Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00
Code Issues Packages Projects Releases Wiki Activity

skip counting failed login attempts from dovecot

Browse Source 
Failed dovecot logins should not result in account getting locked.

revert "use pam_tally2 only for login"
This commit is contained in:
Patrick Schleizer 2021-01-27 05:49:34 -05:00
parent 480f74cab6
commit 9622f28e25
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
2 changed files with 39 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
usr/lib/security-misc/pam_tally2_not_if_x Executable file
View File

@ -0,0 +1,38 @@
#!/bin/bash
## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files
set -x
true "PAM_SERVICE: $PAM_SERVICE"
## PAM configuration notes
##
## success=$num
## "will specify how many rules to skip when successful."
## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files
##
## ignore
## "when used with a stack of modules, the module's return status will not contribute to the return code the application obtains."
## http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html
## - Failed dovecot logins should not result in account getting locked.
## - Failed SSH public key authentication attempts do not increase pam_tally2
## counter for some reason.
## This list can later be extended as needed.
pam_service_exclusion_list="dovecot"
for pam_service_exclusion_item in $pam_service_exclusion_list ; do
if [ "$PAM_SERVICE" = "$pam_service_exclusion_item" ]; then
## exit success so [success=1 default=ignore] will result in skipping the
## next PAM module (the pam_tally2 module).
exit 0
fi
done
## exit failure so [success=1 default=ignore] will result in running the
## next PAM module (the pam_tally2 module).
exit 1

2
usr/share/pam-configs/tally2-security-misc
View File

@ -4,7 +4,7 @@ Priority: 290
Auth-Type: Primary Auth-Type: Primary
Auth: Auth:
optional pam_exec.so debug stdout seteuid /usr/lib/security-misc/pam_tally2-info optional pam_exec.so debug stdout seteuid /usr/lib/security-misc/pam_tally2-info
[success=1 default=ignore] pam_exec.so seteuid quiet /usr/lib/security-misc/pam_only_if_login [success=1 default=ignore] pam_exec.so seteuid quiet /usr/lib/security-misc/pam_tally2_not_if_x
requisite pam_tally2.so even_deny_root deny=50 onerr=fail audit debug requisite pam_tally2.so even_deny_root deny=50 onerr=fail audit debug
Account-Type: Primary Account-Type: Primary
Account: Account: