Pwauth Change Log
=================
+VERSION 2.3.10 - Oct 5, 2011
+ - Changed the serialized sleep code in snooze.c to use fcntl() locking
+ instead of flock() locking. Fcntl() locking is a POSIX standard and
+ is likely to work better on more systems, notably including Solaris
+ which doesn't seem to support flock() at all any more.
+ - Minor fixes to typos in various documentation.
+
VERSION 2.3.9 - May 2, 2011
- Add AUTHENTICATE_AIX option for authenticating via AIX's authentication
configuration system. Thanks to Hans Dieter Petersen of the University
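Review bot: the 2.3.10 entry for snooze.c describes the flock() to fcntl() switch but not the accompanying change of the lock file's open mode from O_RDONLY to O_RDWR, which is required because an fcntl() F_WRLCK on a descriptor opened read-only fails with EBADF; a clause such as "the lock file is now opened read-write, as fcntl() write locks require" would save a packager wondering why the open() call changed. The Solaris remark ("doesn't seem to support flock() at all any more") is hedged; if it was observed on a specific release, naming that release would make the entry more useful to anyone hitting the same problem.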
that root access isn't required, you should be able to use mod_auth_pam
instead of mod_auth_external and pwauth and get faster authentications.
- (6) Test the pwauth program. As root, you can just run the thing, type
+ (7) Test the pwauth program. As root, you can just run the thing, type
in a login (hit return) and a password (hit return), and then check
the exit code (in csh: "echo $status" in sh: "echo $?"). It should
be 0 for correct login/password pairs and 1 otherwise.
- (7) Install it in some sensible place (say, /usr/local/libexec/pwauth).
+ (8) Install it in some sensible place (say, /usr/local/libexec/pwauth).
Unless you are doing SHADOW_NONE, it should be suid-root, so that
it has the necessary access to read the shadow file. That is, the
file should be owned by root, and you should do "chmod u+s pwauth" on
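Review bot: steps (6) and (7) are renumbered to (7) and (8), but the new step that forces the renumbering is not in this hunk, so it must be inserted earlier in INSTALL; please check in the same commit that any prose that refers to these steps by number ("see step 7") was updated too, since stale cross-references are the usual casualty of a renumbering. The test step still says the exit code is "0 for correct login/password pairs and 1 otherwise"; if pwauth distinguishes other failure conditions by exit status, the renumbered step is the place to say so, because it is the only check the installer runs before making the binary setuid-root.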
*
* - AUTHENTICATE_AIX: AIX has it's own system for configuring authentication
* via various files in the /etc/security directory. This can be used to
- * configure special authenication parameters on a per-user basis including
+ * configure special authentication parameters on a per-user basis including
* things like authenticating via kerberos and ldap and such like. We can
* tie into this interface via the authenticate() system call. The module
- * to suppor this was contributed by a user and has not been tested by
+ * to support this was contributed by a user and has not been tested by
* the author.
*/
/* #define AUTHENTICATE_AIX /* AIX authenticate() function */
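Review bot: the first line of this comment block, "AIX has it's own system", still has "it's" for "its"; since this hunk already fixes "authenication" and "suppor" in the same block, that one should go in the same pass. The closing sentence ("has not been tested by the author") is a useful warning; consider adding that AUTHENTICATE_AIX is therefore left disabled by default, which the commented-out #define on the last line shows but the prose does not state.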
-/* There is also limited support for two failure logging systems (the database
- * that informs you that "there have been 3426 unsuccessful attempts to log
- * into your account since your last login" and which may disable accounts
- * with too many failed logins).
+/* There is also limited support for three failure logging systems (the
+ * database that informs you that "there have been 3426 unsuccessful attempts
+ * to log into your account since your last login" and which may disable
+ * accounts with too many failed logins).
*
* If a FAILLOG option is enabled, pwauth will increment the failure count
- * each time there is a failed attempt to login. Depending on the the
+ * each time there is a failed attempt to login. Depending on the
* configuration, it may also deny logins to users who have had too many
* bad login attempts.
*
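Review bot: the opening sentence now advertises three failure logging systems instead of two, but nothing in this hunk adds a third entry to the enumerated FAILLOG_* list that follows the comment; please confirm that the list below names exactly three options and that faillog.h agrees, because a count in prose that drifts from the list under it is exactly the kind of error a typo pass tends to introduce. The "the the" correction is fine.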
* in faillog.h.
*
* - FAILLOG_OPENBSD: OpenBSD has a faillog, although it does not disable
- * logins if any maximum exceeded. Failure counts are kept in
+ * logins if any maximum is exceeded. Failure counts are kept in
* /var/log/failedlogin. There is no system header file that defines the
* format of this file, however. Instead the definition for the file
* format is embedded in the "login" source code. Bad things will happen
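Review bot: the comment says the /var/log/failedlogin layout is copied from the OpenBSD "login" source with no system header to check it against, and then warns that "Bad things will happen" if the format changes; since there is no compile-time check possible, record in this comment which OpenBSD release's login source the structure was taken from, so that a future mismatch is diagnosable instead of a silently corrupt failure log. The "is exceeded" grammar fix is fine.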
* to change the uid list.
*/
-#define SERVER_UIDS 72 /* user "nobody" */
+#define SERVER_UIDS 30 /* user "wwwrun" on the author's system */
/* If MIN_UNIX_UID is defined to an integer, logins with uid numbers less than
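Review bot: replacing the default of 72 ("nobody") with 30 ("wwwrun on the author's system") ships a site-specific value in a security-critical setting: SERVER_UIDS is the uid list that gates which local account may invoke the setuid-root pwauth binary (the context line above tells the reader how "to change the uid list"), and uid 30 will map to some unrelated account on other systems, so an administrator who does not edit it grants pwauth access to whichever local user happens to hold that uid. Either keep a neutral default or make the comment on the #define line say explicitly that the value must be edited before installation, rather than describing the author's host.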
/* If IGNORE_CASE is defined, the login given is checked in two different
* ways. First without any changes and then with all letters converted to
* lower case. This is useful for users accustomed to the Windows environment.
+ * This ignores the case of the login name only, not the password.
*/
/* #define IGNORE_CASE /**/
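Review bot: the added sentence ("This ignores the case of the login name only, not the password") is a good clarification, but the preceding text ("checked in two different ways. First without any changes and then with all letters converted to lower case") still leaves open whether the lower-cased lookup runs only when the exact-case one fails. That matters on a system with two accounts differing only in case, where the fallback could authenticate a supplied login against the other account's password; please state the order and the stop condition in the comment.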
/* If DOMAIN_AWARE is enabled, then we we check login names to see if they
* contain a backslash, and discard anything up to and including the backslash.
- * This is for use in environments where there are windows users accustomed
+ * This is for use in environments where there are Windows users accustomed
* to login names formed like "domain\username".
*/
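Review bot: the first line of this block reads "we we check", which this hunk leaves in place while capitalizing "Windows" two lines below; fix the doubled word in the same pass. The phrase "discard anything up to and including the backslash" also does not say which backslash is meant when the login contains more than one, and since the remainder becomes the Unix login name that is looked up, the comment should be explicit, e.g. "up to and including the first backslash", and match what the code does.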
snooze(int seconds)
{
int slfd;
+ struct flock lock;
+ lock.l_type= F_WRLCK;
+ lock.l_whence= SEEK_SET;
+ lock.l_start= 0;
+ lock.l_len= 0;
/* Lock the sleep-lock file to serialize our sleeps */
- if ((slfd= open(SLEEP_LOCK,O_CREAT|O_RDONLY,0644)) >= 0)
- flock(slfd,LOCK_EX);
+
+ if ((slfd= open(SLEEP_LOCK,O_CREAT|O_RDWR,0644)) >= 0)
+ fcntl(slfd,F_SETLKW,&lock);
sleep(seconds);
/* Release sleep-lock file */
- /*flock(slfd,LOCK_UN);*/
+ /*lock.l_type= F_UNLCK; fcntl(slfd,F_SETLK,&lock);*/
close(slfd);
}
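Review bot: neither the open() nor the fcntl(F_SETLKW) return value is checked, so if the lock file cannot be opened (slfd == -1) or the lock cannot be taken (fcntl returns -1, for example on EINTR or a filesystem without record locks), snooze() falls through to sleep() unserialized and then calls close(-1), with no record of the failure; at minimum test the fcntl() result and report it the way the rest of pwauth logs errors, since a silently failing lock defeats the purpose of the serialized delay. The change from O_RDONLY to O_RDWR is correct and necessary (F_WRLCK on a read-only descriptor fails with EBADF) and deserves a one-line comment. The commented-out unlock is safe because fcntl() locks are released when the descriptor is closed, but say so in a comment rather than leaving dead code; note also that fcntl() locks are per-process and are dropped when any descriptor the process holds on that file is closed, unlike flock(), which is harmless for a short-lived pwauth but worth recording. Finally, because pwauth runs setuid-root, open(SLEEP_LOCK, O_CREAT|O_RDWR, 0644) is only safe if SLEEP_LOCK lives in a root-owned, non-world-writable directory; if it can ever sit somewhere like /tmp, add O_NOFOLLOW (or move it to a dedicated directory) so a symlink planted by another local user is not followed as root.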