author | Sebastien Tricaud <toady@gscore.org> | 2005-01-16 22:12:24 +0000 |
---|---|---|
committer | Sebastien Tricaud <toady@gscore.org> | 2005-01-16 22:12:24 +0000 |
commit | 265d8a5b9d5df51af0e5b0b62b0d390ec04872ae (patch) | |
tree | 0b25a94ed7c401e81fdb7973744ac9d0fe7a767d | |
parent | ea0ecd8c547fc83619b00ebfb6cf15fedddac4b5 (diff) | |
Audit option added
-rw-r--r-- | CHANGELOG | 1 | ||||
-rw-r--r-- | doc/modules/pam_tally.sgml | 5 | ||||
-rw-r--r-- | modules/pam_tally/README | 1 | ||||
-rw-r--r-- | modules/pam_tally/pam_tally.c | 19 |
4 files changed, 20 insertions, 6 deletions
@@ -62,6 +62,7 @@ BerliOS Bugs are marked with (BerliOS #XXXX).
 0.79: please submit patches for this section with actual code/doc patches!
+* pam_tally: added audit option (toady)
 * pam_unix: don't log user unknown failure when he can be properly authenticated by another module (t8m)
 * configure: don't abort if no cracklib dictinaries were found, but
diff --git a/doc/modules/pam_tally.sgml b/doc/modules/pam_tally.sgml
index 44c6f4ed..afff25ca 100644
--- a/doc/modules/pam_tally.sgml
+++ b/doc/modules/pam_tally.sgml
@@ -73,6 +73,11 @@ of usernames would be much more flexible
 <item> <tt>file=</tt><em>/where/to/keep/counts</em>: specify the file location for the counts. The default location is <tt>/var/log/faillog</tt>.
+<item> <tt>audit</tt>:
+ display the username typed if the user is not found. It may be
+ useful for scripts, but you should know users often type their
+ password instead making your system weaker. Activate it only if you
+ know what you are doing.
 </itemize>
 <sect2>Authentication component
diff --git a/modules/pam_tally/README b/modules/pam_tally/README
index 6c7d87f4..c8b715bd 100644
--- a/modules/pam_tally/README
+++ b/modules/pam_tally/README
@@ -9,6 +9,7 @@ SUMMARY:
 * onerr=[succeed|fail] (if something weird happens such as unable to open the file, what to do?)
 * file=/where/to/keep/counts (default /var/log/faillog)
+ * audit (will display the username typed if the user is not found)
 (auth) Authentication phase first checks if user should be denied access
diff --git a/modules/pam_tally/pam_tally.c b/modules/pam_tally/pam_tally.c
index 134f7f32..637f6172 100644
--- a/modules/pam_tally/pam_tally.c
+++ b/modules/pam_tally/pam_tally.c
@@ -11,6 +11,7 @@
  * Stuff stolen from pam_rootok and pam_listfile
  *
  * Changes by Tomas Mraz <tmraz@redhat.com> 5 January 2005
+ * Audit option added for Tomas patch by Sebastien Tricaud <toady@gscore.org> 13 January 2005
  */
 #include <security/_pam_aconf.h>
@@ -94,6 +95,7 @@ struct tally_options {
 #define OPT_PER_USER 010
 #define OPT_NO_LOCK_TIME 020
 #define OPT_NO_RESET 040
+#define OPT_AUDIT 100
 /*---------------------------------------------------------------------*/
@@ -193,6 +195,9 @@ static int tally_parse_args( struct tally_options *opts, int phase,
 else if ( ! strcmp( *argv, "no_reset" ) ) {
 opts->ctrl |= OPT_NO_RESET;
 }
+ else if ( ! strcmp ( *argv, "audit") ) {
+ opts->ctrl |= OPT_AUDIT;
+ }
 else {
 _pam_log(LOG_ERR, MODULE_NAME ": unknown option; %s",*argv);
 }
@@ -210,7 +215,7 @@ static int tally_parse_args( struct tally_options *opts, int phase,
 static char *cline_user=0; /* cline_user is used in the administration prog */
 #endif
-static int pam_get_uid( pam_handle_t *pamh, uid_t *uid, const char **userp )
+static int pam_get_uid( pam_handle_t *pamh, uid_t *uid, const char **userp, struct tally_options *opts)
 {
 const char *user = NULL;
 struct passwd *pw;
@@ -227,7 +232,9 @@ static int pam_get_uid( pam_handle_t *pamh, uid_t *uid, const char **userp )
 }
 if ( ! ( pw = _pammodutil_getpwnam( pamh, user ) ) ) {
- _pam_log(LOG_ERR,MODULE_NAME ": pam_get_uid; no such user %s",user);
+ opts->ctrl & OPT_AUDIT ?
+ _pam_log(LOG_ERR,MODULE_NAME ": pam_get_uid; no such user %s",user) :
+ _pam_log(LOG_ERR,MODULE_NAME ": pam_get_uid; user unknown");
 return PAM_USER_UNKNOWN;
 }
@@ -589,7 +596,7 @@ PAM_FUNCTION( pam_sm_authenticate ) {
 if ( rvcheck != PAM_SUCCESS ) RETURN_ERROR( rvcheck );
- rvcheck = pam_get_uid(pamh, &uid, &user);
+ rvcheck = pam_get_uid(pamh, &uid, &user, opts);
 if ( rvcheck != PAM_SUCCESS ) RETURN_ERROR( rvcheck );
@@ -617,7 +624,7 @@ PAM_FUNCTION( pam_sm_setcred ) {
 if ( rv != PAM_SUCCESS ) RETURN_ERROR( rv );
- rv = pam_get_uid(pamh, &uid, &user);
+ rv = pam_get_uid(pamh, &uid, &user, opts);
 if ( rv != PAM_SUCCESS ) RETURN_ERROR( rv );
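Review bot: `#define OPT_AUDIT 100` is a decimal literal while the flags above it (`010`, `020`, `040`) are octal, so the new constant is 0144 and shares bits with OPT_NO_RESET (040) and the 04 flag whose name lies outside this hunk. `opts->ctrl |= OPT_AUDIT` in tally_parse_args then silently enables those options as well, and `opts->ctrl & OPT_AUDIT` in pam_get_uid is non-zero when only no_reset was configured, so the typed user name would be written to the log without `audit` ever being requested. Change the line to `#define OPT_AUDIT 0100`.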
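Review bot: `strcmp ( *argv, "audit")` is spaced differently from the sibling branches such as `strcmp( *argv, "no_reset" )`; write it as `else if ( ! strcmp( *argv, "audit" ) ) {` so the option table reads uniformly. tally_parse_args starts and ends outside the hunk.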
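Review bot: `opts->ctrl & OPT_AUDIT` dereferences opts with no NULL check, but the administration program's main() (the -763 hunk further down) now calls `pam_get_uid( NULL, &uid, NULL, NULL)`, so an unknown user name on its command line crashes in this branch instead of producing the PAM_USER_UNKNOWN message it prints today. Guard the pointer and replace the statement-level `?:` between two `_pam_log` calls with an if/else, which also makes it obvious which of the two messages can carry the typed name into syslog. The rest of pam_get_uid lies outside the hunk.
```c
  if ( ! ( pw = _pammodutil_getpwnam( pamh, user ) ) ) {
    /* opts is NULL when called from the administration program's main() */
    if ( opts && ( opts->ctrl & OPT_AUDIT ) )
      _pam_log(LOG_ERR,MODULE_NAME ": pam_get_uid; no such user %s",user);
    else
      _pam_log(LOG_ERR,MODULE_NAME ": pam_get_uid; user unknown");
    /* … unchanged: return PAM_USER_UNKNOWN … */
```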
@@ -656,7 +663,7 @@ PAM_FUNCTION( pam_sm_acct_mgmt ) {
 if ( rv != PAM_SUCCESS ) RETURN_ERROR( rv );
- rv = pam_get_uid(pamh, &uid, &user);
+ rv = pam_get_uid(pamh, &uid, &user, opts);
 if ( rv != PAM_SUCCESS ) RETURN_ERROR( rv );
@@ -763,7 +770,7 @@ int main ( int argc, char **argv ) {
 uid_t uid;
 tally_t tally=cline_reset;
 FILE *TALLY=0;
- int i=pam_get_uid( NULL, &uid, NULL);
+ int i=pam_get_uid( NULL, &uid, NULL, NULL);
 if ( i != PAM_SUCCESS ) {
 fprintf(stderr,"%s: %s\n",*argv,pam_errors(i));
 exit(0); |