port from pam_tally2 to pam_faillock

since pam_tally2 was deprecated upstream
This commit is contained in:
Patrick Schleizer 2021-08-10 15:11:01 -04:00
parent 2aea74bd71
commit 2bf0e7471c
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
5 changed files with 21 additions and 21 deletions

View File

@ -282,7 +282,7 @@ See:
## Brute force attack protection
User accounts are locked after 50 failed login attempts using `pam_tally2`.
User accounts are locked after 50 failed login attempts using `pam_faillock`.
Informational output during Linux PAM:
@ -294,7 +294,7 @@ Informational output during Linux PAM:
See:
* `/usr/share/pam-configs/tally2-security-misc`
* `/usr/libexec/security-misc/pam_tally2-info`
* `/usr/libexec/security-misc/pam-info`
* `/usr/libexec/security-misc/pam-abort-on-locked-password`
## Access rights restrictions

View File

@ -3,7 +3,7 @@
## Copyright (C) 2019 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## This is only a usability feature to avoid needlessly bumping pam_tally2
## This is only a usability feature to avoid needlessly bumping pam_faillock
## counter. This is not a security feature.
## https://forums.whonix.org/t/restrict-root-access/7658/1

View File

@ -43,11 +43,11 @@ fi
if [ ! "$(id -u)" = "0" ]; then
## as user "user"
## /sbin/pam_tally2 -u user
## pam_tally2: Error opening /var/log/tallylog for update: Permission denied
## /sbin/pam_tally2: Authentication error
## /sbin/pam_faillock -u user
## pam_faillock: Error opening /var/log/tallylog for update: Permission denied
## /sbin/pam_faillock: Authentication error
##
## xscreensaver runs as user "user", therefore pam_tally2 cannot function.
## xscreensaver runs as user "user", therefore pam_faillock cannot function.
## xscreensaver has its own failed login counter.
##
## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts
@ -74,9 +74,9 @@ fi
# fi
## Using || true to not break read-only disk boot without ro-mode-init or grub-live.
pam_tally2_output="$(pam_tally2 --user "$PAM_USER")" || true
pam_faillock_output="$(pam_faillock --user "$PAM_USER")" || true
if [ "$pam_tally2_output" = "" ]; then
if [ "$pam_faillock_output" = "" ]; then
true "$0: no failed login"
exit 0
fi
@ -85,11 +85,11 @@ fi
#Login Failures Latest failure From
#user 0
pam_tally2_output_last_line="$(echo "$pam_tally2_output" | tail -1)"
pam_faillock_output_last_line="$(echo "$pam_faillock_output" | tail -1)"
## Example:
#user 0
arr=($pam_tally2_output_last_line)
arr=($pam_faillock_output_last_line)
user_name="${arr[0]}"
failed_login_counter="${arr[1]}"
@ -107,7 +107,7 @@ fi
deny_line="$(cat /etc/pam.d/common-auth | grep deny=)"
## Example:
#auth requisite pam_tally2.so even_deny_root deny=50 onerr=fail audit debug
#auth requisite pam_faillock.so even_deny_root deny=50 onerr=fail audit debug
for word in $deny_line ; do
if echo "$word" | grep -q "deny=" ; then
@ -130,7 +130,7 @@ if [ "$remaining_attempts" -le "0" ]; then
echo "$0: To unlock, run the following command as superuser:" >&2
echo "$0: (If you still have a sudo/root shell somewhere.)" >&2
echo "" >&2
echo "pam_tally2 --quiet -r --user $PAM_USER" >&2
echo "pam_faillock --quiet -r --user $PAM_USER" >&2
echo "" >&2
echo "$0: However, most likely unlock procedure is required." >&2
echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2

View File

@ -20,7 +20,7 @@ true "PAM_SERVICE: $PAM_SERVICE"
## http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html
## - Failed dovecot logins should not result in account getting locked.
## - Failed SSH public key authentication attempts do not increase pam_tally2
## - Failed SSH public key authentication attempts do not increase pam_faillock
## counter for some reason.
## This list can later be extended as needed.
pam_service_exclusion_list="dovecot"
@ -28,15 +28,15 @@ pam_service_exclusion_list="dovecot"
for pam_service_exclusion_item in $pam_service_exclusion_list ; do
if [ "$PAM_SERVICE" = "$pam_service_exclusion_item" ]; then
## exit success so [success=1 default=ignore] will result in skipping the
## next PAM module (the pam_tally2 module).
## next PAM module (the pam_faillock module).
exit 0
fi
done
## exit failure so [success=1 default=ignore] will result in running the
## next PAM module (the pam_tally2 module).
## next PAM module (the pam_faillock module).
##
## Causes confusing error message:
## pam_exec(sudo:auth): /usr/libexec/security-misc/pam_tally2_not_if_x failed: exit code 1
## pam_exec(sudo:auth): /usr/libexec/security-misc/pam_faillock_not_if_x failed: exit code 1
## https://github.com/linux-pam/linux-pam/issues/329
exit 1

View File

@ -3,9 +3,9 @@ Default: yes
Priority: 290
Auth-Type: Primary
Auth:
optional pam_exec.so debug stdout seteuid /usr/libexec/security-misc/pam_tally2-info
[success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_tally2_not_if_x
requisite pam_tally2.so even_deny_root deny=50 onerr=fail audit debug
optional pam_exec.so debug stdout seteuid /usr/libexec/security-misc/pam-info
[success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x
requisite pam_faillock.so even_deny_root deny=50 onerr=fail audit debug
Account-Type: Primary
Account:
requisite pam_tally2.so debug
requisite pam_faillock.so debug