From 2bf0e7471cbd3b813ce385d994e43e48636f7a0b Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Tue, 10 Aug 2021 15:11:01 -0400
Subject: [PATCH] port from pam_tally2 to pam_faillock since pam_tally2 was deprecated upstream
---
 README.md | 4 ++--
 .../pam-abort-on-locked-password | 2 +-
 usr/libexec/security-misc/pam-info | 20 +++++++++----------
 .../security-misc/pam_faillock_not_if_x | 8 ++++----
 usr/share/pam-configs/faillock-security-misc | 8 ++++----
 5 files changed, 21 insertions(+), 21 deletions(-)

diff --git a/README.md b/README.md
index e716c44..d5c08f8 100644
--- a/README.md
+++ b/README.md
@@ -282,7 +282,7 @@ See:
 ## Brute force attack protection
-User accounts are locked after 50 failed login attempts using `pam_tally2`.
+User accounts are locked after 50 failed login attempts using `pam_faillock`.
 Informational output during Linux PAM:
@@ -294,7 +294,7 @@ Informational output during Linux PAM:
 See:
 * `/usr/share/pam-configs/tally2-security-misc`
-* `/usr/libexec/security-misc/pam_tally2-info`
+* `/usr/libexec/security-misc/pam-info`
 * `/usr/libexec/security-misc/pam-abort-on-locked-password`
 ## Access rights restrictions
diff --git a/usr/libexec/security-misc/pam-abort-on-locked-password b/usr/libexec/security-misc/pam-abort-on-locked-password
index 9f08e77..d8f1888 100755
--- a/usr/libexec/security-misc/pam-abort-on-locked-password
+++ b/usr/libexec/security-misc/pam-abort-on-locked-password
@@ -3,7 +3,7 @@
 ## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
-## This is only a usability feature to avoid needlessly bumping pam_tally2
+## This is only a usability feature to avoid needlessly bumping pam_faillock
 ## counter. This is not a security feature.
 ## https://forums.whonix.org/t/restrict-root-access/7658/1
diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info
index 75f65ad..2bb7461 100755
--- a/usr/libexec/security-misc/pam-info
+++ b/usr/libexec/security-misc/pam-info
@@ -43,11 +43,11 @@ fi
 if [ ! "$(id -u)" = "0" ]; then
 ## as user "user"
- ## /sbin/pam_tally2 -u user
- ## pam_tally2: Error opening /var/log/tallylog for update: Permission denied
- ## /sbin/pam_tally2: Authentication error
+ ## /sbin/pam_faillock -u user
+ ## pam_faillock: Error opening /var/log/tallylog for update: Permission denied
+ ## /sbin/pam_faillock: Authentication error
 ##
- ## xscreensaver runs as user "user", therefore pam_tally2 cannot function.
+ ## xscreensaver runs as user "user", therefore pam_faillock cannot function.
 ## xscreensaver has its own failed login counter.
 ##
 ## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts
@@ -74,9 +74,9 @@ fi
 # fi
 ## Using || true to not break read-only disk boot without ro-mode-init or grub-live.
-pam_tally2_output="$(pam_tally2 --user "$PAM_USER")" || true
+pam_faillock_output="$(pam_faillock --user "$PAM_USER")" || true
-if [ "$pam_tally2_output" = "" ]; then
+if [ "$pam_faillock_output" = "" ]; then
 true "$0: no failed login"
 exit 0
 fi
@@ -85,11 +85,11 @@ fi
 #Login Failures Latest failure From
 #user 0
-pam_tally2_output_last_line="$(echo "$pam_tally2_output" | tail -1)"
+pam_faillock_output_last_line="$(echo "$pam_faillock_output" | tail -1)"
 ## Example:
 #user 0
-arr=($pam_tally2_output_last_line)
+arr=($pam_faillock_output_last_line)
 user_name="${arr[0]}"
 failed_login_counter="${arr[1]}"
@@ -107,7 +107,7 @@ fi
 deny_line="$(cat /etc/pam.d/common-auth | grep deny=)"
 ## Example:
-#auth requisite pam_tally2.so even_deny_root deny=50 onerr=fail audit debug
+#auth requisite pam_faillock.so even_deny_root deny=50 onerr=fail audit debug
 for word in $deny_line ; do
 if echo "$word" | grep -q "deny=" ; then
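Review bot: `pam_faillock --user "$PAM_USER"` in the @@ -74 hunk invokes a program that, to my knowledge, does not exist — the command-line tool that ships with pam_faillock.so is `faillock` — and because that line ends in `|| true`, a command-not-found leaves `$pam_faillock_output` empty, so the script takes the "no failed login" exit 0 path for every user and the remaining-attempts warning is never shown. Even with the name fixed, `faillock --user` prints one row per failed attempt under a `When Type Source Valid` header rather than the `Login Failures Latest failure From` summary that the comments in @@ -85 still show, so `${arr[1]}` of the last line would no longer be the failure count; please check the real output and derive the count from the number of attempt rows instead. The @@ -43 comments were renamed mechanically as well: `pam_faillock: Error opening /var/log/tallylog` is pam_tally2's message, and faillock keeps its state under `/var/run/faillock`, so that example no longer documents anything that happens. The `deny=` lookup in @@ -107 keeps grepping `/etc/pam.d/common-auth`, which only holds as long as `deny=` stays on the module line rather than moving to `/etc/security/faillock.conf` as newer Linux-PAM releases allow.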
@@ -130,7 +130,7 @@ if [ "$remaining_attempts" -le "0" ]; then
 echo "$0: To unlock, run the following command as superuser:" >&2
 echo "$0: (If you still have a sudo/root shell somewhere.)" >&2
 echo "" >&2
- echo "pam_tally2 --quiet -r --user $PAM_USER" >&2
+ echo "pam_faillock --quiet -r --user $PAM_USER" >&2
 echo "" >&2
 echo "$0: However, most likely unlock procedure is required." >&2
 echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2
diff --git a/usr/libexec/security-misc/pam_faillock_not_if_x b/usr/libexec/security-misc/pam_faillock_not_if_x
index 8534f5a..4f18f03 100755
--- a/usr/libexec/security-misc/pam_faillock_not_if_x
+++ b/usr/libexec/security-misc/pam_faillock_not_if_x
@@ -20,7 +20,7 @@ true "PAM_SERVICE: $PAM_SERVICE"
 ## http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html
 ## - Failed dovecot logins should not result in account getting locked.
-## - Failed SSH public key authentication attempts do not increase pam_tally2
+## - Failed SSH public key authentication attempts do not increase pam_faillock
 ## counter for some reason.
 ## This list can later be extended as needed.
 pam_service_exclusion_list="dovecot"
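Review bot: The recovery hint echoed at @@ -130, `pam_faillock --quiet -r --user $PAM_USER`, keeps pam_tally2's option spelling; the faillock utility's reset switch is `--reset` and, as far as I know, it has neither `-r` nor `--quiet`, so the printed command fails at exactly the moment a locked-out user is following it from a rescue shell. I would print `echo "faillock --user $PAM_USER --reset" >&2` instead, and re-check the "boot into recovery mode and then run above command" sentence against that. The enclosing `if [ "$remaining_attempts" -le "0" ]` block starts and ends outside the hunk.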
@@ -28,15 +28,15 @@ pam_service_exclusion_list="dovecot"
 for pam_service_exclusion_item in $pam_service_exclusion_list ; do
 if [ "$PAM_SERVICE" = "$pam_service_exclusion_item" ]; then
 ## exit success so [success=1 default=ignore] will result in skipping the
- ## next PAM module (the pam_tally2 module).
+ ## next PAM module (the pam_faillock module).
 exit 0
 fi
 done
 ## exit failure so [success=1 default=ignore] will result in running the
-## next PAM module (the pam_tally2 module).
+## next PAM module (the pam_faillock module).
 ##
 ## Causes confusing error message:
-## pam_exec(sudo:auth): /usr/libexec/security-misc/pam_tally2_not_if_x failed: exit code 1
+## pam_exec(sudo:auth): /usr/libexec/security-misc/pam_faillock_not_if_x failed: exit code 1
 ## https://github.com/linux-pam/linux-pam/issues/329
 exit 1
diff --git a/usr/share/pam-configs/faillock-security-misc b/usr/share/pam-configs/faillock-security-misc
index 118db41..0f88f53 100644
--- a/usr/share/pam-configs/faillock-security-misc
+++ b/usr/share/pam-configs/faillock-security-misc
@@ -3,9 +3,9 @@ Default: yes
 Priority: 290
 Auth-Type: Primary
 Auth:
- optional pam_exec.so debug stdout seteuid /usr/libexec/security-misc/pam_tally2-info
- [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_tally2_not_if_x
- requisite pam_tally2.so even_deny_root deny=50 onerr=fail audit debug
+ optional pam_exec.so debug stdout seteuid /usr/libexec/security-misc/pam-info
+ [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x
+ requisite pam_faillock.so even_deny_root deny=50 onerr=fail audit debug
 Account-Type: Primary
 Account:
- requisite pam_tally2.so debug
+ requisite pam_faillock.so debug
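Review bot: The `requisite pam_faillock.so even_deny_root deny=50 onerr=fail audit debug` line in the Auth block of faillock-security-misc is a one-for-one rename of the pam_tally2 line, but pam_faillock.so is driven by an action argument — `preauth` placed before the password module, `authfail` after it, and `authsucc` (or the account-phase line) to clear the counter — and to my knowledge it does not accept `onerr=` or `debug`; without `preauth`/`authfail` the module may never record a failure, which would silently remove the 50-attempt lockout this profile exists for. The `[success=1 default=ignore]` exclusion via `pam_faillock_not_if_x` skips exactly one module, so if this becomes separate preauth and authfail lines the jump count (and possibly the profile's Priority relative to pam_unix) has to be revisited; I would start from `required pam_faillock.so preauth even_deny_root deny=50 audit` here and verify the full layout against pam_faillock(8) for the target Linux-PAM release, where the options may instead live in `/etc/security/faillock.conf`. The Account line `requisite pam_faillock.so debug` carries `debug` over the same way; the documented account-phase form is `required pam_faillock.so` with no options. Separately, the README in this commit still points at `/usr/share/pam-configs/tally2-security-misc` rather than this `faillock-security-misc` profile.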