#define OPT_AUDIT 0100
#define OPT_NOLOGNOTICE 0400
#define OPT_SERIALIZE 01000
+#define OPT_DEBUG 02000
#define MAX_LOCK_WAITING_TIME 10
else if ( ! strcmp( *argv, "serialize" ) ) {
opts->ctrl |= OPT_SERIALIZE;
}
+ else if ( ! strcmp( *argv, "debug" ) ) {
+ opts->ctrl |= OPT_DEBUG;
+ }
else if ( ! strcmp( *argv, "even_deny_root_account" ) ||
! strcmp( *argv, "even_deny_root" ) ) {
log_phase_no_auth(pamh, phase, *argv);
alarm(oldalarm);
}
- if (fileinfo.st_size < (off_t)(uid+1)*(off_t)sizeof(*tally)) {
- memset(tally, 0, sizeof(*tally));
- } else if (pam_modutil_read(*tfile, void_tally, sizeof(*tally)) != sizeof(*tally)) {
+ if (pam_modutil_read(*tfile, void_tally, sizeof(*tally)) != sizeof(*tally)) {
memset(tally, 0, sizeof(*tally));
- /* Shouldn't happen */
}
tally->fail_line[sizeof(tally->fail_line)-1] = '\0';
struct tallylog *tally)
{
int rv = PAM_SUCCESS;
+ int loglevel = LOG_DEBUG;
#ifdef HAVE_LIBAUDIT
char buf[64];
int audit_fd = -1;
+ const void *rhost = NULL, *tty = NULL;
#endif
if ((opts->ctrl & OPT_MAGIC_ROOT) && getuid() == 0) {
if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT ||
errno == EAFNOSUPPORT))
return PAM_SYSTEM_ERR;
+ (void)pam_get_item(pamh, PAM_TTY, &tty);
+ (void)pam_get_item(pamh, PAM_RHOST, &rhost);
#endif
if (opts->deny != 0 && /* deny==0 means no deny */
tally->fail_cnt > opts->deny && /* tally>deny means exceeded */
/* First say that max number was hit. */
snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
- NULL, NULL, NULL, 1);
+ rhost, NULL, tty, 1);
}
#endif
if (uid) {
#ifdef HAVE_LIBAUDIT
snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
- NULL, NULL, NULL, 1);
+ rhost, NULL, tty, 1);
#endif
rv = PAM_SUCCESS;
goto cleanup;
#ifdef HAVE_LIBAUDIT
snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
- NULL, NULL, NULL, 1);
+ rhost, NULL, tty, 1);
#endif
rv = PAM_SUCCESS;
goto cleanup;
if (tally->fail_cnt == opts->deny+1) {
/* First say that max number was hit. */
audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf,
- NULL, NULL, NULL, 1);
+ rhost, NULL, tty, 1);
}
#endif
pam_info(pamh, _("Account locked due to %u failed logins"),
(unsigned int)tally->fail_cnt);
}
- if (!(opts->ctrl & OPT_NOLOGNOTICE)) {
- pam_syslog(pamh, LOG_NOTICE,
- "user %s (%lu) tally %hu, deny %hu",
- user, (unsigned long)uid, tally->fail_cnt, opts->deny);
- }
+ loglevel = LOG_NOTICE;
rv = PAM_AUTH_ERR; /* Only unconditional failure */
goto cleanup;
}
}
cleanup:
+ if (!(opts->ctrl & OPT_NOLOGNOTICE) && (loglevel != LOG_DEBUG || opts->ctrl & OPT_DEBUG)) {
+ pam_syslog(pamh, loglevel,
+ "user %s (%lu) tally %hu, deny %hu",
+ user, (unsigned long)uid, tally->fail_cnt, opts->deny);
+ }
#ifdef HAVE_LIBAUDIT
if (audit_fd != -1) {
close(audit_fd);
int audit_fd = audit_open();
snprintf(buf, sizeof(buf), "pam_tally2 uid=%u reset=%hu", uid, cline_reset);
audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
- buf, NULL, NULL, NULL, 1);
+ buf, NULL, NULL, ttyname(STDIN_FILENO), 1);
if (audit_fd >=0)
close(audit_fd);
#endif
int audit_fd = audit_open();
snprintf(buf, sizeof(buf), "pam_tally2 uid=all reset=0");
audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
- buf, NULL, NULL, NULL, 1);
+ buf, NULL, NULL, ttyname(STDIN_FILENO), 1);
if (audit_fd >=0)
close(audit_fd);
#endif