Changeset 55
- Timestamp:
- 05/25/07 10:05:35
(2 years ago)
- Author:
- csellers
- Message:
rename to pam_tally3
-
Files:
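--- a/PATH_NOT_SHOWN.automake (r37)
+++ b/PATH_NOT_SHOWN.automake (r55)
@@ -15,12 +15,12 @@
 AM_LDFLAGS = -no-undefined -L$(top_builddir)/libpam -lpam $(LIBAUDIT)
 
-pam_tally2_la_LDFLAGS = -avoid-version -module
+pam_tally3_la_LDFLAGS = -avoid-version -module
 if HAVE_VERSIONING
-pam_tally2_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+pam_tally3_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
 endif
 
-securelib_LTLIBRARIES = pam_tally2.la
-sbin_PROGRAMS = pam_tally2
+securelib_LTLIBRARIES = pam_tally3.la
+sbin_PROGRAMS = pam_tally3
 
-pam_tally2_la_SOURCES = pam_tally.c
-pam_tally2_SOURCES = pam_tally_app.c
+pam_tally3_la_SOURCES = pam_tally.c
+pam_tally3_SOURCES = pam_tally_app.c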
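--- a/PATH_NOT_SHOWN.doc (r47)
+++ b/PATH_NOT_SHOWN.doc (r55)
@@ -1,4 +1,4 @@
 SUMMARY:
-pam_tally2.so:
+pam_tally3.so:
 
 Maintains a count of attempted accesses, can reset count on success,
@@ -64,7 +64,7 @@
 LONGER:
 
-pam_tally2 comes in two parts: pam_tally2.so and pam_tally2.
+pam_tally3 comes in two parts: pam_tally3.so and pam_tally3.
 
-pam_tally2.so sits in a pam config file, in the auth and account sections.
+pam_tally3.so sits in a pam config file, in the auth and account sections.
 
 In the auth section, it denies access if attempted logins exceed some
@@ -89,5 +89,5 @@
 blocked for some given service, use even_deny_root_account.
 
-pam_tally2 is an (optional) application which can be used to interrogate and
+pam_tally3 is an (optional) application which can be used to interrogate and
 manipulate the counter file. It can display users' counts, set individual
 counts, or clear all counts. Setting artificially high counts may be useful
@@ -101,8 +101,8 @@
 BUGS:
 
-pam_tally2 is not compatible with the old pam_tally faillog file format.
+pam_tally3 is not compatible with the old pam_tally faillog file format.
 
 There is no setuid wrapper for access to the data file such as when the
-pam_tally2 module is called from xscreensaver. As this would make it
+pam_tally3 module is called from xscreensaver. As this would make it
 impossible to share PAM configuration with such services the following
 workaround is used: If the data file cannot be opened because of insufficient
@@ -117,4 +117,4 @@
 
 The pam_tally was also incompatible between 32bit and 64bit versions because
-the faillog format was architecture dependent. The new pam_tally2 uses a new
+the faillog format was architecture dependent. The new pam_tally3 uses a new
 data file format and thus the file was renamed to /var/log/tallylog.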
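--- a/PATH_NOT_SHOWN.c (r47)
+++ b/PATH_NOT_SHOWN.c (r55)
@@ -85,6 +85,6 @@
 /*---------------------------------------------------------------------*/
 
-#define DEFAULT_LOGFILE "/var/log/tallylog"
-#define MODULE_NAME "pam_tally2"
+#define DEFAULT_LOGFILE "/var/log/tallylog3"
+#define MODULE_NAME "pam_tally3"
 
 #define tally_t uint16_t
@@ -464,5 +464,5 @@
 if (tally->fail_cnt == opts->deny+1) {
 /* First say that max number was hit. */
-snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
+snprintf(buf, sizeof(buf), "pam_tally3 uid=%u ", uid);
 audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
 NULL, NULL, NULL, 1);
@@ -475,5 +475,5 @@
 /* ignore deny check after unlock_time elapsed */
 #ifdef HAVE_LIBAUDIT
-snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
+snprintf(buf, sizeof(buf), "pam_tally3 uid=%u ", uid);
 audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
 NULL, NULL, NULL, 1);
@@ -489,5 +489,5 @@
 /* ignore deny check after unlock_time elapsed */
 #ifdef HAVE_LIBAUDIT
-snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
+snprintf(buf, sizeof(buf), "pam_tally3 uid=%u ", uid);
 audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
 NULL, NULL, NULL, 1);
@@ -932,5 +932,5 @@
 char buf[64];
 int audit_fd = audit_open();
-snprintf(buf, sizeof(buf), "pam_tally2 uid=%u reset=%hu", uid, cline_reset);
+snprintf(buf, sizeof(buf), "pam_tally3 uid=%u reset=%hu", uid, cline_reset);
 audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
 buf, NULL, NULL, NULL, 1);
@@ -977,5 +977,5 @@
 char buf[64];
 int audit_fd = audit_open();
-snprintf(buf, sizeof(buf), "pam_tally2 uid=all reset=0");
+snprintf(buf, sizeof(buf), "pam_tally3 uid=all reset=0");
 audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
 buf, NULL, NULL, NULL, 1);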
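Review bot: The new `DEFAULT_LOGFILE "/var/log/tallylog3"` is more than a rename: a host that switches to this module starts from an empty counter file, so failure counts and lockouts already recorded in `/var/log/tallylog` stop applying, and the documentation text touched by the same changeset still ends with "renamed to /var/log/tallylog" in an unchanged line. The five audit messages also hard-code the new prefix rather than using the `MODULE_NAME` macro defined next to the logfile, e.g. `snprintf(buf, sizeof(buf), MODULE_NAME " uid=%u ", uid);`, which would keep the audit text from drifting away from the module name on the next rename. Anything that matches audit records on the literal `pam_tally2 uid=` will stop seeing lockout, timed-unlock and counter-reset events after this change, so that dependency is worth stating in the commit message or release notes. The functions containing these calls begin and end outside the visible hunks.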