Navigation

← Previous Changeset
Next Changeset →

Changeset 43

Timestamp:

05/22/07 14:36:33 (2 years ago)

Author:

csellers

Message:

basic working deny_interval support

Files:

trunk/RHEL5/pam_tally2/README (modified) (1 diff)
trunk/RHEL5/pam_tally2/pam_tally.c (modified) (4 diffs)
trunk/RHEL5/pam_tally2/pseudo.txt (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

trunk/RHEL5/pam_tally2/README

r37	r43
22	22	magic root.
23	23	* deny=n (Deny access if tally for this user exceeds n.)
	24
	25	* deny_interval=n (Only deny access if tally for this user
	26	exceeds limit within n second time interval. Requires
	27	deny=8 or less.)
24	28
25	29	* lock_time=n (Deny access for n seconds after every failed

trunk/RHEL5/pam_tally2/pam_tally.c

r41	r43
97	97	const char *filename;
98	98	tally_t deny;
	99	unsigned long deny_interval;
99	100	long lock_time;
100	101	long unlock_time;
…	…
200	201	log_phase_no_auth(pamh, phase, *argv);
201	202	if ( sscanf((*argv)+12,"%ld",&opts->unlock_time) != 1 ) {
	203	pam_syslog(pamh, LOG_ERR, "bad number supplied: %s", *argv);
	204	return PAM_AUTH_ERR;
	205	}
	206	}
	207	else if ( ! strncmp( *argv, "deny_interval=", 14 ) ) {
	208	log_phase_no_auth(pamh, phase, *argv);
	209	if ( sscanf((*argv)+14,"%ld",&opts->deny_interval) != 1 ) {
202	210	pam_syslog(pamh, LOG_ERR, "bad number supplied: %s", *argv);
203	211	return PAM_AUTH_ERR;
…	…
555	563	const void *remote_host = NULL;
556	564	int i, rv;
	565	uint16_t last_fail;
557	566
558	567	tally.fail_cnt = 0; /* !TALLY_HI --> Log opened for update */
…	…
565	574	}
566	575
	576	last_fail = (tally.fail_cnt>TALLYLOG_FAIL_TIME_COUNT) ?
	577	TALLYLOG_FAIL_TIME_COUNT-1 :
	578	tally.fail_cnt-1;
	579
567	580	/* to remember old fail time (for locktime) */
568	581	if (oldtime && tally.fail_cnt > 0) {
569		*oldtime = (time_t)tally.fail_time[
570		(tally.fail_cnt>TALLYLOG_FAIL_TIME_COUNT) ?
	582	*oldtime = (time_t)tally.fail_time[last_fail];
	583	}
	584
	585	last_fail = (tally.fail_cnt>=TALLYLOG_FAIL_TIME_COUNT) ?
571	586	TALLYLOG_FAIL_TIME_COUNT-1 :
572		tally.fail_cnt-1];
573		}
574
575		tally.fail_time[(tally.fail_cnt>=TALLYLOG_FAIL_TIME_COUNT) ?
576		TALLYLOG_FAIL_TIME_COUNT-1 :
577		tally.fail_cnt] = time(NULL);
578
	587	tally.fail_cnt;
	588
	589	tally.fail_time[last_fail] = time(NULL);
	590
	591	while (opts->deny_interval &&
	592	tally.fail_cnt < opts->deny &&
	593	tally.fail_time[last_fail]-tally.fail_time[0]>opts->deny_interval) {
	594	for (i=0 ; i<last_fail-1 ; i++) {
	595	tally.fail_time[i] = tally.fail_time[i+1];
	596	}
	597	tally.fail_time[last_fail] = 0;
	598	tally.fail_cnt--;
	599	last_fail--;
	600	}
579	601	(void) pam_get_item(pamh, PAM_RHOST, &remote_host);
580	602	if (!remote_host) {

trunk/RHEL5/pam_tally2/pseudo.txt

r39	r43
57	57	save old fail_time[fail_cnt-1] in oldtime
58	58	fail_time[fail_cnt] = current time
	59	if (deny_interval and not previously exceeded limit)
	60	while fail_time[fail_cnt] - fail_time[0] > deny_interval
	61	shift fail_time values left
	62	fail_cnt--
59	63	save old fail_cnt in oldcnt
60	64	if not magic_root option or uid not root

Download in other formats:

Unified Diff
Zip Disabled

* Generating other formats may take time.