diff options
Diffstat (limited to '')
| -rw-r--r-- | modules/pam_faillock/faillock.c | 176 | ||||
| -rw-r--r-- | modules/pam_faillock/faillock.conf | 62 | ||||
| -rw-r--r-- | modules/pam_faillock/faillock.conf.5 | 171 | ||||
| -rw-r--r-- | modules/pam_faillock/faillock.conf.5.xml | 253 |
4 files changed, 662 insertions, 0 deletions
diff --git a/modules/pam_faillock/faillock.c b/modules/pam_faillock/faillock.c new file mode 100644 index 0000000..091f253 --- /dev/null +++ b/modules/pam_faillock/faillock.c @@ -0,0 +1,176 @@ +/* + * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com> + * Copyright (c) 2010, 2016, 2017 Red Hat, Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "config.h" +#include <string.h> +#include <stdlib.h> +#include <unistd.h> +#include <errno.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <sys/file.h> +#include <sys/stat.h> +#include <fcntl.h> +#include <security/pam_modutil.h> + +#include "faillock.h" + +#define ignore_return(x) if (1==((int)x)) {;} + +int +open_tally (const char *dir, const char *user, uid_t uid, int create) +{ + char *path; + int flags = O_RDWR; + int fd; + + if (dir == NULL || strstr(user, "../") != NULL) + /* just a defensive programming as the user must be a + * valid user on the system anyway + */ + return -1; + path = malloc(strlen(dir) + strlen(user) + 2); + if (path == NULL) + return -1; + + strcpy(path, dir); + if (*dir && dir[strlen(dir) - 1] != '/') { + strcat(path, "/"); + } + strcat(path, user); + + if (create) { + flags |= O_CREAT; + if (access(dir, F_OK) != 0) { + mkdir(dir, 0755); + } + } + + fd = open(path, flags, 0660); + + free(path); + + if (fd != -1) { + struct stat st; + + while (flock(fd, LOCK_EX) == -1 && errno == EINTR); + if (fstat(fd, &st) == 0) { + if (st.st_uid != uid) { + ignore_return(fchown(fd, uid, -1)); + } + + /* + * If umask is set to 022, as will probably in most systems, then the + * group will not be able to write to the file. So, change the file + * permissions just in case. + * Note: owners of this file are user:root, so if the permissions are + * not changed the root process writing to this file will require + * CAP_DAC_OVERRIDE. + */ + if (!(st.st_mode & S_IWGRP)) { + ignore_return(fchmod(fd, 0660)); + } + } + } + + return fd; +} + +#define CHUNK_SIZE (64 * sizeof(struct tally)) +#define MAX_RECORDS 1024 + +int +read_tally(int fd, struct tally_data *tallies) +{ + void *data = NULL, *newdata; + unsigned int count = 0; + ssize_t chunk = 0; + + do { + newdata = realloc(data, count * sizeof(struct tally) + CHUNK_SIZE); + if (newdata == NULL) { + free(data); + return -1; + } + + data = newdata; + + chunk = pam_modutil_read(fd, (char *)data + count * sizeof(struct tally), CHUNK_SIZE); + if (chunk < 0) { + free(data); + return -1; + } + + count += chunk/sizeof(struct tally); + + if (count >= MAX_RECORDS) + break; + } + while (chunk == CHUNK_SIZE); + + tallies->records = data; + tallies->count = count; + + return 0; +} + +int +update_tally(int fd, struct tally_data *tallies) +{ + void *data = tallies->records; + unsigned int count = tallies->count; + ssize_t chunk; + + if (tallies->count > MAX_RECORDS) { + data = tallies->records + (count - MAX_RECORDS); + count = MAX_RECORDS; + } + + if (lseek(fd, 0, SEEK_SET) == (off_t)-1) { + return -1; + } + + chunk = pam_modutil_write(fd, data, count * sizeof(struct tally)); + + if (chunk != (ssize_t)(count * sizeof(struct tally))) { + return -1; + } + + if (ftruncate(fd, count * sizeof(struct tally)) == -1) + return -1; + + return 0; +} diff --git a/modules/pam_faillock/faillock.conf b/modules/pam_faillock/faillock.conf new file mode 100644 index 0000000..16d93df --- /dev/null +++ b/modules/pam_faillock/faillock.conf @@ -0,0 +1,62 @@ +# Configuration for locking the user after multiple failed +# authentication attempts. +# +# The directory where the user files with the failure records are kept. +# The default is /var/run/faillock. +# dir = /var/run/faillock +# +# Will log the user name into the system log if the user is not found. +# Enabled if option is present. +# audit +# +# Don't print informative messages. +# Enabled if option is present. +# silent +# +# Don't log informative messages via syslog. +# Enabled if option is present. +# no_log_info +# +# Only track failed user authentications attempts for local users +# in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users. +# The `faillock` command will also no longer track user failed +# authentication attempts. Enabling this option will prevent a +# double-lockout scenario where a user is locked out locally and +# in the centralized mechanism. +# Enabled if option is present. +# local_users_only +# +# Deny access if the number of consecutive authentication failures +# for this user during the recent interval exceeds n tries. +# The default is 3. +# deny = 3 +# +# The length of the interval during which the consecutive +# authentication failures must happen for the user account +# lock out is <replaceable>n</replaceable> seconds. +# The default is 900 (15 minutes). +# fail_interval = 900 +# +# The access will be re-enabled after n seconds after the lock out. +# The value 0 has the same meaning as value `never` - the access +# will not be re-enabled without resetting the faillock +# entries by the `faillock` command. +# The default is 600 (10 minutes). +# unlock_time = 600 +# +# Root account can become locked as well as regular accounts. +# Enabled if option is present. +# even_deny_root +# +# This option implies the `even_deny_root` option. +# Allow access after n seconds to root account after the +# account is locked. In case the option is not specified +# the value is the same as of the `unlock_time` option. +# root_unlock_time = 900 +# +# If a group name is specified with this option, members +# of the group will be handled by this module the same as +# the root account (the options `even_deny_root>` and +# `root_unlock_time` will apply to them. +# By default, the option is not set. +# admin_group = <admin_group_name> diff --git a/modules/pam_faillock/faillock.conf.5 b/modules/pam_faillock/faillock.conf.5 new file mode 100644 index 0000000..7b4ddb5 --- /dev/null +++ b/modules/pam_faillock/faillock.conf.5 @@ -0,0 +1,171 @@ +'\" t +.\" Title: faillock.conf +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "FAILLOCK\&.CONF" "5" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +faillock.conf \- pam_faillock configuration file +.SH "DESCRIPTION" +.PP +\fBfaillock\&.conf\fR +provides a way to configure the default settings for locking the user after multiple failed authentication attempts\&. This file is read by the +\fIpam_faillock\fR +module and is the preferred method over configuring +\fIpam_faillock\fR +directly\&. +.PP +The file has a very simple +\fIname = value\fR +format with possible comments starting with +\fI#\fR +character\&. The whitespace at the beginning of line, end of line, and around the +\fI=\fR +sign is ignored\&. +.SH "OPTIONS" +.PP +\fBdir=\fR\fB\fI/path/to/tally\-directory\fR\fR +.RS 4 +The directory where the user files with the failure records are kept\&. The default is +/var/run/faillock\&. +.RE +.PP +\fBaudit\fR +.RS 4 +Will log the user name into the system log if the user is not found\&. +.RE +.PP +\fBsilent\fR +.RS 4 +Don\*(Aqt print informative messages to the user\&. Please note that when this option is not used there will be difference in the authentication behavior for users which exist on the system and non\-existing users\&. +.RE +.PP +\fBno_log_info\fR +.RS 4 +Don\*(Aqt log informative messages via +\fBsyslog\fR(3)\&. +.RE +.PP +\fBlocal_users_only\fR +.RS 4 +Only track failed user authentications attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc\&.) users\&. The +\fBfaillock\fR(8) +command will also no longer track user failed authentication attempts\&. Enabling this option will prevent a double\-lockout scenario where a user is locked out locally and in the centralized mechanism\&. +.RE +.PP +\fBnodelay\fR +.RS 4 +Don\*(Aqt enforce a delay after authentication failures\&. +.RE +.PP +\fBdeny=\fR\fB\fIn\fR\fR +.RS 4 +Deny access if the number of consecutive authentication failures for this user during the recent interval exceeds +\fIn\fR\&. The default is 3\&. +.RE +.PP +\fBfail_interval=\fR\fB\fIn\fR\fR +.RS 4 +The length of the interval during which the consecutive authentication failures must happen for the user account lock out is +\fIn\fR +seconds\&. The default is 900 (15 minutes)\&. +.RE +.PP +\fBunlock_time=\fR\fB\fIn\fR\fR +.RS 4 +The access will be re\-enabled after +\fIn\fR +seconds after the lock out\&. The value 0 has the same meaning as value +\fInever\fR +\- the access will not be re\-enabled without resetting the faillock entries by the +\fBfaillock\fR(8) +command\&. The default is 600 (10 minutes)\&. +.sp +Note that the default directory that +\fIpam_faillock\fR +uses is usually cleared on system boot so the access will be also re\-enabled after system reboot\&. If that is undesirable a different tally directory must be set with the +\fBdir\fR +option\&. +.sp +Also note that it is usually undesirable to permanently lock out users as they can become easily a target of denial of service attack unless the usernames are random and kept secret to potential attackers\&. +.RE +.PP +\fBeven_deny_root\fR +.RS 4 +Root account can become locked as well as regular accounts\&. +.RE +.PP +\fBroot_unlock_time=\fR\fB\fIn\fR\fR +.RS 4 +This option implies +\fBeven_deny_root\fR +option\&. Allow access after +\fIn\fR +seconds to root account after the account is locked\&. In case the option is not specified the value is the same as of the +\fBunlock_time\fR +option\&. +.RE +.PP +\fBadmin_group=\fR\fB\fIname\fR\fR +.RS 4 +If a group name is specified with this option, members of the group will be handled by this module the same as the root account (the options +\fBeven_deny_root\fR +and +\fBroot_unlock_time\fR +will apply to them\&. By default the option is not set\&. +.RE +.SH "EXAMPLES" +.PP +/etc/security/faillock\&.conf file example: +.sp +.if n \{\ +.RS 4 +.\} +.nf +deny=4 +unlock_time=1200 +silent + +.fi +.if n \{\ +.RE +.\} +.SH "FILES" +.PP +/etc/security/faillock\&.conf +.RS 4 +the config file for custom options +.RE +.SH "SEE ALSO" +.PP +\fBfaillock\fR(8), +\fBpam_faillock\fR(8), +\fBpam.conf\fR(5), +\fBpam.d\fR(5), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_faillock was written by Tomas Mraz\&. The support for faillock\&.conf was written by Brian Ward\&. diff --git a/modules/pam_faillock/faillock.conf.5.xml b/modules/pam_faillock/faillock.conf.5.xml new file mode 100644 index 0000000..04a8410 --- /dev/null +++ b/modules/pam_faillock/faillock.conf.5.xml @@ -0,0 +1,253 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="faillock.conf"> + + <refmeta> + <refentrytitle>faillock.conf</refentrytitle> + <manvolnum>5</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="faillock.conf-name"> + <refname>faillock.conf</refname> + <refpurpose>pam_faillock configuration file</refpurpose> + </refnamediv> + + <refsect1 id="faillock.conf-description"> + + <title>DESCRIPTION</title> + <para> + <emphasis remap='B'>faillock.conf</emphasis> provides a way to configure the + default settings for locking the user after multiple failed authentication attempts. + This file is read by the <emphasis>pam_faillock</emphasis> module and is the + preferred method over configuring <emphasis>pam_faillock</emphasis> directly. + </para> + <para> + The file has a very simple <emphasis>name = value</emphasis> format with possible comments + starting with <emphasis>#</emphasis> character. The whitespace at the beginning of line, end + of line, and around the <emphasis>=</emphasis> sign is ignored. + </para> + </refsect1> + + <refsect1 id="faillock.conf-options"> + + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + <option>dir=<replaceable>/path/to/tally-directory</replaceable></option> + </term> + <listitem> + <para> + The directory where the user files with the failure records are kept. The + default is <filename>/var/run/faillock</filename>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>audit</option> + </term> + <listitem> + <para> + Will log the user name into the system log if the user is not found. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>silent</option> + </term> + <listitem> + <para> + Don't print informative messages to the user. Please note that when + this option is not used there will be difference in the authentication + behavior for users which exist on the system and non-existing users. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>no_log_info</option> + </term> + <listitem> + <para> + Don't log informative messages via <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>local_users_only</option> + </term> + <listitem> + <para> + Only track failed user authentications attempts for local users + in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users. + The <citerefentry><refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum></citerefentry> + command will also no longer track user failed + authentication attempts. Enabling this option will prevent a + double-lockout scenario where a user is locked out locally and + in the centralized mechanism. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>nodelay</option> + </term> + <listitem> + <para> + Don't enforce a delay after authentication failures. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>deny=<replaceable>n</replaceable></option> + </term> + <listitem> + <para> + Deny access if the number of consecutive authentication failures + for this user during the recent interval exceeds + <replaceable>n</replaceable>. The default is 3. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>fail_interval=<replaceable>n</replaceable></option> + </term> + <listitem> + <para> + The length of the interval during which the consecutive + authentication failures must happen for the user account + lock out is <replaceable>n</replaceable> seconds. + The default is 900 (15 minutes). + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>unlock_time=<replaceable>n</replaceable></option> + </term> + <listitem> + <para> + The access will be re-enabled after + <replaceable>n</replaceable> seconds after the lock out. + The value 0 has the same meaning as value + <emphasis>never</emphasis> - the access + will not be re-enabled without resetting the faillock + entries by the <citerefentry><refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum></citerefentry> command. + The default is 600 (10 minutes). + </para> + <para> + Note that the default directory that <emphasis>pam_faillock</emphasis> + uses is usually cleared on system boot so the access will be also re-enabled + after system reboot. If that is undesirable a different tally directory + must be set with the <option>dir</option> option. + </para> + <para> + Also note that it is usually undesirable to permanently lock + out users as they can become easily a target of denial of service + attack unless the usernames are random and kept secret to potential + attackers. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>even_deny_root</option> + </term> + <listitem> + <para> + Root account can become locked as well as regular accounts. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>root_unlock_time=<replaceable>n</replaceable></option> + </term> + <listitem> + <para> + This option implies <option>even_deny_root</option> option. + Allow access after <replaceable>n</replaceable> seconds + to root account after the account is locked. In case the + option is not specified the value is the same as of the + <option>unlock_time</option> option. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>admin_group=<replaceable>name</replaceable></option> + </term> + <listitem> + <para> + If a group name is specified with this option, members + of the group will be handled by this module the same as + the root account (the options <option>even_deny_root</option> + and <option>root_unlock_time</option> will apply to them. + By default the option is not set. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='faillock.conf-examples'> + <title>EXAMPLES</title> + <para> + /etc/security/faillock.conf file example: + </para> + <programlisting> +deny=4 +unlock_time=1200 +silent + </programlisting> + </refsect1> + + <refsect1 id="faillock.conf-files"> + <title>FILES</title> + <variablelist> + <varlistentry> + <term><filename>/etc/security/faillock.conf</filename></term> + <listitem> + <para>the config file for custom options</para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='faillock.conf-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_faillock</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='faillock.conf-author'> + <title>AUTHOR</title> + <para> + pam_faillock was written by Tomas Mraz. The support for faillock.conf was written by Brian Ward. + </para> + </refsect1> + +</refentry> |