mirror of
https://github.com/linux-pam/linux-pam.git
synced 2024-11-27 19:53:37 +08:00
Relevant BUGIDs:
Purpose of commit: new feature Commit summary: --------------- 2006-12-06 Thorsten Kukuk <kukuk@thkukuk.de> * modules/pam_faildelay/pam_faildelay.c: If no argument is given, try to read FAIL_DELAY from /etc/login.defs. * modules/pam_faildelay/pam_faildelay.8.xml: Document usage of /etc/login.defs.
parent
a4cef64893
commit
98822a2108
@ -5,6 +5,11 @@
|
||||
(create_homedir): Mark user visible messages for translation.
|
||||
* po/de.po: Adjust german translation for pam_mkhomedir.
|
||||
|
||||
* modules/pam_faildelay/pam_faildelay.c: If no argument is
|
||||
given, try to read FAIL_DELAY from /etc/login.defs.
|
||||
* modules/pam_faildelay/pam_faildelay.8.xml: Document usage
|
||||
of /etc/login.defs.
|
||||
|
||||
2006-12-04 Tomas Mraz <t8m@centrun.cz>
|
||||
|
||||
* po/jp.po: Fixed mistake in Password: message (from
|
||||
|
@ -7,6 +7,9 @@ DESCRIPTION
|
||||
pam_faildelay is a PAM module that can be used to set the delay on failure
|
||||
per-application.
|
||||
|
||||
If no delay is given, pam_faildelay will use the value of FAIL_DELAY from /etc/
|
||||
login.defs.
|
||||
|
||||
OPTIONS
|
||||
|
||||
debug
|
||||
|
@ -1,11 +1,11 @@
|
||||
.\" Title: pam_faildelay
|
||||
.\" Author:
|
||||
.\" Generator: DocBook XSL Stylesheets v1.71.0 <http://docbook.sf.net/>
|
||||
.\" Date: 11/28/2006
|
||||
.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
|
||||
.\" Date: 12/06/2006
|
||||
.\" Manual: Linux\-PAM Manual
|
||||
.\" Source: Linux\-PAM Manual
|
||||
.\"
|
||||
.TH "PAM_FAILDELAY" "8" "11/28/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
|
||||
.TH "PAM_FAILDELAY" "8" "12/06/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
|
||||
.\" disable hyphenation
|
||||
.nh
|
||||
.\" disable justification (adjust text to left margin only)
|
||||
@ -18,33 +18,30 @@ pam_faildelay \- Change the delay on failure per\-application
|
||||
.SH "DESCRIPTION"
|
||||
.PP
|
||||
pam_faildelay is a PAM module that can be used to set the delay on failure per\-application.
|
||||
.PP
|
||||
If no
|
||||
\fBdelay\fR
|
||||
is given, pam_faildelay will use the value of FAIL_DELAY from
|
||||
\fI/etc/login.defs\fR.
|
||||
.SH "OPTIONS"
|
||||
.PP
|
||||
.TP 3n
|
||||
\fBdebug\fR
|
||||
.RS 3n
|
||||
Turns on debugging messages sent to syslog.
|
||||
.RE
|
||||
.PP
|
||||
.TP 3n
|
||||
\fBdelay=\fR\fB\fIN\fR\fR
|
||||
.RS 3n
|
||||
Set the delay on failure to N microseconds.
|
||||
.RE
|
||||
.SH "MODULE SERVICES PROVIDED"
|
||||
.PP
|
||||
Only the
|
||||
\fBauth\fR
|
||||
service is supported.
|
||||
.SH "RETURN VALUES"
|
||||
.PP
|
||||
.TP 3n
|
||||
PAM_IGNORE
|
||||
.RS 3n
|
||||
Delay was successful adjusted.
|
||||
.RE
|
||||
.PP
|
||||
.TP 3n
|
||||
PAM_SYSTEM_ERR
|
||||
.RS 3n
|
||||
The specified delay was not valid.
|
||||
.RE
|
||||
.SH "EXAMPLES"
|
||||
.PP
|
||||
The following example will set the delay on failure to 10 seconds:
|
||||
|
@ -35,7 +35,10 @@
|
||||
pam_faildelay is a PAM module that can be used to set
|
||||
the delay on failure per-application.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
If no <option>delay</option> is given, pam_faildelay will
|
||||
use the value of FAIL_DELAY from <filename>/etc/login.defs</filename>.
|
||||
</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1 id="pam_faildelay-options">
|
||||
|
@ -11,10 +11,16 @@
|
||||
* auth required pam_faildelay.so delay=10000000
|
||||
* will set the delay on failure to 10 seconds.
|
||||
*
|
||||
* If no delay option was given, pam_faildelay.so will use the
|
||||
* FAIL_DELAY value of /etc/login.defs.
|
||||
*
|
||||
* Based on pam_rootok and parts of pam_unix both by Andrew Morgan
|
||||
* <morgan@linux.kernel.org>
|
||||
*
|
||||
* Copyright (c) 2006 Thorsten Kukuk <kukuk@thkukuk.de>
|
||||
* - Rewrite to use extended PAM functions
|
||||
* - Add /etc/login.defs support
|
||||
*
|
||||
* Portions Copyright (c) 2005 Darren Tucker <dtucker at zip com au>.
|
||||
*
|
||||
* Redistribution and use in source and binary forms of, with
|
||||
@ -55,10 +61,14 @@
|
||||
|
||||
#include "config.h"
|
||||
|
||||
#include <errno.h>
|
||||
#include <ctype.h>
|
||||
#include <stdio.h>
|
||||
#include <limits.h>
|
||||
#include <unistd.h>
|
||||
#include <syslog.h>
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
|
||||
#define PAM_SM_AUTH
|
||||
@ -67,6 +77,79 @@
|
||||
#include <security/pam_ext.h>
|
||||
|
||||
|
||||
#define BUF_SIZE 8192
|
||||
#define LOGIN_DEFS "/etc/login.defs"
|
||||
|
||||
static char *
|
||||
search_key (const char *filename)
|
||||
{
|
||||
FILE *fp;
|
||||
char *buf = NULL;
|
||||
size_t buflen = 0;
|
||||
char *retval = NULL;
|
||||
|
||||
fp = fopen (filename, "r");
|
||||
if (NULL == fp)
|
||||
return NULL;
|
||||
|
||||
while (!feof (fp))
|
||||
{
|
||||
char *tmp, *cp;
|
||||
#if defined(HAVE_GETLINE)
|
||||
ssize_t n = getline (&buf, &buflen, fp);
|
||||
#elif defined (HAVE_GETDELIM)
|
||||
ssize_t n = getdelim (&buf, &buflen, '\n', fp);
|
||||
#else
|
||||
ssize_t n;
|
||||
|
||||
if (buf == NULL)
|
||||
{
|
||||
buflen = BUF_SIZE;
|
||||
buf = malloc (buflen);
|
||||
}
|
||||
buf[0] = '\0';
|
||||
if (fgets (buf, buflen - 1, fp) == NULL)
|
||||
break;
|
||||
else if (buf != NULL)
|
||||
n = strlen (buf);
|
||||
else
|
||||
n = 0;
|
||||
#endif /* HAVE_GETLINE / HAVE_GETDELIM */
|
||||
cp = buf;
|
||||
|
||||
if (n < 1)
|
||||
break;
|
||||
|
||||
tmp = strchr (cp, '#'); /* remove comments */
|
||||
if (tmp)
|
||||
*tmp = '\0';
|
||||
while (isspace ((int)*cp)) /* remove spaces and tabs */
|
||||
++cp;
|
||||
if (*cp == '\0') /* ignore empty lines */
|
||||
continue;
|
||||
|
||||
if (cp[strlen (cp) - 1] == '\n')
|
||||
cp[strlen (cp) - 1] = '\0';
|
||||
|
||||
tmp = strsep (&cp, " \t=");
|
||||
if (cp != NULL)
|
||||
while (isspace ((int)*cp) || *cp == '=')
|
||||
++cp;
|
||||
|
||||
if (strcasecmp (tmp, "FAIL_DELAY") == 0)
|
||||
{
|
||||
retval = strdup (cp);
|
||||
break;
|
||||
}
|
||||
}
|
||||
fclose (fp);
|
||||
|
||||
free (buf);
|
||||
|
||||
return retval;
|
||||
}
|
||||
|
||||
|
||||
/* --- authentication management functions (only) --- */
|
||||
|
||||
PAM_EXTERN
|
||||
@ -74,7 +157,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
|
||||
int argc, const char **argv)
|
||||
{
|
||||
int i, debug_flag = 0;
|
||||
long int delay = 0;
|
||||
long int delay = -1;
|
||||
|
||||
/* step through arguments */
|
||||
for (i = 0; i < argc; i++) {
|
||||
@ -86,6 +169,31 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
|
||||
pam_syslog (pamh, LOG_ERR, "unknown option; %s", argv[i]);
|
||||
}
|
||||
|
||||
if (delay == -1)
|
||||
{
|
||||
char *endptr;
|
||||
char *val = search_key (LOGIN_DEFS);
|
||||
const char *val_orig = val;
|
||||
|
||||
if (val == NULL)
|
||||
return PAM_IGNORE;
|
||||
|
||||
errno = 0;
|
||||
delay = strtol (val, &endptr, 10) & 0777;
|
||||
if (((delay == 0) && (val_orig == endptr)) ||
|
||||
((delay == LONG_MIN || delay == LONG_MAX) && (errno == ERANGE)))
|
||||
{
|
||||
pam_syslog (pamh, LOG_ERR, "FAIL_DELAY=%s in %s not valid",
|
||||
val, LOGIN_DEFS);
|
||||
free (val);
|
||||
return PAM_IGNORE;
|
||||
}
|
||||
|
||||
free (val);
|
||||
/* delay is in seconds, convert to microseconds. */
|
||||
delay *= 1000000;
|
||||
}
|
||||
|
||||
if (debug_flag)
|
||||
pam_syslog (pamh, LOG_DEBUG, "setting fail delay to %ld", delay);
|
||||
|
||||
|
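Review bot: In the new `if (delay == -1)` block of pam_sm_authenticate, `strtol (val, &endptr, 10) & 0777` masks the parsed FAIL_DELAY to its low nine bits, so a configured value of 512 or 1024 yields a delay of 0 and a negative value is turned into something between 0 and 511, silently weakening the failure throttle. Because the mask is applied before the validity test, `delay == LONG_MIN || delay == LONG_MAX` can never be true and the ERANGE branch is dead code. I would drop the mask and validate the raw result: `delay = strtol (val, &endptr, 10);` followed by `if (endptr == val || errno == ERANGE || delay < 0 || delay > LONG_MAX / 1000000)`, which also keeps `delay *= 1000000` from overflowing once the mask no longer bounds the value. The body of pam_sm_authenticate starts before this hunk and continues past it, so how `delay` is finally passed on is not visible here.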