code simplification; report locked account earlier

This commit is contained in:
Patrick Schleizer 2019-08-16 10:50:56 -04:00
parent 5754671c46
commit 17cfcb63b6
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48

View File

@ -1,6 +1,14 @@
#!/bin/bash
if [ ! -r /var/log/auth.log ]; then
if [ "$(passwd -S "$PAM_USER" | cut -d ' ' -f 2)" = "P" ]; then
true "INFO: Password not locked."
else
echo "$0: ERROR: Password for user \"$PAM_USER\" is locked." >&2
if [ "$PAM_USER" = "root" ]; then
echo "$0: ERROR: root account is locked by default. See:" >&2
echo "https://www.whonix.org/wiki/root" >&2
echo "" >&2
fi
exit 0
fi
@ -35,29 +43,16 @@ if [ "$failed_login_counter" = "0" ]; then
exit 0
fi
temp="$(grep pam_tally2 /var/log/auth.log | grep ", deny" | tail -1)"
last_line_of_user="$(echo "$temp" | grep "pam_tally2")"
last_line_of_user="$(echo "$temp" | grep "): user $PAM_USER")"
#last_line_of_user="$(grep pam_tally2 /var/log/auth.log | grep "): user $PAM_USER " | tail -1)"
deny_line="$(cat /etc/pam.d/common-auth | grep deny=)"
## Example:
#Aug 15 03:47:50 localhost sudo: pam_tally2(sudo:auth): user user (1000) tally 1, deny 10
#auth requisite pam_tally2.so even_deny_root deny=100 onerr=fail audit debug
temp="$(echo "$last_line_of_user" | sed 's/.*tally //')"
temp="${temp/", deny"/""}"
## Example:
#1 100
arr=($temp)
tally="${arr[0]}"
deny="${arr[1]}"
if [[ "$tally" == *[!0-9]* ]]; then
echo "$0: ERROR: tally is not numeric." >&2
echo "$0: ERROR: Please report this bug." >&2
echo "" >&2
exit 0
fi
for word in $deny_line ; do
if echo "$word" | grep -q "deny=" ; then
deny="$(echo "$word" | cut -d "=" -f 2)"
break
fi
done
if [[ "$deny" == *[!0-9]* ]]; then
echo "$0: ERROR: deny is not numeric." >&2
@ -66,23 +61,10 @@ if [[ "$deny" == *[!0-9]* ]]; then
exit 0
fi
remaining_attempts="$(( $deny - $tally ))"
## Thanks to:
if [ "$(passwd -S "$PAM_USER" | cut -d ' ' -f 2)" = "P" ]; then
true "INFO: Password not locked."
else
echo "$0: ERROR: Password for user \"$PAM_USER\" is locked." >&2
if [ "$PAM_USER" = "root" ]; then
echo "$0: ERROR: root account is locked by default. See:" >&2
echo "https://www.whonix.org/wiki/root" >&2
echo "" >&2
fi
exit 0
fi
remaining_attempts="$(( $deny - $failed_login_counter ))"
if [ "$remaining_attempts" -le "0" ]; then
echo "$0: ERROR: Login blocked after $tally attempts." >&2
echo "$0: ERROR: Login blocked after $failed_login_counter attempts." >&2
echo "$0: To unlock, run the following command as superuser:" >&2
echo "$0: (If you still have a sudo/root shell somewhere.)" >&2
echo "" >&2
@ -96,7 +78,7 @@ if [ "$remaining_attempts" -le "0" ]; then
exit 0
fi
echo "$0: WARNING: $tally failed login attempts." >&2
echo "$0: WARNING: $failed_login_counter failed login attempts." >&2
echo "$0: Login will be blocked after $deny attempts." >&2
echo "$0: You have $remaining_attempts more attempts before unlock procedure is required." >&2
echo "" >&2