Goal: Re-enable logging and displaying failures on login when login is compiled with PAM and when FAILLOG_ENAB is set to yes. And create the faillog file if it does not exist on postinst (as on Woody). Depends: 008_login_more_LOG_UNKFAIL_ENAB Fixes: #192849 Note: It could be removed if pam_tally could report the number of failures preceding a successful login.
--- a/src/login.c
+++ b/src/login.c
@@ -114,9 +114,9 @@
 #endif
 );
-#ifndef USE_PAM
 static struct faillog faillog;
+#ifndef USE_PAM
 static void bad_time_notify (void);
 static void check_nologin (bool login_to_root);
 #else
@@ -787,6 +787,9 @@
 SYSLOG ((LOG_NOTICE, "TOO MANY LOGIN TRIES (%u)%s FOR '%s'", failcount, fromhost, failent_user));
+ if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) {
+ failure (pwd->pw_uid, tty, &faillog);
+ }
 fprintf (stderr, _("Maximum number of tries exceeded (%u)\n"), failcount);
@@ -804,6 +807,14 @@
 pam_strerror (pamh, retcode)));
 failed = true;
 }
+ if ( (NULL != pwd)
+ && getdef_bool("FAILLOG_ENAB")
+ && ! failcheck (pwd->pw_uid, &faillog, failed)) {
+ SYSLOG((LOG_CRIT,
+ "exceeded failure limit for `%s' %s",
+ failent_user, fromhost));
+ failed = 1;
+ }
 if (!failed) {
 break;
@@ -827,6 +838,10 @@
 (void) puts ("");
 (void) puts (_("Login incorrect"));
+ if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) {
+ failure (pwd->pw_uid, tty, &faillog);
+ }
+
 if (getdef_str("FTMP_FILE") != NULL) {
 #ifdef USE_UTMPX
 struct utmpx *failent =
@@ -1295,6 +1310,7 @@
 */
 #ifndef USE_PAM
 motd (); /* print the message of the day */
+#endif
 if ( getdef_bool ("FAILLOG_ENAB") && (0 != faillog.fail_cnt)) {
 failprint (&faillog);
@@ -1307,6 +1323,7 @@
 username, (int) faillog.fail_cnt));
 }
 }
+#ifndef USE_PAM
 if ( getdef_bool ("LASTLOG_ENAB") && pwd->pw_uid <= (uid_t) getdef_ulong ("LASTLOG_UID_MAX", 0xFFFFFFFFUL) && (ll.ll_time != 0)) {
--- a/lib/getdef.c
+++ b/lib/getdef.c
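Review bot: The `NULL != pwd` guard added before `failure (pwd->pw_uid, tty, &faillog);` in the `@@ -787,6 +787,9 @@` hunk, and repeated in the `+807` and `+838` hunks, silently skips both the failure record and the `failcheck` limit test whenever `pwd` is unset. None of these hunks shows `pwd` being looked up for the user PAM has just evaluated. If `pwd` is only filled in after the authentication loop, or still describes an earlier name after PAM changed the user, failures would go uncounted or be charged to the wrong uid, so this needs confirming against the code outside the hunk. I would state the precondition above the first guard, for example `/* pwd must describe failent_user here; unknown users are deliberately not recorded */`. The enclosing loop starts and ends outside the hunk.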
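Review bot: `failed = 1;` in the block added by the `@@ -804,6 +807,14 @@` hunk assigns an integer, while the context line just above it uses `failed = true;`; write `failed = true;` to match. The `failcheck` call runs after PAM's result has already been handled, so a login that PAM accepted can still be refused here, and from the visible lines it then appears to follow the ordinary failure path. A one-line comment such as `/* refuse even a PAM-accepted login once the faillog limit is exceeded */` would make that intent explicit. The surrounding loop body continues outside the hunk.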
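Review bot: The `#endif` added in the `@@ -1295,6 +1310,7 @@` hunk and the `#ifndef USE_PAM` re-opened in the `@@ -1307,6 +1323,7 @@` hunk split one conditional region into two without labels; `#endif /* !USE_PAM */` on the added line would show which block it closes. With this change the failure report reads `faillog.fail_cnt` in PAM builds as well, and the only place these hunks fill `faillog` is the `failcheck` call guarded by `NULL != pwd`. A short comment above the `if` saying that the count stays 0, and nothing is printed, when that check was skipped would save the next reader from tracing it. Both hunks cut through a block that starts and ends outside them.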
@@ -78,6 +78,7 @@
 {"ENV_SUPATH", NULL},
 {"ERASECHAR", NULL},
 {"FAIL_DELAY", NULL},
+ {"FAILLOG_ENAB", NULL},
 {"FAKE_SHELL", NULL},
 {"FTMP_FILE", NULL},
 {"GID_MAX", NULL},