mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-06-20 17:34:11 -04:00
41b2819ec8
to avoid needlessly bumping pam_tally2 counter https://forums.whonix.org/t/restrict-root-access/7658/1
79 lines
2.2 KiB
Bash
Executable file
79 lines
2.2 KiB
Bash
Executable file
#!/bin/bash
|
|
|
|
pam_tally2_output="$(pam_tally2 --user "$PAM_USER")"
|
|
|
|
if [ "$pam_tally2_output" = "" ]; then
|
|
true "$0: no failed login"
|
|
exit 0
|
|
fi
|
|
|
|
## Example:
|
|
#Login Failures Latest failure From
|
|
#user 0
|
|
|
|
pam_tally2_output_last_line="$(echo "$pam_tally2_output" | tail -1)"
|
|
## Example:
|
|
#user 0
|
|
|
|
arr=($pam_tally2_output_last_line)
|
|
user_name="${arr[0]}"
|
|
failed_login_counter="${arr[1]}"
|
|
|
|
if [ ! "$PAM_USER" = "$user_name" ]; then
|
|
echo "$0: ERROR: PAM_USER: $PAM_USER does not equal user_name: '$user_name'." >&2
|
|
echo "$0: ERROR: Please report this bug." >&2
|
|
echo "" >&2
|
|
exit 0
|
|
fi
|
|
|
|
if [ "$failed_login_counter" = "0" ]; then
|
|
true "$0: INFO: Failed login counter is 0, ok."
|
|
exit 0
|
|
fi
|
|
|
|
deny_line="$(cat /etc/pam.d/common-auth | grep deny=)"
|
|
## Example:
|
|
#auth requisite pam_tally2.so even_deny_root deny=100 onerr=fail audit debug
|
|
|
|
for word in $deny_line ; do
|
|
if echo "$word" | grep -q "deny=" ; then
|
|
deny="$(echo "$word" | cut -d "=" -f 2)"
|
|
break
|
|
fi
|
|
done
|
|
|
|
if [[ "$deny" == *[!0-9]* ]]; then
|
|
echo "$0: ERROR: deny is not numeric." >&2
|
|
echo "$0: ERROR: Please report this bug." >&2
|
|
echo "" >&2
|
|
exit 0
|
|
fi
|
|
|
|
remaining_attempts="$(( $deny - $failed_login_counter ))"
|
|
|
|
if [ "$remaining_attempts" -le "0" ]; then
|
|
echo "$0: ERROR: Login blocked after $failed_login_counter attempts." >&2
|
|
echo "$0: To unlock, run the following command as superuser:" >&2
|
|
echo "$0: (If you still have a sudo/root shell somewhere.)" >&2
|
|
echo "" >&2
|
|
echo "pam_tally2 --quiet -r --user $PAM_USER" >&2
|
|
echo "" >&2
|
|
echo "$0: However, most likely unlock procedure is required." >&2
|
|
echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2
|
|
echo "$0: See also:" >&2
|
|
echo "https://www.whonix.org/wiki/root#unlock" >&2
|
|
echo "" >&2
|
|
exit 0
|
|
fi
|
|
|
|
echo "$0: WARNING: $failed_login_counter failed login attempts." >&2
|
|
echo "$0: Login will be blocked after $deny attempts." >&2
|
|
echo "$0: You have $remaining_attempts more attempts before unlock procedure is required." >&2
|
|
echo "" >&2
|
|
|
|
if [ "$PAM_SERVICE" = "su" ]; then
|
|
echo "$0: NOTE: Type the password. When entering the password, no password feedback (no asterisk (\"*\") symbol) will be shown." >&2
|
|
echo "" >&2
|
|
fi
|
|
|
|
exit 0
|