ -+ ++tallies->count; -+ tallies->records = records; -+ } -+ -+ memset(&tallies->records[oldest], 0, sizeof (*tallies->records)); -+ -+ tallies->records[oldest].status = TALLY_STATUS_VALID; -+ if (pam_get_item(pamh, PAM_RHOST, &source) != PAM_SUCCESS || source == NULL) { -+ if (pam_get_item(pamh, PAM_TTY, &source) != PAM_SUCCESS || source == NULL) { -+ if (pam_get_item(pamh, PAM_SERVICE, &source) != PAM_SUCCESS || source == NULL) { -+ source = ""; -+ } -+ } -+ else { -+ tallies->records[oldest].status |= TALLY_STATUS_TTY; -+ } -+ } -+ else { -+ tallies->records[oldest].status |= TALLY_STATUS_RHOST; -+ } -+ -+ strncpy(tallies->records[oldest].source, source, sizeof(tallies->records[oldest].source)); -+ /* source does not have to be null terminated */ -+ -+ tallies->records[oldest].time = opts->now; -+ -+ ++failures; -+ -+ if (opts->deny && failures == opts->deny) { -+#ifdef HAVE_LIBAUDIT -+ char buf[64]; -+ int audit_fd; -+ -+ audit_fd = audit_open(); -+ /* If there is an error & audit support is in the kernel report error */ -+ if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT || -+ errno == EAFNOSUPPORT)) -+ return PAM_SYSTEM_ERR; -+ -+ snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid); -+ audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf, -+ NULL, NULL, NULL, 1); -+ -+ if (opts->uid != 0 || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) { -+ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf, -+ NULL, NULL, NULL, 1); -+ } -+ close(audit_fd); -+#endif -+ if (!(opts->flags & FAILLOCK_FLAG_NO_LOG_INFO)) { -+ pam_syslog(pamh, LOG_INFO, "Consecutive login failures for user %s account temporarily locked", -+ opts->user); -+ } -+ } -+ -+ if (update_tally(*fd, tallies) == 0) -+ return PAM_SUCCESS; -+ -+ return PAM_SYSTEM_ERR; -+} -+ -+static void -+faillock_message(pam_handle_t *pamh, struct options *opts) -+{ -+ int64_t left; -+ -+ if (!(opts->flags & FAILLOCK_FLAG_SILENT)) { -+ if (opts->uid) { -+ left = opts->latest_time + opts->unlock_time - opts->now; -+ } -+ else { -+ left = opts->latest_time + opts->root_unlock_time - opts->now; -+ } -+ -+ if (left > 0) { -+ left = (left + 59)/60; /* minutes */ -+ -+ pam_info(pamh, _("Account temporarily locked due to %d failed logins"), -+ opts->failures); -+ pam_info(pamh, _("(%d minutes left to unlock)"), (int)left); -+ } -+ else { -+ pam_info(pamh, _("Account locked due to %d failed logins"), -+ opts->failures); -+ } -+ } -+} -+ -+static void -+tally_cleanup(struct tally_data *tallies, int fd) -+{ -+ if (fd != -1) { -+ close(fd); -+ } -+ -+ free(tallies->records); -+} -+ -+/*---------------------------------------------------------------------*/ -+ -+PAM_EXTERN int -+pam_sm_authenticate(pam_handle_t *pamh, int flags, -+ int argc, const char **argv) -+{ -+ struct options opts; -+ int rv, fd = -1; -+ struct tally_data tallies; -+ -+ memset(&tallies, 0, sizeof(tallies)); -+ -+ args_parse(pamh, argc, argv, flags, &opts); -+ -+ pam_fail_delay(pamh, 2000000); /* 2 sec delay for on failure */ -+ -+ if ((rv=get_pam_user(pamh, &opts)) != PAM_SUCCESS) { -+ return rv; -+ } -+ -+ switch (opts.action) { -+ case FAILLOCK_ACTION_PREAUTH: -+ rv = check_tally(pamh, &opts, &tallies, &fd); -+ if (rv == PAM_AUTH_ERR && !(opts.flags & FAILLOCK_FLAG_SILENT)) { -+ faillock_message(pamh, &opts); -+ } -+ break; -+ -+ case FAILLOCK_ACTION_AUTHSUCC: -+ rv = check_tally(pamh, &opts, &tallies, &fd); -+ if (rv == PAM_SUCCESS) { -+ reset_tally(pamh, &opts, &fd); -+ } -+ break; -+ -+ case FAILLOCK_ACTION_AUTHFAIL: -+ rv = check_tally(pamh, &opts, &tallies, &fd); -+ if (rv == PAM_SUCCESS) { -+ rv = PAM_IGNORE; /* this return value should be ignored */ -+ write_tally(pamh, &opts, &tallies, &fd); -+ } -+ break; -+ } -+ -+ tally_cleanup(&tallies, fd); -+ -+ return rv; -+} -+ -+/*---------------------------------------------------------------------*/ -+ -+PAM_EXTERN int -+pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, -+ int argc UNUSED, const char **argv UNUSED) -+{ -+ return PAM_SUCCESS; -+} -+ -+/*---------------------------------------------------------------------*/ -+ -+PAM_EXTERN int -+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, -+ int argc, const char **argv) -+{ -+ struct options opts; -+ int rv, fd = -1; -+ struct tally_data tallies; -+ -+ memset(&tallies, 0, sizeof(tallies)); -+ -+ args_parse(pamh, argc, argv, flags, &opts); -+ -+ opts.action = FAILLOCK_ACTION_AUTHSUCC; -+ -+ if ((rv=get_pam_user(pamh, &opts)) != PAM_SUCCESS) { -+ return rv; -+ } -+ -+ check_tally(pamh, &opts, &tallies, &fd); /* for auditing */ -+ reset_tally(pamh, &opts, &fd); -+ -+ tally_cleanup(&tallies, fd); -+ -+ return PAM_SUCCESS; -+} -+ -+/*-----------------------------------------------------------------------*/ -+ -+#ifdef PAM_STATIC -+ -+/* static module data */ -+ -+struct pam_module _pam_faillock_modstruct = { -+ MODULE_NAME, -+#ifdef PAM_SM_AUTH -+ pam_sm_authenticate, -+ pam_sm_setcred, -+#else -+ NULL, -+ NULL, -+#endif -+#ifdef PAM_SM_ACCOUNT -+ pam_sm_acct_mgmt, -+#else -+ NULL, -+#endif -+ NULL, -+ NULL, -+ NULL, -+}; -+ -+#endif /* #ifdef PAM_STATIC */ -+ -diff --git a/modules/pam_faillock/tst-pam_faillock b/modules/pam_faillock/tst-pam_faillock -new file mode 100755 -index 0000000..ec454c2 ---- /dev/null -+++ b/modules/pam_faillock/tst-pam_faillock -@@ -0,0 +1,2 @@ -+#!/bin/sh -+../../tests/tst-dlopen .libs/pam_faillock.so --- -2.19.1 - diff --git a/pam.spec b/pam.spec index 195fd4840d078d28213b124ada3acab91c751f07..7f4e8f229b6b49e24b58a631f42c5b0437396ce2 100644 --- a/pam.spec +++ b/pam.spec @@ -3,8 +3,8 @@ %define _secconfdir %{_sysconfdir}/security %define _pamconfdir %{_sysconfdir}/pam.d Name: pam -Version: 1.3.1 -Release: 9 +Version: 1.4.0 +Release: 1 Summary: Pluggable Authentication Modules for Linux License: BSD and GPLv2+ URL: http://www.linux-pam.org/ @@ -18,12 +18,9 @@ Source15: pamtmp.conf Source16: postlogin.pamd Source18: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt -Patch0000: pam-1.2.1-faillock.patch -Patch0001: pam-1.2.1-faillock-admin-group.patch - -Patch0002: bugfix-pam-1.1.8-faillock-failmessages.patch -Patch0003: bugfix-pam-1.1.8-faillock-systemtime.patch -Patch0004: fix-login-message.patch +Patch0: bugfix-pam-1.1.8-faillock-failmessages.patch +Patch1: bugfix-pam-1.1.8-faillock-systemtime.patch +Patch2: fix-login-message.patch BuildRequires: autoconf automake libtool bison flex sed cracklib-devel BuildRequires: perl-interpreter pkgconfig gettext-devel libtirpc-devel libnsl2-devel @@ -61,7 +58,10 @@ autoreconf -i --libdir=%{_pamlibdir} \ --includedir=%{_includedir}/security \ --disable-static \ - --disable-prelude + --disable-prelude \ + --enable-cracklib \ + --enable-tally \ + --enable-tally2 make -C po update-gmo %make_build @@ -133,9 +133,11 @@ fi %{_sbindir}/pam_tally2 %{_sbindir}/faillock %{_sbindir}/mkhomedir_helper +%{_sbindir}/pam_namespace_helper %dir %{_moduledir} %{_moduledir}/pam*.so %{_moduledir}/pam_filter/ +%{_prefix}/lib/systemd/system/pam_namespace.service %dir %{_secconfdir} %config(noreplace) %{_secconfdir}/access.conf %config(noreplace) %{_secconfdir}/group.conf @@ -148,6 +150,7 @@ fi %config(noreplace) %{_secconfdir}/time.conf %config(noreplace) %{_secconfdir}/opasswd %config(noreplace) %{_secconfdir}/sepermit.conf +%config(noreplace) %{_secconfdir}/faillock.conf %dir /var/run/sepermit %ghost %verify(not md5 size mtime) /var/log/tallylog %dir /var/run/faillock @@ -168,6 +171,9 @@ fi %changelog +* Fri Aug 7 2020 luhuaxin - 1.4.0-1 +- update to 1.4.0 + * Wed Jun 17 2020 Liquor - 1.3.1-9 - fix login message diff --git a/pam.yaml b/pam.yaml new file mode 100644 index 0000000000000000000000000000000000000000..f243752c4d5d36e1b190d0917a5dc40bf8051ae8 --- /dev/null +++ b/pam.yaml @@ -0,0 +1,4 @@ +version_control: github +src_repo: linux-pam/linux-pamp +tag_prefix: ^v +seperator: .