mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-25 10:59:22 -05:00
code simplification; report locked account earlier
This commit is contained in:
parent
5754671c46
commit
17cfcb63b6
@ -1,6 +1,14 @@
|
||||
#!/bin/bash
|
||||
|
||||
if [ ! -r /var/log/auth.log ]; then
|
||||
if [ "$(passwd -S "$PAM_USER" | cut -d ' ' -f 2)" = "P" ]; then
|
||||
true "INFO: Password not locked."
|
||||
else
|
||||
echo "$0: ERROR: Password for user \"$PAM_USER\" is locked." >&2
|
||||
if [ "$PAM_USER" = "root" ]; then
|
||||
echo "$0: ERROR: root account is locked by default. See:" >&2
|
||||
echo "https://www.whonix.org/wiki/root" >&2
|
||||
echo "" >&2
|
||||
fi
|
||||
exit 0
|
||||
fi
|
||||
|
||||
@ -35,29 +43,16 @@ if [ "$failed_login_counter" = "0" ]; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
temp="$(grep pam_tally2 /var/log/auth.log | grep ", deny" | tail -1)"
|
||||
last_line_of_user="$(echo "$temp" | grep "pam_tally2")"
|
||||
last_line_of_user="$(echo "$temp" | grep "): user $PAM_USER")"
|
||||
|
||||
#last_line_of_user="$(grep pam_tally2 /var/log/auth.log | grep "): user $PAM_USER " | tail -1)"
|
||||
deny_line="$(cat /etc/pam.d/common-auth | grep deny=)"
|
||||
## Example:
|
||||
#Aug 15 03:47:50 localhost sudo: pam_tally2(sudo:auth): user user (1000) tally 1, deny 10
|
||||
#auth requisite pam_tally2.so even_deny_root deny=100 onerr=fail audit debug
|
||||
|
||||
temp="$(echo "$last_line_of_user" | sed 's/.*tally //')"
|
||||
temp="${temp/", deny"/""}"
|
||||
## Example:
|
||||
#1 100
|
||||
|
||||
arr=($temp)
|
||||
tally="${arr[0]}"
|
||||
deny="${arr[1]}"
|
||||
|
||||
if [[ "$tally" == *[!0-9]* ]]; then
|
||||
echo "$0: ERROR: tally is not numeric." >&2
|
||||
echo "$0: ERROR: Please report this bug." >&2
|
||||
echo "" >&2
|
||||
exit 0
|
||||
fi
|
||||
for word in $deny_line ; do
|
||||
if echo "$word" | grep -q "deny=" ; then
|
||||
deny="$(echo "$word" | cut -d "=" -f 2)"
|
||||
break
|
||||
fi
|
||||
done
|
||||
|
||||
if [[ "$deny" == *[!0-9]* ]]; then
|
||||
echo "$0: ERROR: deny is not numeric." >&2
|
||||
@ -66,23 +61,10 @@ if [[ "$deny" == *[!0-9]* ]]; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
remaining_attempts="$(( $deny - $tally ))"
|
||||
|
||||
## Thanks to:
|
||||
if [ "$(passwd -S "$PAM_USER" | cut -d ' ' -f 2)" = "P" ]; then
|
||||
true "INFO: Password not locked."
|
||||
else
|
||||
echo "$0: ERROR: Password for user \"$PAM_USER\" is locked." >&2
|
||||
if [ "$PAM_USER" = "root" ]; then
|
||||
echo "$0: ERROR: root account is locked by default. See:" >&2
|
||||
echo "https://www.whonix.org/wiki/root" >&2
|
||||
echo "" >&2
|
||||
fi
|
||||
exit 0
|
||||
fi
|
||||
remaining_attempts="$(( $deny - $failed_login_counter ))"
|
||||
|
||||
if [ "$remaining_attempts" -le "0" ]; then
|
||||
echo "$0: ERROR: Login blocked after $tally attempts." >&2
|
||||
echo "$0: ERROR: Login blocked after $failed_login_counter attempts." >&2
|
||||
echo "$0: To unlock, run the following command as superuser:" >&2
|
||||
echo "$0: (If you still have a sudo/root shell somewhere.)" >&2
|
||||
echo "" >&2
|
||||
@ -96,7 +78,7 @@ if [ "$remaining_attempts" -le "0" ]; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
echo "$0: WARNING: $tally failed login attempts." >&2
|
||||
echo "$0: WARNING: $failed_login_counter failed login attempts." >&2
|
||||
echo "$0: Login will be blocked after $deny attempts." >&2
|
||||
echo "$0: You have $remaining_attempts more attempts before unlock procedure is required." >&2
|
||||
echo "" >&2
|
||||
|
Loading…
Reference in New Issue
Block a user