Diffstat (limited to '')
-rw-r--r--  modules/pam_tally/pam_tally.8      256
-rw-r--r--  modules/pam_tally/pam_tally.8.xml  459
2 files changed, 715 insertions, 0 deletions
diff --git a/modules/pam_tally/pam_tally.8 b/modules/pam_tally/pam_tally.8 new file mode 100644 index 0000000..f4d3350 --- /dev/null +++ b/modules/pam_tally/pam_tally.8 
@@ -0,0 +1,256 @@ +'\" t +.\" Title: pam_tally +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 06/08/2020 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_TALLY" "8" "06/08/2020" "Linux-PAM Manual" "Linux\-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_tally \- The login counter (tallying) module +.SH "SYNOPSIS" +.HP \w'\fBpam_tally\&.so\fR\ 'u +\fBpam_tally\&.so\fR [file=\fI/path/to/counter\fR] [onerr=[\fIfail\fR|\fIsucceed\fR]] [magic_root] [even_deny_root_account] [deny=\fIn\fR] [lock_time=\fIn\fR] [unlock_time=\fIn\fR] [per_user] [no_lock_time] [no_reset] [audit] [silent] [no_log_info] +.HP \w'\fBpam_tally\fR\ 'u +\fBpam_tally\fR [\-\-file\ \fI/path/to/counter\fR] [\-\-user\ \fIusername\fR] [\-\-reset[=\fIn\fR]] [\-\-quiet] +.SH "DESCRIPTION" +.PP +This module maintains a count of attempted accesses, can reset count on success, can deny access if too many attempts fail\&. +.PP +pam_tally has several limitations, which are solved with pam_tally2\&. 
For this reason pam_tally is deprecated and will be removed in a future release\&. +.PP +pam_tally comes in two parts: +\fBpam_tally\&.so\fR +and +\fBpam_tally\fR\&. The former is the PAM module and the latter, a stand\-alone program\&. +\fBpam_tally\fR +is an (optional) application which can be used to interrogate and manipulate the counter file\&. It can display user counts, set individual counts, or clear all counts\&. Setting artificially high counts may be useful for blocking users without changing their passwords\&. For example, one might find it useful to clear all counts every midnight from a cron job\&. The +\fBfaillog\fR(8) +command can be used instead of pam_tally to to maintain the counter file\&. +.PP +Normally, failed attempts to access +\fIroot\fR +will +\fBnot\fR +cause the root account to become blocked, to prevent denial\-of\-service: if your users aren\*(Aqt given shell accounts and root may only login via +\fBsu\fR +or at the machine console (not telnet/rsh, etc), this is safe\&. +.SH "OPTIONS" +.PP +GLOBAL OPTIONS +.RS 4 +This can be used for +\fIauth\fR +and +\fIaccount\fR +module types\&. +.PP +\fBonerr=[\fR\fB\fIfail\fR\fR\fB|\fR\fB\fIsucceed\fR\fR\fB]\fR +.RS 4 +If something weird happens (like unable to open the file), return with +\fBPAM_SUCCESS\fR +if +\fBonerr=\fR\fB\fIsucceed\fR\fR +is given, else with the corresponding PAM error code\&. +.RE +.PP +\fBfile=\fR\fB\fI/path/to/counter\fR\fR +.RS 4 +File where to keep counts\&. Default is +/var/log/faillog\&. +.RE +.PP +\fBaudit\fR +.RS 4 +Will log the user name into the system log if the user is not found\&. +.RE +.PP +\fBsilent\fR +.RS 4 +Don\*(Aqt print informative messages\&. The messages printed without the +\fIsilent\fR +option leak presence of accounts on the system because they are not printed for non\-existing accounts\&. +.RE +.PP +\fBno_log_info\fR +.RS 4 +Don\*(Aqt log informative messages via +\fBsyslog\fR(3)\&. 
+.RE +.RE +.PP +AUTH OPTIONS +.RS 4 +Authentication phase first checks if user should be denied access and if not it increments attempted login counter\&. Then on call to +\fBpam_setcred\fR(3) +it resets the attempts counter\&. +.PP +\fBdeny=\fR\fB\fIn\fR\fR +.RS 4 +Deny access if tally for this user exceeds +\fIn\fR\&. +.RE +.PP +\fBlock_time=\fR\fB\fIn\fR\fR +.RS 4 +Always deny for +\fIn\fR +seconds after failed attempt\&. +.RE +.PP +\fBunlock_time=\fR\fB\fIn\fR\fR +.RS 4 +Allow access after +\fIn\fR +seconds after failed attempt\&. If this option is used the user will be locked out for the specified amount of time after he exceeded his maximum allowed attempts\&. Otherwise the account is locked until the lock is removed by a manual intervention of the system administrator\&. +.RE +.PP +\fBmagic_root\fR +.RS 4 +If the module is invoked by a user with uid=0 the counter is not incremented\&. The sysadmin should use this for user launched services, like +\fBsu\fR, otherwise this argument should be omitted\&. +.RE +.PP +\fBno_lock_time\fR +.RS 4 +Do not use the \&.fail_locktime field in +/var/log/faillog +for this user\&. +.RE +.PP +\fBno_reset\fR +.RS 4 +Don\*(Aqt reset count on successful entry, only decrement\&. +.RE +.PP +\fBeven_deny_root_account\fR +.RS 4 +Root account can become unavailable\&. +.RE +.PP +\fBper_user\fR +.RS 4 +If +/var/log/faillog +contains a non\-zero \&.fail_max/\&.fail_locktime field for this user then use it instead of +\fBdeny=\fR\fB\fIn\fR\fR/ +\fBlock_time=\fR\fB\fIn\fR\fR +parameter\&. +.RE +.PP +\fBno_lock_time\fR +.RS 4 +Don\*(Aqt use \&.fail_locktime filed in +/var/log/faillog +for this user\&. +.RE +.RE +.PP +ACCOUNT OPTIONS +.RS 4 +Account phase resets attempts counter if the user is +\fBnot\fR +magic root\&. This phase can be used optionally for services which don\*(Aqt call +\fBpam_setcred\fR(3) +correctly or if the reset should be done regardless of the failure of the account phase of other modules\&. 
+.PP +\fBmagic_root\fR +.RS 4 +If the module is invoked by a user with uid=0 the counter is not incremented\&. The sysadmin should use this for user launched services, like +\fBsu\fR, otherwise this argument should be omitted\&. +.RE +.PP +\fBno_reset\fR +.RS 4 +Don\*(Aqt reset count on successful entry, only decrement\&. +.RE +.RE +.SH "MODULE TYPES PROVIDED" +.PP +The +\fBauth\fR +and +\fBaccount\fR +module types are provided\&. +.SH "RETURN VALUES" +.PP +PAM_AUTH_ERR +.RS 4 +A invalid option was given, the module was not able to retrieve the user name, no valid counter file was found, or too many failed logins\&. +.RE +.PP +PAM_SUCCESS +.RS 4 +Everything was successful\&. +.RE +.PP +PAM_USER_UNKNOWN +.RS 4 +User not known\&. +.RE +.SH "EXAMPLES" +.PP +Add the following line to +/etc/pam\&.d/login +to lock the account after too many failed logins\&. The number of allowed fails is specified by +/var/log/faillog +and needs to be set with pam_tally or +\fBfaillog\fR(8) +before\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +auth required pam_securetty\&.so +auth required pam_tally\&.so per_user +auth required pam_env\&.so +auth required pam_unix\&.so +auth required pam_nologin\&.so +account required pam_unix\&.so +password required pam_unix\&.so +session required pam_limits\&.so +session required pam_unix\&.so +session required pam_lastlog\&.so nowtmp +session optional pam_mail\&.so standard + +.fi +.if n \{\ +.RE +.\} +.SH "FILES" +.PP +/var/log/faillog +.RS 4 +failure logging file +.RE +.SH "SEE ALSO" +.PP +\fBfaillog\fR(8), +\fBpam.conf\fR(5), +\fBpam.d\fR(5), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_tally was written by Tim Baverstock and Tomas Mraz\&. diff --git a/modules/pam_tally/pam_tally.8.xml b/modules/pam_tally/pam_tally.8.xml new file mode 100644 index 0000000..80ad060 --- /dev/null +++ b/modules/pam_tally/pam_tally.8.xml 
@@ -0,0 +1,459 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_tally"> + + <refmeta> + <refentrytitle>pam_tally</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_tally-name"> + <refname>pam_tally</refname> + <refpurpose>The login counter (tallying) module</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_tally-cmdsynopsis1"> + <command>pam_tally.so</command> + <arg choice="opt"> + file=<replaceable>/path/to/counter</replaceable> + </arg> + <arg choice="opt"> + onerr=[<replaceable>fail</replaceable>|<replaceable>succeed</replaceable>] + </arg> + <arg choice="opt"> + magic_root + </arg> + <arg choice="opt"> + even_deny_root_account + </arg> + <arg choice="opt"> + deny=<replaceable>n</replaceable> + </arg> + <arg choice="opt"> + lock_time=<replaceable>n</replaceable> + </arg> + <arg choice="opt"> + unlock_time=<replaceable>n</replaceable> + </arg> + <arg choice="opt"> + per_user + </arg> + <arg choice="opt"> + no_lock_time + </arg> + <arg choice="opt"> + no_reset + </arg> + <arg choice="opt"> + audit + </arg> + <arg choice="opt"> + silent + </arg> + <arg choice="opt"> + no_log_info + </arg> + </cmdsynopsis> + <cmdsynopsis id="pam_tally-cmdsynopsis2"> + <command>pam_tally</command> + <arg choice="opt"> + --file <replaceable>/path/to/counter</replaceable> + </arg> + <arg choice="opt"> + --user <replaceable>username</replaceable> + </arg> + <arg choice="opt"> + --reset[=<replaceable>n</replaceable>] + </arg> + <arg choice="opt"> + --quiet + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_tally-description"> + + <title>DESCRIPTION</title> + + <para> + This module maintains a count of attempted accesses, can + reset count on success, can deny access if too many attempts + fail. 
+ </para> + <para> + pam_tally has several limitations, which are solved with + pam_tally2. For this reason pam_tally is deprecated and + will be removed in a future release. + </para> + <para> + pam_tally comes in two parts: + <emphasis remap='B'>pam_tally.so</emphasis> and + <command>pam_tally</command>. The former is the PAM module and + the latter, a stand-alone program. <command>pam_tally</command> + is an (optional) application which can be used to interrogate and + manipulate the counter file. It can display user counts, set + individual counts, or clear all counts. Setting artificially high + counts may be useful for blocking users without changing their + passwords. For example, one might find it useful to clear all counts + every midnight from a cron job. The + <citerefentry> + <refentrytitle>faillog</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> command can be used instead of pam_tally to to + maintain the counter file. + </para> + <para> + Normally, failed attempts to access <emphasis>root</emphasis> will + <emphasis remap='B'>not</emphasis> cause the root account to become + blocked, to prevent denial-of-service: if your users aren't given + shell accounts and root may only login via <command>su</command> or + at the machine console (not telnet/rsh, etc), this is safe. + </para> + </refsect1> + + <refsect1 id="pam_tally-options"> + + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + GLOBAL OPTIONS + </term> + <listitem> + <para> + This can be used for <emphasis>auth</emphasis> and + <emphasis>account</emphasis> module types. 
+ </para> + <variablelist> + <varlistentry> + <term> + <option>onerr=[<replaceable>fail</replaceable>|<replaceable>succeed</replaceable>]</option> + </term> + <listitem> + <para> + If something weird happens (like unable to open the file), + return with <errorcode>PAM_SUCCESS</errorcode> if + <option>onerr=<replaceable>succeed</replaceable></option> + is given, else with the corresponding PAM error code. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>file=<replaceable>/path/to/counter</replaceable></option> + </term> + <listitem> + <para> + File where to keep counts. Default is + <filename>/var/log/faillog</filename>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>audit</option> + </term> + <listitem> + <para> + Will log the user name into the system log if the user is not found. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>silent</option> + </term> + <listitem> + <para> + Don't print informative messages. The messages printed without the <emphasis>silent</emphasis> option leak presence of accounts on the system because they are not printed for non-existing accounts. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>no_log_info</option> + </term> + <listitem> + <para> + Don't log informative messages via <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>. + </para> + </listitem> + </varlistentry> + </variablelist> + </listitem> + </varlistentry> + + <varlistentry> + <term> + AUTH OPTIONS + </term> + <listitem> + <para> + Authentication phase first checks if user should be denied + access and if not it increments attempted login counter. Then + on call to <citerefentry> + <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> it resets the attempts counter. 
+ </para> + <variablelist> + <varlistentry> + <term> + <option>deny=<replaceable>n</replaceable></option> + </term> + <listitem> + <para> + Deny access if tally for this user exceeds + <replaceable>n</replaceable>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>lock_time=<replaceable>n</replaceable></option> + </term> + <listitem> + <para> + Always deny for <replaceable>n</replaceable> seconds + after failed attempt. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>unlock_time=<replaceable>n</replaceable></option> + </term> + <listitem> + <para> + Allow access after <replaceable>n</replaceable> seconds + after failed attempt. If this option is used the user will + be locked out for the specified amount of time after he + exceeded his maximum allowed attempts. Otherwise the + account is locked until the lock is removed by a manual + intervention of the system administrator. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>magic_root</option> + </term> + <listitem> + <para> + If the module is invoked by a user with uid=0 the + counter is not incremented. The sysadmin should use this + for user launched services, like <command>su</command>, + otherwise this argument should be omitted. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>no_lock_time</option> + </term> + <listitem> + <para> + Do not use the .fail_locktime field in + <filename>/var/log/faillog</filename> for this user. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>no_reset</option> + </term> + <listitem> + <para> + Don't reset count on successful entry, only decrement. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>even_deny_root_account</option> + </term> + <listitem> + <para> + Root account can become unavailable. 
+ </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>per_user</option> + </term> + <listitem> + <para> + If <filename>/var/log/faillog</filename> contains a non-zero + .fail_max/.fail_locktime field for this user then use it + instead of <option>deny=<replaceable>n</replaceable></option>/ + <option>lock_time=<replaceable>n</replaceable></option> parameter. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>no_lock_time</option> + </term> + <listitem> + <para> + Don't use .fail_locktime filed in + <filename>/var/log/faillog</filename> for this user. + </para> + </listitem> + </varlistentry> + + </variablelist> + </listitem> + </varlistentry> + + + <varlistentry> + <term> + ACCOUNT OPTIONS + </term> + <listitem> + <para> + Account phase resets attempts counter if the user is + <emphasis remap='B'>not</emphasis> magic root. + This phase can be used optionally for services which don't call + <citerefentry> + <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum> + </citerefentry> correctly or if the reset should be done regardless + of the failure of the account phase of other modules. + </para> + <variablelist> + <varlistentry> + <term> + <option>magic_root</option> + </term> + <listitem> + <para> + If the module is invoked by a user with uid=0 the + counter is not incremented. The sysadmin should use this + for user launched services, like <command>su</command>, + otherwise this argument should be omitted. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>no_reset</option> + </term> + <listitem> + <para> + Don't reset count on successful entry, only decrement. + </para> + </listitem> + </varlistentry> + </variablelist> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_tally-types"> + <title>MODULE TYPES PROVIDED</title> + <para> + The <option>auth</option> and <option>account</option> + module types are provided. 
+ </para> + </refsect1> + + <refsect1 id='pam_tally-return_values'> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para> + A invalid option was given, the module was not able + to retrieve the user name, no valid counter file + was found, or too many failed logins. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Everything was successful. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + User not known. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_tally-examples'> + <title>EXAMPLES</title> + <para> + Add the following line to <filename>/etc/pam.d/login</filename> to + lock the account after too many failed logins. The number of + allowed fails is specified by <filename>/var/log/faillog</filename> + and needs to be set with pam_tally or <citerefentry> + <refentrytitle>faillog</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> before. 
+ </para> + <programlisting> +auth required pam_securetty.so +auth required pam_tally.so per_user +auth required pam_env.so +auth required pam_unix.so +auth required pam_nologin.so +account required pam_unix.so +password required pam_unix.so +session required pam_limits.so +session required pam_unix.so +session required pam_lastlog.so nowtmp +session optional pam_mail.so standard + </programlisting> + </refsect1> + + <refsect1 id="pam_tally-files"> + <title>FILES</title> + <variablelist> + <varlistentry> + <term><filename>/var/log/faillog</filename></term> + <listitem> + <para>failure logging file</para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_tally-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>faillog</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_tally-author'> + <title>AUTHOR</title> + <para> + pam_tally was written by Tim Baverstock and Tomas Mraz. + </para> + </refsect1> + +</refentry> |