From de848d9e9146434817c65d74d1d0313e9d729462 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sat, 27 Apr 2024 14:01:37 +0200
Subject: Adding upstream version 1.4.0.
Signed-off-by: Daniel Baumann
---
modules/pam_tally2/pam_tally2.8.xml | 450 ++++++++++++++++++++++++++++++++++++
1 file changed, 450 insertions(+)
create mode 100644 modules/pam_tally2/pam_tally2.8.xml
(limited to 'modules/pam_tally2/pam_tally2.8.xml')
diff --git a/modules/pam_tally2/pam_tally2.8.xml b/modules/pam_tally2/pam_tally2.8.xml
new file mode 100644
index 0000000..d058cf9
--- /dev/null
+++ b/modules/pam_tally2/pam_tally2.8.xml
@@ -0,0 +1,450 @@
+
+
+
+
+
+
+ pam_tally2
+ 8
+ Linux-PAM Manual
+
+
+
+ pam_tally2
+ The login counter (tallying) module
+
+
+
+
+ pam_tally2.so
+
+ file=/path/to/counter
+
+
+ onerr=[fail|succeed]
+
+
+ magic_root
+
+
+ even_deny_root
+
+
+ deny=n
+
+
+ lock_time=n
+
+
+ unlock_time=n
+
+
+ root_unlock_time=n
+
+
+ serialize
+
+
+ audit
+
+
+ silent
+
+
+ no_log_info
+
+
+ debug
+
+
+
+ pam_tally2
+
+ --file /path/to/counter
+
+
+ --user username
+
+
+ --reset[=n]
+
+
+ --quiet
+
+
+
+
+
+
+ DESCRIPTION
+
+
+ This module maintains a count of attempted accesses, can
+ reset count on success, can deny access if too many attempts fail.
+
+
+ pam_tally2 comes in two parts:
+ pam_tally2.so and
+ pam_tally2. The former is the PAM module and
+ the latter, a stand-alone program. pam_tally2
+ is an (optional) application which can be used to interrogate and
+ manipulate the counter file. It can display user counts, set
+ individual counts, or clear all counts. Setting artificially high
+ counts may be useful for blocking users without changing their
+ passwords. For example, one might find it useful to clear all counts
+ every midnight from a cron job.
+
+
+ Normally, failed attempts to access root will
+ not cause the root account to become
+ blocked, to prevent denial-of-service: if your users aren't given
+ shell accounts and root may only login via su or
+ at the machine console (not telnet/rsh, etc), this is safe.
+
+
+
+
+
+ OPTIONS
+
+
+
+ GLOBAL OPTIONS
+
+
+
+ This can be used for auth and
+ account module types.
+
+
+
+
+
+
+
+
+ If something weird happens (like unable to open the file),
+ return with PAM_SUCCESS if
+
+ is given, else with the corresponding PAM error code.
+
+
+
+
+
+
+
+
+
+ File where to keep counts. Default is
+ /var/log/tallylog.
+
+
+
+
+
+
+
+
+
+ Will log the user name into the system log if the user is not found.
+
+
+
+
+
+
+
+
+
+ Don't print informative messages.
The messages printed without the silent option leak presence of accounts on the system because they are not printed for non-existing accounts.
+
+
+
+
+
+
+
+
+
+ Don't log informative messages via syslog3.
+
+
+
+
+
+
+
+
+
+ Always log tally count when it is incremented as a debug level message to the system log.
+
+
+
+
+
+
+
+
+
+ AUTH OPTIONS
+
+
+
+ Authentication phase first increments attempted login counter and
+ checks if user should be denied access. If the user is authenticated
+ and the login process continues on call to
+ pam_setcred3
+ it resets the attempts counter.
+
+
+
+
+
+
+
+
+ Deny access if tally for this user exceeds
+ n.
+
+
+
+
+
+
+
+
+
+ Always deny for n seconds
+ after failed attempt.
+
+
+
+
+
+
+
+
+
+ Allow access after n seconds
+ after failed attempt. If this option is used the user will
+ be locked out for the specified amount of time after he
+ exceeded his maximum allowed attempts. Otherwise the
+ account is locked until the lock is removed by a manual
+ intervention of the system administrator.
+
+
+
+
+
+
+
+
+
+ If the module is invoked by a user with uid=0 the
+ counter is not incremented. The sysadmin should use this
+ for user launched services, like su,
+ otherwise this argument should be omitted.
+
+
+
+
+
+
+
+
+
+ Root account can become unavailable.
+
+
+
+
+
+
+
+
+
+ This option implies option.
+ Allow access after n seconds
+ to root account after failed attempt. If this option is used
+ the root user will be locked out for the specified amount of
+ time after he exceeded his maximum allowed attempts.
+
+
+
+
+
+
+
+
+
+ Serialize access to the tally file using locks. This option might
+ be used only for non-multithreaded services because it depends on
+ the fcntl locking of the tally file. Also it is a good idea to use
+ this option only in such configurations where the time between auth
+ phase and account or setcred phase is not dependent on the
+ authenticating client.
Otherwise the authenticating client will be
+ able to prevent simultaneous authentications by the same user by
+ simply artificially prolonging the time the file record lock is held.
+
+
+
+
+
+
+
+
+
+
+ ACCOUNT OPTIONS
+
+
+
+ Account phase resets attempts counter if the user is
+ not magic root.
+ This phase can be used optionally for services which don't call
+
+ pam_setcred3
+ correctly or if the reset should be done regardless
+ of the failure of the account phase of other modules.
+
+
+
+
+
+
+
+
+ If the module is invoked by a user with uid=0 the
+ counter is not changed. The sysadmin should use this
+ for user launched services, like su,
+ otherwise this argument should be omitted.
+
+
+
+
+
+
+
+
+
+
+ MODULE TYPES PROVIDED
+
+ The and
+ module types are provided.
+
+
+
+
+ RETURN VALUES
+
+
+ PAM_AUTH_ERR
+
+
+ A invalid option was given, the module was not able
+ to retrieve the user name, no valid counter file
+ was found, or too many failed logins.
+
+
+
+
+ PAM_SUCCESS
+
+
+ Everything was successful.
+
+
+
+
+ PAM_USER_UNKNOWN
+
+
+ User not known.
+
+
+
+
+
+
+
+ NOTES
+
+ pam_tally2 is not compatible with the old pam_tally faillog file format.
+ This is caused by requirement of compatibility of the tallylog file
+ format between 32bit and 64bit architectures on multiarch systems.
+
+
+ There is no setuid wrapper for access to the data file such as when the
+ pam_tally2.so module is called from
+ xscreensaver. As this would make it impossible to share PAM configuration
+ with such services the following workaround is used: If the data file
+ cannot be opened because of insufficient permissions
+ (EACCES) the module returns
+ PAM_IGNORE.
+
+
+
+
+ EXAMPLES
+
+ Add the following line to /etc/pam.d/login to
+ lock the account after 4 failed logins. Root account will be locked
+ as well. The accounts will be automatically unlocked after 20 minutes.
+ The module does not have to be called in the account phase because the
+ login calls
+ pam_setcred3
+ correctly.
+
+
+auth required pam_securetty.so
+auth required pam_tally2.so deny=4 even_deny_root unlock_time=1200
+auth required pam_env.so
+auth required pam_unix.so
+auth required pam_nologin.so
+account required pam_unix.so
+password required pam_unix.so
+session required pam_limits.so
+session required pam_unix.so
+session required pam_lastlog.so nowtmp
+session optional pam_mail.so standard
+
+
+
+
+ FILES
+
+
+ /var/log/tallylog
+
+ failure count logging file
+
+
+
+
+
+
+ SEE ALSO
+
+
+ pam.conf5
+ ,
+
+ pam.d5
+ ,
+
+ pam8
+
+
+
+
+
+ AUTHOR
+
+ pam_tally2 was written by Tim Baverstock and Tomas Mraz.
+
+
+
+
--
cgit v1.2.3