Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-12-25 19:19:27 -05:00
Code Issues Packages Projects Releases Wiki Activity

port from pam_tally2 to pam_faillock

Browse Source 
since pam_tally2 was deprecated upstream
This commit is contained in:
Patrick Schleizer 2021-08-10 15:11:01 -04:00
parent 2aea74bd71
commit 2bf0e7471c
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
5 changed files with 21 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@ -282,7 +282,7 @@ See:
## Brute force attack protection ## Brute force attack protection
User accounts are locked after 50 failed login attempts using `pam_tally2`. User accounts are locked after 50 failed login attempts using `pam_faillock`.
Informational output during Linux PAM: Informational output during Linux PAM:
@ -294,7 +294,7 @@ Informational output during Linux PAM:
See: See:
* `/usr/share/pam-configs/tally2-security-misc` * `/usr/share/pam-configs/tally2-security-misc`
* `/usr/libexec/security-misc/pam_tally2-info` * `/usr/libexec/security-misc/pam-info`
* `/usr/libexec/security-misc/pam-abort-on-locked-password` * `/usr/libexec/security-misc/pam-abort-on-locked-password`
## Access rights restrictions ## Access rights restrictions

2
usr/libexec/security-misc/pam-abort-on-locked-password
View File

@ -3,7 +3,7 @@
## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org> ## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions. ## See the file COPYING for copying conditions.
## This is only a usability feature to avoid needlessly bumping pam_tally2 ## This is only a usability feature to avoid needlessly bumping pam_faillock
## counter. This is not a security feature. ## counter. This is not a security feature.
## https://forums.whonix.org/t/restrict-root-access/7658/1 ## https://forums.whonix.org/t/restrict-root-access/7658/1

20
usr/libexec/security-misc/pam-info
View File

@ -43,11 +43,11 @@ fi
if [ ! "$(id -u)" = "0" ]; then if [ ! "$(id -u)" = "0" ]; then
## as user "user" ## as user "user"
## /sbin/pam_tally2 -u user ## /sbin/pam_faillock -u user
## pam_tally2: Error opening /var/log/tallylog for update: Permission denied ## pam_faillock: Error opening /var/log/tallylog for update: Permission denied
## /sbin/pam_tally2: Authentication error ## /sbin/pam_faillock: Authentication error
## ##
## xscreensaver runs as user "user", therefore pam_tally2 cannot function. ## xscreensaver runs as user "user", therefore pam_faillock cannot function.
## xscreensaver has its own failed login counter. ## xscreensaver has its own failed login counter.
## ##
## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts ## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts
@ -74,9 +74,9 @@ fi
# fi # fi
## Using || true to not break read-only disk boot without ro-mode-init or grub-live. ## Using || true to not break read-only disk boot without ro-mode-init or grub-live.
pam_tally2_output="$(pam_tally2 --user "$PAM_USER")" || true pam_faillock_output="$(pam_faillock --user "$PAM_USER")" || true
if [ "$pam_tally2_output" = "" ]; then if [ "$pam_faillock_output" = "" ]; then
true "$0: no failed login" true "$0: no failed login"
exit 0 exit 0
fi fi
@ -85,11 +85,11 @@ fi
#Login Failures Latest failure From #Login Failures Latest failure From
#user 0 #user 0
pam_tally2_output_last_line="$(echo "$pam_tally2_output" | tail -1)" pam_faillock_output_last_line="$(echo "$pam_faillock_output" | tail -1)"
## Example: ## Example:
#user 0 #user 0
arr=($pam_tally2_output_last_line) arr=($pam_faillock_output_last_line)
user_name="${arr[0]}" user_name="${arr[0]}"
failed_login_counter="${arr[1]}" failed_login_counter="${arr[1]}"
@ -107,7 +107,7 @@ fi
deny_line="$(cat /etc/pam.d/common-auth | grep deny=)" deny_line="$(cat /etc/pam.d/common-auth | grep deny=)"
## Example: ## Example:
#auth requisite pam_tally2.so even_deny_root deny=50 onerr=fail audit debug #auth requisite pam_faillock.so even_deny_root deny=50 onerr=fail audit debug
for word in $deny_line ; do for word in $deny_line ; do
if echo "$word" | grep -q "deny=" ; then if echo "$word" | grep -q "deny=" ; then
@ -130,7 +130,7 @@ if [ "$remaining_attempts" -le "0" ]; then
echo "$0: To unlock, run the following command as superuser:" >&2 echo "$0: To unlock, run the following command as superuser:" >&2
echo "$0: (If you still have a sudo/root shell somewhere.)" >&2 echo "$0: (If you still have a sudo/root shell somewhere.)" >&2
echo "" >&2 echo "" >&2
echo "pam_tally2 --quiet -r --user $PAM_USER" >&2 echo "pam_faillock --quiet -r --user $PAM_USER" >&2
echo "" >&2 echo "" >&2
echo "$0: However, most likely unlock procedure is required." >&2 echo "$0: However, most likely unlock procedure is required." >&2
echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2 echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2

8
usr/libexec/security-misc/pam_faillock_not_if_x
View File

@ -20,7 +20,7 @@ true "PAM_SERVICE: $PAM_SERVICE"
## http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html ## http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html
## - Failed dovecot logins should not result in account getting locked. ## - Failed dovecot logins should not result in account getting locked.
## - Failed SSH public key authentication attempts do not increase pam_tally2 ## - Failed SSH public key authentication attempts do not increase pam_faillock
## counter for some reason. ## counter for some reason.
## This list can later be extended as needed. ## This list can later be extended as needed.
pam_service_exclusion_list="dovecot" pam_service_exclusion_list="dovecot"
@ -28,15 +28,15 @@ pam_service_exclusion_list="dovecot"
for pam_service_exclusion_item in $pam_service_exclusion_list ; do for pam_service_exclusion_item in $pam_service_exclusion_list ; do
if [ "$PAM_SERVICE" = "$pam_service_exclusion_item" ]; then if [ "$PAM_SERVICE" = "$pam_service_exclusion_item" ]; then
## exit success so [success=1 default=ignore] will result in skipping the ## exit success so [success=1 default=ignore] will result in skipping the
## next PAM module (the pam_tally2 module). ## next PAM module (the pam_faillock module).
exit 0 exit 0
fi fi
done done
## exit failure so [success=1 default=ignore] will result in running the ## exit failure so [success=1 default=ignore] will result in running the
## next PAM module (the pam_tally2 module). ## next PAM module (the pam_faillock module).
## ##
## Causes confusing error message: ## Causes confusing error message:
## pam_exec(sudo:auth): /usr/libexec/security-misc/pam_tally2_not_if_x failed: exit code 1 ## pam_exec(sudo:auth): /usr/libexec/security-misc/pam_faillock_not_if_x failed: exit code 1
## https://github.com/linux-pam/linux-pam/issues/329 ## https://github.com/linux-pam/linux-pam/issues/329
exit 1 exit 1

8
usr/share/pam-configs/faillock-security-misc
View File

@ -3,9 +3,9 @@ Default: yes
Priority: 290 Priority: 290
Auth-Type: Primary Auth-Type: Primary
Auth: Auth:
optional pam_exec.so debug stdout seteuid /usr/libexec/security-misc/pam_tally2-info optional pam_exec.so debug stdout seteuid /usr/libexec/security-misc/pam-info
[success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_tally2_not_if_x [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x
requisite pam_tally2.so even_deny_root deny=50 onerr=fail audit debug requisite pam_faillock.so even_deny_root deny=50 onerr=fail audit debug
Account-Type: Primary Account-Type: Primary
Account: Account:
requisite pam_tally2.so debug requisite pam_faillock.so debug