From 17cfcb63b6358f51a65df9623bc23ddf869b06cc Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Fri, 16 Aug 2019 10:50:56 -0400
Subject: [PATCH] code simplification; report locked account earlier

---
 usr/lib/security-misc/pam_tally2-info | 58 +++++++++------------------
 1 file changed, 20 insertions(+), 38 deletions(-)

diff --git a/usr/lib/security-misc/pam_tally2-info b/usr/lib/security-misc/pam_tally2-info
index ca23a76..dd63119 100755
--- a/usr/lib/security-misc/pam_tally2-info
+++ b/usr/lib/security-misc/pam_tally2-info
@@ -1,6 +1,14 @@
 #!/bin/bash
 
-if [ ! -r /var/log/auth.log ]; then
+if [ "$(passwd -S "$PAM_USER" | cut -d ' ' -f 2)" = "P" ]; then
+ true "INFO: Password not locked."
+else
+ echo "$0: ERROR: Password for user \"$PAM_USER\" is locked." >&2
+ if [ "$PAM_USER" = "root" ]; then
+ echo "$0: ERROR: root account is locked by default. See:" >&2
+ echo "https://www.whonix.org/wiki/root" >&2
+ echo "" >&2
+ fi
 exit 0
 fi
 
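Review bot: The `else` branch of the new `passwd -S` check prints "Password for user ... is locked" for every status field other than `P`, which also covers `NP` (no password set), a nonexistent or unset `$PAM_USER`, and any failure of `passwd -S` itself (querying another account needs root, stderr is not redirected, and an empty result lands in the locked branch), so the diagnostic is misleading in exactly the cases where it matters. Presumably this runs as a pam_exec hook and the unconditional `exit 0` is deliberate so the hook never blocks authentication; keeping that, I would capture the status field once and dispatch on it, treating only the locked codes (`L` in shadow-utils, `LK` in some other implementations) as locked and reporting anything else as "could not determine". The rest of the script, including the tally check the commit moves this in front of, continues outside the hunk.
```shell
## Second field of `passwd -S`: P = usable password, L/LK = locked, NP = no password.
pw_status="$(passwd -S "$PAM_USER" 2>/dev/null | cut -d ' ' -f 2)"
case "$pw_status" in
   P)
      true "INFO: Password not locked."
      ;;
   L|LK)
      echo "$0: ERROR: Password for user \"$PAM_USER\" is locked." >&2
      ## … unchanged: root hint …
      exit 0
      ;;
   *)
      echo "$0: WARNING: Could not determine password status for user \"$PAM_USER\" (got \"$pw_status\")." >&2
      exit 0
      ;;
esac
```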
@@ -35,29 +43,16 @@ if [ "$failed_login_counter" = "0" ]; then
 exit 0
 fi
 
-temp="$(grep pam_tally2 /var/log/auth.log | grep ", deny" | tail -1)"
-last_line_of_user="$(echo "$temp" | grep "pam_tally2")"
-last_line_of_user="$(echo "$temp" | grep "): user $PAM_USER")"
-
-#last_line_of_user="$(grep pam_tally2 /var/log/auth.log | grep "): user $PAM_USER " | tail -1)"
+deny_line="$(cat /etc/pam.d/common-auth | grep deny=)"
 ## Example:
-#Aug 15 03:47:50 localhost sudo: pam_tally2(sudo:auth): user user (1000) tally 1, deny 10
+#auth requisite pam_tally2.so even_deny_root deny=100 onerr=fail audit debug
 
-temp="$(echo "$last_line_of_user" | sed 's/.*tally //')"
-temp="${temp/", deny"/""}"
 ## Example:
-#1 100
-
-arr=($temp)
-tally="${arr[0]}"
-deny="${arr[1]}"
-
-if [[ "$tally" == *[!0-9]* ]]; then
- echo "$0: ERROR: tally is not numeric." >&2
- echo "$0: ERROR: Please report this bug." >&2
- echo "" >&2
- exit 0
-fi
+for word in $deny_line ; do
+ if echo "$word" | grep -q "deny=" ; then
+ deny="$(echo "$word" | cut -d "=" -f 2)"
+ break
+ fi
+done
 
 if [[ "$deny" == *[!0-9]* ]]; then
 echo "$0: ERROR: deny is not numeric." >&2
@@ -66,23 +61,10 @@ if [[ "$deny" == *[!0-9]* ]]; then
 exit 0
 fi
 
-remaining_attempts="$(( $deny - $tally ))"
-
-## Thanks to:
-if [ "$(passwd -S "$PAM_USER" | cut -d ' ' -f 2)" = "P" ]; then
- true "INFO: Password not locked."
-else
- echo "$0: ERROR: Password for user \"$PAM_USER\" is locked." >&2
- if [ "$PAM_USER" = "root" ]; then
- echo "$0: ERROR: root account is locked by default. See:" >&2
- echo "https://www.whonix.org/wiki/root" >&2
- echo "" >&2
- fi
- exit 0
-fi
+remaining_attempts="$(( $deny - $failed_login_counter ))"
 
 if [ "$remaining_attempts" -le "0" ]; then
- echo "$0: ERROR: Login blocked after $tally attempts." >&2
+ echo "$0: ERROR: Login blocked after $failed_login_counter attempts." >&2
 echo "$0: To unlock, run the following command as superuser:" >&2
 echo "$0: (If you still have a sudo/root shell somewhere.)" >&2
 echo "" >&2
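Review bot: The new `deny_line` grep on `/etc/pam.d/common-auth` matches commented-out lines and any other module that takes a `deny=` option, and the `for word` loop then trusts the first `deny=` it sees, so a stale `#auth ... pam_tally2.so deny=3` or another module's setting can silently override the live value; when nothing matches at all `deny` stays empty, which the `*[!0-9]*` check on the last line does not catch and which turns the later `$(( $deny - $failed_login_counter ))` negative. I would restrict the lookup to active pam_tally2 lines, extract only the numeric value, and reject an empty result explicitly; this also drops the `cat | grep`. The path is Debian-specific and pam_tally2 may be configured in another file on other distributions, which the script does not handle either way.
```shell
## Only consider active (uncommented) pam_tally2 lines; take the first deny= value.
deny="$(grep -v '^[[:space:]]*#' /etc/pam.d/common-auth \
   | grep 'pam_tally2' \
   | grep -o 'deny=[0-9]*' \
   | head -n 1 \
   | cut -d '=' -f 2)"
## Example:
#auth requisite pam_tally2.so even_deny_root deny=100 onerr=fail audit debug

if [ -z "$deny" ] || [[ "$deny" == *[!0-9]* ]]; then
   echo "$0: ERROR: deny= option not found or not numeric." >&2
```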
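Review bot: `remaining_attempts="$(( $deny - $failed_login_counter ))"` accepts `deny=0`, which passes the numeric check above, yet pam_tally2 treats a zero `deny` as "never deny" (its default), so with that configuration the script prints "Login blocked after N attempts" and the unlock instructions for a user who is not blocked at all. A guard before the arithmetic avoids the false alarm: `if [ "$deny" = "0" ]; then true "INFO: deny=0, pam_tally2 never denies."; exit 0; fi`. It is also worth confirming the boundary, since `-le "0"` reports a block when the tally equals `deny` while the module documents denial once the tally exceeds it. `failed_login_counter` is computed before this hunk, so I cannot see here whether it is validated as numeric before being used inside `$(( ))`; the `if [ "$remaining_attempts" -le "0" ]` block continues past the hunk.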
@@ -96,7 +78,7 @@ if [ "$remaining_attempts" -le "0" ]; then
 exit 0
 fi
 
-echo "$0: WARNING: $tally failed login attempts." >&2
+echo "$0: WARNING: $failed_login_counter failed login attempts." >&2
 echo "$0: Login will be blocked after $deny attempts." >&2
 echo "$0: You have $remaining_attempts more attempts before unlock procedure is required." >&2
 echo "" >&2