mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-25 06:59:25 -05:00
port from pam_tally2 to pam_faillock
since pam_tally2 was deprecated upstream
This commit is contained in:
parent
2aea74bd71
commit
2bf0e7471c
@ -282,7 +282,7 @@ See:
|
||||
|
||||
## Brute force attack protection
|
||||
|
||||
User accounts are locked after 50 failed login attempts using `pam_tally2`.
|
||||
User accounts are locked after 50 failed login attempts using `pam_faillock`.
|
||||
|
||||
Informational output during Linux PAM:
|
||||
|
||||
@ -294,7 +294,7 @@ Informational output during Linux PAM:
|
||||
See:
|
||||
|
||||
* `/usr/share/pam-configs/tally2-security-misc`
|
||||
* `/usr/libexec/security-misc/pam_tally2-info`
|
||||
* `/usr/libexec/security-misc/pam-info`
|
||||
* `/usr/libexec/security-misc/pam-abort-on-locked-password`
|
||||
|
||||
## Access rights restrictions
|
||||
|
@ -3,7 +3,7 @@
|
||||
## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## This is only a usability feature to avoid needlessly bumping pam_tally2
|
||||
## This is only a usability feature to avoid needlessly bumping pam_faillock
|
||||
## counter. This is not a security feature.
|
||||
## https://forums.whonix.org/t/restrict-root-access/7658/1
|
||||
|
||||
|
@ -43,11 +43,11 @@ fi
|
||||
|
||||
if [ ! "$(id -u)" = "0" ]; then
|
||||
## as user "user"
|
||||
## /sbin/pam_tally2 -u user
|
||||
## pam_tally2: Error opening /var/log/tallylog for update: Permission denied
|
||||
## /sbin/pam_tally2: Authentication error
|
||||
## /sbin/pam_faillock -u user
|
||||
## pam_faillock: Error opening /var/log/tallylog for update: Permission denied
|
||||
## /sbin/pam_faillock: Authentication error
|
||||
##
|
||||
## xscreensaver runs as user "user", therefore pam_tally2 cannot function.
|
||||
## xscreensaver runs as user "user", therefore pam_faillock cannot function.
|
||||
## xscreensaver has its own failed login counter.
|
||||
##
|
||||
## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts
|
||||
@ -74,9 +74,9 @@ fi
|
||||
# fi
|
||||
|
||||
## Using || true to not break read-only disk boot without ro-mode-init or grub-live.
|
||||
pam_tally2_output="$(pam_tally2 --user "$PAM_USER")" || true
|
||||
pam_faillock_output="$(pam_faillock --user "$PAM_USER")" || true
|
||||
|
||||
if [ "$pam_tally2_output" = "" ]; then
|
||||
if [ "$pam_faillock_output" = "" ]; then
|
||||
true "$0: no failed login"
|
||||
exit 0
|
||||
fi
|
||||
@ -85,11 +85,11 @@ fi
|
||||
#Login Failures Latest failure From
|
||||
#user 0
|
||||
|
||||
pam_tally2_output_last_line="$(echo "$pam_tally2_output" | tail -1)"
|
||||
pam_faillock_output_last_line="$(echo "$pam_faillock_output" | tail -1)"
|
||||
## Example:
|
||||
#user 0
|
||||
|
||||
arr=($pam_tally2_output_last_line)
|
||||
arr=($pam_faillock_output_last_line)
|
||||
user_name="${arr[0]}"
|
||||
failed_login_counter="${arr[1]}"
|
||||
|
||||
@ -107,7 +107,7 @@ fi
|
||||
|
||||
deny_line="$(cat /etc/pam.d/common-auth | grep deny=)"
|
||||
## Example:
|
||||
#auth requisite pam_tally2.so even_deny_root deny=50 onerr=fail audit debug
|
||||
#auth requisite pam_faillock.so even_deny_root deny=50 onerr=fail audit debug
|
||||
|
||||
for word in $deny_line ; do
|
||||
if echo "$word" | grep -q "deny=" ; then
|
||||
@ -130,7 +130,7 @@ if [ "$remaining_attempts" -le "0" ]; then
|
||||
echo "$0: To unlock, run the following command as superuser:" >&2
|
||||
echo "$0: (If you still have a sudo/root shell somewhere.)" >&2
|
||||
echo "" >&2
|
||||
echo "pam_tally2 --quiet -r --user $PAM_USER" >&2
|
||||
echo "pam_faillock --quiet -r --user $PAM_USER" >&2
|
||||
echo "" >&2
|
||||
echo "$0: However, most likely unlock procedure is required." >&2
|
||||
echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2
|
||||
|
@ -20,7 +20,7 @@ true "PAM_SERVICE: $PAM_SERVICE"
|
||||
## http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html
|
||||
|
||||
## - Failed dovecot logins should not result in account getting locked.
|
||||
## - Failed SSH public key authentication attempts do not increase pam_tally2
|
||||
## - Failed SSH public key authentication attempts do not increase pam_faillock
|
||||
## counter for some reason.
|
||||
## This list can later be extended as needed.
|
||||
pam_service_exclusion_list="dovecot"
|
||||
@ -28,15 +28,15 @@ pam_service_exclusion_list="dovecot"
|
||||
for pam_service_exclusion_item in $pam_service_exclusion_list ; do
|
||||
if [ "$PAM_SERVICE" = "$pam_service_exclusion_item" ]; then
|
||||
## exit success so [success=1 default=ignore] will result in skipping the
|
||||
## next PAM module (the pam_tally2 module).
|
||||
## next PAM module (the pam_faillock module).
|
||||
exit 0
|
||||
fi
|
||||
done
|
||||
|
||||
## exit failure so [success=1 default=ignore] will result in running the
|
||||
## next PAM module (the pam_tally2 module).
|
||||
## next PAM module (the pam_faillock module).
|
||||
##
|
||||
## Causes confusing error message:
|
||||
## pam_exec(sudo:auth): /usr/libexec/security-misc/pam_tally2_not_if_x failed: exit code 1
|
||||
## pam_exec(sudo:auth): /usr/libexec/security-misc/pam_faillock_not_if_x failed: exit code 1
|
||||
## https://github.com/linux-pam/linux-pam/issues/329
|
||||
exit 1
|
||||
|
@ -3,9 +3,9 @@ Default: yes
|
||||
Priority: 290
|
||||
Auth-Type: Primary
|
||||
Auth:
|
||||
optional pam_exec.so debug stdout seteuid /usr/libexec/security-misc/pam_tally2-info
|
||||
[success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_tally2_not_if_x
|
||||
requisite pam_tally2.so even_deny_root deny=50 onerr=fail audit debug
|
||||
optional pam_exec.so debug stdout seteuid /usr/libexec/security-misc/pam-info
|
||||
[success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x
|
||||
requisite pam_faillock.so even_deny_root deny=50 onerr=fail audit debug
|
||||
Account-Type: Primary
|
||||
Account:
|
||||
requisite pam_tally2.so debug
|
||||
requisite pam_faillock.so debug
|
||||
|
Loading…
Reference in New Issue
Block a user