#!/bin/bash

## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files

set -x

true "PAM_SERVICE: $PAM_SERVICE"

## PAM configuration notes
##
## success=$num
## "will specify how many rules to skip when successful."
## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files
##
## ignore
## "when used with a stack of modules, the module's return status will not contribute to the return code the application obtains."
## http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html

## - Failed dovecot ssh logins from malicious remotes should not result in account getting locked.
## This list can later be extended as needed.
pam_service_exclusion_list="dovecot sshd"

for pam_service_exclusion_item in $pam_service_exclusion_list ; do
   if [ "$PAM_SERVICE" = "$pam_service_exclusion_item" ]; then
      ## exit success so [success=1 default=ignore] will result in skipping the
      ## next PAM module (the pam_faillock module).
      exit 0
   fi
done

## exit failure so [success=1 default=ignore] will result in running the
## next PAM module (the pam_faillock module).
##
## Causes confusing error message:
## pam_exec(sudo:auth): /usr/libexec/security-misc/pam_faillock_not_if_x failed: exit code 1
## https://github.com/linux-pam/linux-pam/issues/329
exit 1