[Pkg-shadow-commits] r319 - trunk/debian/patches
Nicolas FRANCOIS
pkg-shadow-devel@lists.alioth.debian.org
Wed, 29 Jun 2005 20:29:05 +0000
Author: nekral-guest
Date: 2005-06-29 20:29:04 +0000 (Wed, 29 Jun 2005)
New Revision: 319
Added:
trunk/debian/patches/433_login_more_LOG_UNKFAIL_ENAB
Removed:
trunk/debian/patches/008_login_more_LOG_UNKFAIL_ENAB
Modified:
trunk/debian/patches/series
Log:
This patch enforces the LOG_UNKFAIL_ENAB setting. It should be kept.
Deleted: trunk/debian/patches/008_login_more_LOG_UNKFAIL_ENAB
===================================================================
--- trunk/debian/patches/008_login_more_LOG_UNKFAIL_ENAB 2005-06-29 20:08:51 UTC (rev 318)
+++ trunk/debian/patches/008_login_more_LOG_UNKFAIL_ENAB 2005-06-29 20:29:04 UTC (rev 319)
@@ -1,141 +0,0 @@
-Goal: the username should be logged as UNKNOWN if LOG_UNKFAIL_ENAB is not set.
-
-Status wrt upstream: It should be applied upstream, or kept.
-
-Notes:
- * This patch also adds the following minor changes (which are not easy to
- extract from this patch):
- + TOO MANY LOGIN... logged if PAM_MAXTRIES or failcount >= retries.
- Upstream only test PAM_MAXTRIES.
- + Print to stderr (in addition to syslog) in case of maximum number of
- tries exceeded.
- + Always prints the number of tries in the syslog entry.
- + add special handling for PAM_ABORT
- * This patch also adds the following non-minor change:
- + add an entry to failog, as when USE_PAM is not defined. (#53164)
- * The patch changed pam_end to PAM_END. This is certainly a mistake.
- PAM_END is pam_close_seesion + pam_end. Here, the session is still not
- open, we don't have to close it.
- * a HAVE_PAM_FAIL_DELAY is missing
-
-Additional note:
- * There are direct call to syslog. These calls should be replaced by the
- indirect SYSLOG, which set the locale to C (this avoid having localized
- time). However, this change is not done in this patch, but a patch has
- been submitted upstream.
-
-
-Index: shadow-4.0.3/src/login.c
-===================================================================
---- shadow-4.0.3.orig/src/login.c 2005-05-29 00:06:16.954189000 +0200
-+++ shadow-4.0.3/src/login.c 2005-05-29 00:06:56.174189000 +0200
-@@ -775,49 +775,68 @@
- * MAX_LOGIN_TRIES?
- */
-
-- retcode = pam_authenticate (pamh, 0);
-- while ((failcount++ < retries) &&
-- ((retcode == PAM_AUTH_ERR) ||
-- (retcode == PAM_USER_UNKNOWN) ||
-- (retcode == PAM_CRED_INSUFFICIENT) ||
-- (retcode == PAM_AUTHINFO_UNAVAIL))) {
-- pam_get_item (pamh, PAM_USER,
-- (const void **) &pam_user);
-- syslog (LOG_NOTICE,
-- "FAILED LOGIN %d FROM %s FOR %s, %s",
-- failcount, hostname, pam_user,
-- pam_strerror (pamh, retcode));
--#ifdef HAVE_PAM_FAIL_DELAY
-- pam_fail_delay (pamh, 1000000 * delay);
--#endif
-- fprintf (stderr, "Login incorrect\n\n");
-- pam_set_item (pamh, PAM_USER, NULL);
-- retcode = pam_authenticate (pamh, 0);
-- }
--
-- if (retcode != PAM_SUCCESS) {
-- pam_get_item (pamh, PAM_USER,
-- (const void **) &pam_user);
--
-- if (retcode == PAM_MAXTRIES)
-- syslog (LOG_NOTICE,
-- "TOO MANY LOGIN TRIES (%d) FROM %s FOR %s, %s",
-- failcount, hostname,
-- pam_user,
-- pam_strerror (pamh,
-- retcode));
-- else
-- syslog (LOG_NOTICE,
-- "FAILED LOGIN SESSION FROM %s FOR %s, %s",
-- hostname, pam_user,
-- pam_strerror (pamh,
-- retcode));
--
-- fprintf (stderr, "\nLogin incorrect\n");
-- pam_end (pamh, retcode);
-- exit (0);
-+ failcount = 0;
-+ while (1) {
-+ const char *failent_user;
-+ failed = 0;
-+
-+ failcount++;
-+ if (delay > 0)
-+ retcode = pam_fail_delay(pamh, 1000000*delay);
-+
-+ retcode = pam_authenticate (pamh, 0);
-+
-+ pam_get_item (pamh, PAM_USER,
-+ (const void **) &pam_user);
-+
-+ if (pam_user && pam_user[0]) {
-+ pwd = getpwnam(pam_user);
-+ if (pwd) {
-+ pwent = *pwd;
-+ failent_user = pwent.pw_name;
-+ } else {
-+ if (getdef_bool("LOG_UNKFAIL_ENAB") && pam_user)
-+ failent_user = pam_user;
-+ else
-+ failent_user = "UNKNOWN";
-+ }
-+ } else {
-+ pwd = NULL;
-+ failent_user = "UNKNOWN";
-+ }
-+
-+ if (retcode == PAM_MAXTRIES || failcount >= retries) {
-+ syslog (LOG_NOTICE,
-+ "TOO MANY LOGIN TRIES (%d)%s FOR `%s'",
-+ failcount, fromhost, failent_user);
-+ fprintf(stderr,
-+ _("Maximum number of tries exceeded (%d)\n"),
-+ failcount);
-+ PAM_END;
-+ exit(0);
-+ } else if (retcode == PAM_ABORT) {
-+ /* Serious problems, quit now */
-+ fprintf(stderr,_("login: abort requested by PAM\n"));
-+ syslog(LOG_ERR,"PAM_ABORT returned from pam_authenticate()");
-+ PAM_END;
-+ exit(99);
-+ } else if (retcode != PAM_SUCCESS) {
-+ syslog(LOG_NOTICE,"FAILED LOGIN (%d)%s FOR `%s', %s",
-+ failcount, fromhost, failent_user,
-+ pam_strerror (pamh, retcode));
-+ failed = 1;
-+ }
-+
-+ if (!failed)
-+ break;
-+
-+ fprintf(stderr,"Login incorrect\n\n");
-+
-+ /* Let's give it another go around */
-+ pam_set_item(pamh,PAM_USER,NULL);
- }
-
-+ /* We don't get here unless they were authenticated above */
- retcode = pam_acct_mgmt (pamh, 0);
-
- if (retcode == PAM_NEW_AUTHTOK_REQD) {
Copied: trunk/debian/patches/433_login_more_LOG_UNKFAIL_ENAB (from rev 318, trunk/debian/patches/008_login_more_LOG_UNKFAIL_ENAB)
Modified: trunk/debian/patches/series
===================================================================
--- trunk/debian/patches/series 2005-06-29 20:08:51 UTC (rev 318)
+++ trunk/debian/patches/series 2005-06-29 20:29:04 UTC (rev 319)
@@ -34,7 +34,7 @@
428_grpck_add_prune_option
008_login_stop_checking_args_after--
349_login_opt-f_with_username_after--
-008_login_more_LOG_UNKFAIL_ENAB
+433_login_more_LOG_UNKFAIL_ENAB
008_login_log_failure_in_FTMP
429_login_FAILLOG_ENAB
432_login_cancel_timout_after_authentication