1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
|
From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Date: Sat, 22 Jun 2024 17:39:41 +0200
Subject: Let pam_unix handle login failure delays
Fixes: #87648
Status wrt upstream: Forwarded but not applied yet
Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
Gbp-Topic: debian
---
lib/getdef.c | 1 -
src/login.c | 19 +++++--------------
2 files changed, 5 insertions(+), 15 deletions(-)
diff --git a/lib/getdef.c b/lib/getdef.c
index 30f54ba..21307bb 100644
--- a/lib/getdef.c
+++ b/lib/getdef.c
@@ -84,7 +84,6 @@ static struct itemdef def_table[] = {
{"ENV_PATH", NULL},
{"ENV_SUPATH", NULL},
{"ERASECHAR", NULL},
- {"FAIL_DELAY", NULL},
{"FAKE_SHELL", NULL},
{"GID_MAX", NULL},
{"GID_MIN", NULL},
diff --git a/src/login.c b/src/login.c
index 9fed7b3..a5512d1 100644
--- a/src/login.c
+++ b/src/login.c
@@ -490,7 +490,6 @@ int main (int argc, char **argv)
const char *tmptty;
const char *cp;
const char *tmp;
- unsigned int delay;
unsigned int retries;
unsigned int timeout;
struct passwd *pwd = NULL;
@@ -500,6 +499,7 @@ int main (int argc, char **argv)
char *pam_user = NULL;
pid_t child;
#else
+ unsigned int delay;
bool is_console;
struct spwd *spwd = NULL;
# if defined(ENABLE_LASTLOG)
@@ -669,7 +669,6 @@ int main (int argc, char **argv)
}
environ = newenvp; /* make new environment active */
- delay = getdef_unum ("FAIL_DELAY", 1);
retries = getdef_unum ("LOGIN_RETRIES", RETRIES);
#ifdef USE_PAM
@@ -685,8 +684,7 @@ int main (int argc, char **argv)
/*
* hostname & tty are either set to NULL or their correct values,
- * depending on how much we know. We also set PAM's fail delay to
- * ours.
+ * depending on how much we know.
*
* PAM_RHOST and PAM_TTY are used for authentication, only use
* information coming from login or from the caller (e.g. no utmp)
@@ -695,10 +693,6 @@ int main (int argc, char **argv)
PAM_FAIL_CHECK;
retcode = pam_set_item (pamh, PAM_TTY, tty);
PAM_FAIL_CHECK;
-#ifdef HAS_PAM_FAIL_DELAY
- retcode = pam_fail_delay (pamh, 1000000 * delay);
- PAM_FAIL_CHECK;
-#endif
/* if fflg, then the user has already been authenticated */
if (!fflg) {
char hostn[256];
@@ -736,12 +730,6 @@ int main (int argc, char **argv)
bool failed = false;
failcount++;
-#ifdef HAS_PAM_FAIL_DELAY
- if (delay > 0) {
- retcode = pam_fail_delay(pamh, 1000000*delay);
- PAM_FAIL_CHECK;
- }
-#endif
retcode = pam_authenticate (pamh, 0);
@@ -1032,14 +1020,17 @@ int main (int argc, char **argv)
free (username);
username = NULL;
+#ifndef USE_PAM
/*
* Wait a while (a la SVR4 /usr/bin/login) before attempting
* to login the user again. If the earlier alarm occurs
* before the sleep() below completes, login will exit.
*/
+ delay = getdef_unum ("FAIL_DELAY", 1);
if (delay > 0) {
(void) sleep (delay);
}
+#endif
(void) puts (_("Login incorrect"));
|