port from pam_tally2 to pam_faillock
since pam_tally2 was deprecated upstream
This commit is contained in:
parent
2aea74bd71
commit
2bf0e7471c
@ -282,7 +282,7 @@ See:
|
|||||||
|
|
||||||
## Brute force attack protection
|
## Brute force attack protection
|
||||||
|
|
||||||
User accounts are locked after 50 failed login attempts using `pam_tally2`.
|
User accounts are locked after 50 failed login attempts using `pam_faillock`.
|
||||||
|
|
||||||
Informational output during Linux PAM:
|
Informational output during Linux PAM:
|
||||||
|
|
||||||
@ -294,7 +294,7 @@ Informational output during Linux PAM:
|
|||||||
See:
|
See:
|
||||||
|
|
||||||
* `/usr/share/pam-configs/tally2-security-misc`
|
* `/usr/share/pam-configs/tally2-security-misc`
|
||||||
* `/usr/libexec/security-misc/pam_tally2-info`
|
* `/usr/libexec/security-misc/pam-info`
|
||||||
* `/usr/libexec/security-misc/pam-abort-on-locked-password`
|
* `/usr/libexec/security-misc/pam-abort-on-locked-password`
|
||||||
|
|
||||||
## Access rights restrictions
|
## Access rights restrictions
|
||||||
|
@ -3,7 +3,7 @@
|
|||||||
## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||||
## See the file COPYING for copying conditions.
|
## See the file COPYING for copying conditions.
|
||||||
|
|
||||||
## This is only a usability feature to avoid needlessly bumping pam_tally2
|
## This is only a usability feature to avoid needlessly bumping pam_faillock
|
||||||
## counter. This is not a security feature.
|
## counter. This is not a security feature.
|
||||||
## https://forums.whonix.org/t/restrict-root-access/7658/1
|
## https://forums.whonix.org/t/restrict-root-access/7658/1
|
||||||
|
|
||||||
|
@ -43,11 +43,11 @@ fi
|
|||||||
|
|
||||||
if [ ! "$(id -u)" = "0" ]; then
|
if [ ! "$(id -u)" = "0" ]; then
|
||||||
## as user "user"
|
## as user "user"
|
||||||
## /sbin/pam_tally2 -u user
|
## /sbin/pam_faillock -u user
|
||||||
## pam_tally2: Error opening /var/log/tallylog for update: Permission denied
|
## pam_faillock: Error opening /var/log/tallylog for update: Permission denied
|
||||||
## /sbin/pam_tally2: Authentication error
|
## /sbin/pam_faillock: Authentication error
|
||||||
##
|
##
|
||||||
## xscreensaver runs as user "user", therefore pam_tally2 cannot function.
|
## xscreensaver runs as user "user", therefore pam_faillock cannot function.
|
||||||
## xscreensaver has its own failed login counter.
|
## xscreensaver has its own failed login counter.
|
||||||
##
|
##
|
||||||
## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts
|
## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts
|
||||||
@ -74,9 +74,9 @@ fi
|
|||||||
# fi
|
# fi
|
||||||
|
|
||||||
## Using || true to not break read-only disk boot without ro-mode-init or grub-live.
|
## Using || true to not break read-only disk boot without ro-mode-init or grub-live.
|
||||||
pam_tally2_output="$(pam_tally2 --user "$PAM_USER")" || true
|
pam_faillock_output="$(pam_faillock --user "$PAM_USER")" || true
|
||||||
|
|
||||||
if [ "$pam_tally2_output" = "" ]; then
|
if [ "$pam_faillock_output" = "" ]; then
|
||||||
true "$0: no failed login"
|
true "$0: no failed login"
|
||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
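Review bot: The new line `pam_faillock_output="$(pam_faillock --user "$PAM_USER")" || true` most likely calls a binary that does not exist: as far as I know the userspace tool shipped with pam_faillock is `faillock(8)`, not `pam_faillock`, so the `|| true` swallows the failure, the output is empty, and the script exits 0 with "no failed login" for every user, including locked ones. The same renamed binary is echoed as the unlock hint in the @ -130 hunk (`pam_faillock --quiet -r --user $PAM_USER`), where I also believe faillock's syntax is `faillock --user NAME --reset` with no `--quiet`; please verify both against the faillock man page. Separately, the parsing in the @ -85 hunk (`tail -1`, `arr=(...)`, `user_name="${arr[0]}"`, `failed_login_counter="${arr[1]}"`) still assumes pam_tally2's single summary row `user N`; faillock prints a per-user header followed by one timestamped row per failure, so the last line carries no counter and `remaining_attempts` is derived from the wrong field. The script body continues outside the hunk.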
@ -85,11 +85,11 @@ fi
|
|||||||
#Login Failures Latest failure From
|
#Login Failures Latest failure From
|
||||||
#user 0
|
#user 0
|
||||||
|
|
||||||
pam_tally2_output_last_line="$(echo "$pam_tally2_output" | tail -1)"
|
pam_faillock_output_last_line="$(echo "$pam_faillock_output" | tail -1)"
|
||||||
## Example:
|
## Example:
|
||||||
#user 0
|
#user 0
|
||||||
|
|
||||||
arr=($pam_tally2_output_last_line)
|
arr=($pam_faillock_output_last_line)
|
||||||
user_name="${arr[0]}"
|
user_name="${arr[0]}"
|
||||||
failed_login_counter="${arr[1]}"
|
failed_login_counter="${arr[1]}"
|
||||||
|
|
||||||
@ -107,7 +107,7 @@ fi
|
|||||||
|
|
||||||
deny_line="$(cat /etc/pam.d/common-auth | grep deny=)"
|
deny_line="$(cat /etc/pam.d/common-auth | grep deny=)"
|
||||||
## Example:
|
## Example:
|
||||||
#auth requisite pam_tally2.so even_deny_root deny=50 onerr=fail audit debug
|
#auth requisite pam_faillock.so even_deny_root deny=50 onerr=fail audit debug
|
||||||
|
|
||||||
for word in $deny_line ; do
|
for word in $deny_line ; do
|
||||||
if echo "$word" | grep -q "deny=" ; then
|
if echo "$word" | grep -q "deny=" ; then
|
||||||
@ -130,7 +130,7 @@ if [ "$remaining_attempts" -le "0" ]; then
|
|||||||
echo "$0: To unlock, run the following command as superuser:" >&2
|
echo "$0: To unlock, run the following command as superuser:" >&2
|
||||||
echo "$0: (If you still have a sudo/root shell somewhere.)" >&2
|
echo "$0: (If you still have a sudo/root shell somewhere.)" >&2
|
||||||
echo "" >&2
|
echo "" >&2
|
||||||
echo "pam_tally2 --quiet -r --user $PAM_USER" >&2
|
echo "pam_faillock --quiet -r --user $PAM_USER" >&2
|
||||||
echo "" >&2
|
echo "" >&2
|
||||||
echo "$0: However, most likely unlock procedure is required." >&2
|
echo "$0: However, most likely unlock procedure is required." >&2
|
||||||
echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2
|
echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2
|
||||||
|
@ -20,7 +20,7 @@ true "PAM_SERVICE: $PAM_SERVICE"
|
|||||||
## http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html
|
## http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html
|
||||||
|
|
||||||
## - Failed dovecot logins should not result in account getting locked.
|
## - Failed dovecot logins should not result in account getting locked.
|
||||||
## - Failed SSH public key authentication attempts do not increase pam_tally2
|
## - Failed SSH public key authentication attempts do not increase pam_faillock
|
||||||
## counter for some reason.
|
## counter for some reason.
|
||||||
## This list can later be extended as needed.
|
## This list can later be extended as needed.
|
||||||
pam_service_exclusion_list="dovecot"
|
pam_service_exclusion_list="dovecot"
|
||||||
@ -28,15 +28,15 @@ pam_service_exclusion_list="dovecot"
|
|||||||
for pam_service_exclusion_item in $pam_service_exclusion_list ; do
|
for pam_service_exclusion_item in $pam_service_exclusion_list ; do
|
||||||
if [ "$PAM_SERVICE" = "$pam_service_exclusion_item" ]; then
|
if [ "$PAM_SERVICE" = "$pam_service_exclusion_item" ]; then
|
||||||
## exit success so [success=1 default=ignore] will result in skipping the
|
## exit success so [success=1 default=ignore] will result in skipping the
|
||||||
## next PAM module (the pam_tally2 module).
|
## next PAM module (the pam_faillock module).
|
||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
## exit failure so [success=1 default=ignore] will result in running the
|
## exit failure so [success=1 default=ignore] will result in running the
|
||||||
## next PAM module (the pam_tally2 module).
|
## next PAM module (the pam_faillock module).
|
||||||
##
|
##
|
||||||
## Causes confusing error message:
|
## Causes confusing error message:
|
||||||
## pam_exec(sudo:auth): /usr/libexec/security-misc/pam_tally2_not_if_x failed: exit code 1
|
## pam_exec(sudo:auth): /usr/libexec/security-misc/pam_faillock_not_if_x failed: exit code 1
|
||||||
## https://github.com/linux-pam/linux-pam/issues/329
|
## https://github.com/linux-pam/linux-pam/issues/329
|
||||||
exit 1
|
exit 1
|
||||||
|
@ -3,9 +3,9 @@ Default: yes
|
|||||||
Priority: 290
|
Priority: 290
|
||||||
Auth-Type: Primary
|
Auth-Type: Primary
|
||||||
Auth:
|
Auth:
|
||||||
optional pam_exec.so debug stdout seteuid /usr/libexec/security-misc/pam_tally2-info
|
optional pam_exec.so debug stdout seteuid /usr/libexec/security-misc/pam-info
|
||||||
[success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_tally2_not_if_x
|
[success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x
|
||||||
requisite pam_tally2.so even_deny_root deny=50 onerr=fail audit debug
|
requisite pam_faillock.so even_deny_root deny=50 onerr=fail audit debug
|
||||||
Account-Type: Primary
|
Account-Type: Primary
|
||||||
Account:
|
Account:
|
||||||
requisite pam_tally2.so debug
|
requisite pam_faillock.so debug
|
||||||
|
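Review bot: The single auth-stage line `requisite pam_faillock.so even_deny_root deny=50 onerr=fail audit debug` keeps pam_tally2's invocation shape, but pam_faillock is documented to be invoked twice in the auth stack, once with `preauth` before the authenticating module and once with `authfail` after it, so without an action keyword I would not expect failures to be counted or the lockout enforced; verify against pam_faillock(8) before relying on this profile, and note that with pam-auth-update the `authfail` line has to sort after pam_unix's auth line, which a single Priority value may not give you. `onerr=fail` (and, I believe, `debug`) are pam_tally2 options that pam_faillock does not document; PAM modules generally log and ignore unknown options, so the fail-closed behavior `onerr=fail` was meant to provide is silently dropped rather than rejected at load time. The `Account:` line `requisite pam_faillock.so debug` is the supported account-stage use and looks fine apart from the same unrecognised option.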