Package: shadow / 1:4.2-3+deb8u4

429_login_FAILLOG_ENAB Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
Goal: Re-enable logging and displaying failures on login when login is
      compiled with PAM and when FAILLOG_ENAB is set to yes. And create the
      faillog file if it does not exist on postinst (as on Woody).
Depends: 008_login_more_LOG_UNKFAIL_ENAB
Fixes: #192849

Note: It could be removed if pam_tally could report the number of failures
      preceding a successful login.

Index: git/src/login.c
===================================================================
--- git.orig/src/login.c
+++ git/src/login.c
@@ -131,9 +131,9 @@
                          const char *host,
                          /*@null@*/const struct utmp *utent);
 
-#ifndef USE_PAM
 static struct faillog faillog;
 
+#ifndef USE_PAM
 static void bad_time_notify (void);
 static void check_nologin (bool login_to_root);
 #else
@@ -791,6 +791,9 @@
 				SYSLOG ((LOG_NOTICE,
 				         "TOO MANY LOGIN TRIES (%u)%s FOR '%s'",
 				         failcount, fromhost, failent_user));
+				if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) {
+					failure (pwd->pw_uid, tty, &faillog);
+				}
 				fprintf (stderr,
 				         _("Maximum number of tries exceeded (%u)\n"),
 				         failcount);
@@ -808,6 +811,14 @@
 				         pam_strerror (pamh, retcode)));
 				failed = true;
 			}
+			if (   (NULL != pwd)
+			    && getdef_bool("FAILLOG_ENAB")
+			    && ! failcheck (pwd->pw_uid, &faillog, failed)) {
+				SYSLOG((LOG_CRIT,
+				        "exceeded failure limit for `%s' %s",
+				        failent_user, fromhost));
+				failed = 1;
+			}
 
 			if (!failed) {
 				break;
@@ -831,6 +842,10 @@
 			(void) puts ("");
 			(void) puts (_("Login incorrect"));
 
+			if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) {
+				failure (pwd->pw_uid, tty, &faillog);
+			}
+
 			if (getdef_str("FTMP_FILE") != NULL) {
 #ifdef USE_UTMPX
 				struct utmpx *failent =
@@ -1285,6 +1300,7 @@
 		 */
 #ifndef USE_PAM
 		motd ();	/* print the message of the day */
+#endif
 		if (   getdef_bool ("FAILLOG_ENAB")
 		    && (0 != faillog.fail_cnt)) {
 			failprint (&faillog);
@@ -1297,6 +1313,7 @@
 				         username, (int) faillog.fail_cnt));
 			}
 		}
+#ifndef USE_PAM
 		if (   getdef_bool ("LASTLOG_ENAB")
 		    && (ll.ll_time != 0)) {
 			time_t ll_time = ll.ll_time;
Index: git/lib/getdef.c
===================================================================
--- git.orig/lib/getdef.c
+++ git/lib/getdef.c
@@ -61,6 +61,7 @@
 	{"ENV_SUPATH", NULL},
 	{"ERASECHAR", NULL},
 	{"FAIL_DELAY", NULL},
+	{"FAILLOG_ENAB", NULL},
 	{"FAKE_SHELL", NULL},
 	{"FTMP_FILE", NULL},
 	{"GID_MAX", NULL},
@@ -109,7 +110,6 @@
 	{"ENV_HZ", NULL},
 	{"ENVIRON_FILE", NULL},
 	{"ENV_TZ", NULL},
-	{"FAILLOG_ENAB", NULL},
 	{"ISSUE_FILE", NULL},
 	{"LASTLOG_ENAB", NULL},
 	{"LOGIN_STRING", NULL},