[Pkg-shadow-commits] r851 - trunk/debian/patches
Christian Perrier
bubulle at costa.debian.org
Wed Feb 8 21:28:11 UTC 2006
Author: bubulle
Date: 2006-02-08 21:28:10 +0000 (Wed, 08 Feb 2006)
New Revision: 851
Added:
trunk/debian/patches/333_login_more_LOG_UNKFAIL_ENAB
Removed:
trunk/debian/patches/433_login_more_LOG_UNKFAIL_ENAB
Log:
Move to 3xx
Copied: trunk/debian/patches/333_login_more_LOG_UNKFAIL_ENAB (from rev 850, trunk/debian/patches/433_login_more_LOG_UNKFAIL_ENAB)
Deleted: trunk/debian/patches/433_login_more_LOG_UNKFAIL_ENAB
===================================================================
--- trunk/debian/patches/433_login_more_LOG_UNKFAIL_ENAB 2006-02-08 21:27:33 UTC (rev 850)
+++ trunk/debian/patches/433_login_more_LOG_UNKFAIL_ENAB 2006-02-08 21:28:10 UTC (rev 851)
@@ -1,163 +0,0 @@
-Goal: the username should be logged as UNKNOWN if LOG_UNKFAIL_ENAB is not set.
-
-Status wrt upstream: will be in 4.0.15
-
-Notes:
- * This patch also adds the following minor changes (which are not easy to
- extract from this patch):
- + TOO MANY LOGIN... logged if PAM_MAXTRIES or failcount >= retries.
- Upstream only test PAM_MAXTRIES.
- + Print to stderr (in addition to syslog) in case of maximum number of
- tries exceeded.
- + Always prints the number of tries in the syslog entry.
- + add special handling for PAM_ABORT
- * This patch also adds the following non-minor change:
- + add an entry to failog, as when USE_PAM is not defined. (#53164)
- * The patch changed pam_end to PAM_END. This is certainly a mistake.
- PAM_END is pam_close_seesion + pam_end. Here, the session is still not
- open, we don't have to close it.
- * a HAVE_PAM_FAIL_DELAY is missing
-
-Index: shadow-4.0.14/src/login.c
-===================================================================
---- shadow-4.0.14.orig/src/login.c 2006-01-03 08:25:01.557624818 +0100
-+++ shadow-4.0.14/src/login.c 2006-01-03 08:25:01.887557833 +0100
-@@ -629,68 +629,60 @@
- * pay attention to failure count and get rid of
- * MAX_LOGIN_TRIES?
- */
-- retcode = pam_authenticate (pamh, 0);
-- while ((failcount++ < retries) &&
-- ((retcode == PAM_AUTH_ERR) ||
-- (retcode == PAM_USER_UNKNOWN) ||
-- (retcode == PAM_CRED_INSUFFICIENT) ||
-- (retcode == PAM_AUTHINFO_UNAVAIL))) {
-- pam_get_item (pamh, PAM_USER,
-- (const void **) &pam_user);
-- SYSLOG ((LOG_NOTICE,
-- "FAILED LOGIN %d FROM %s FOR %s, %s",
-- failcount, hostname, pam_user,
-- pam_strerror (pamh, retcode)));
--#ifdef HAVE_PAM_FAIL_DELAY
-- pam_fail_delay (pamh, 1000000 * delay);
--#endif
--#ifdef WITH_AUDIT
-- {
-- struct passwd *pw;
-- char buf[64];
--
-- audit_fd = audit_open ();
-- pw = getpwnam (username);
-- if (pw) {
-- snprintf (buf, sizeof (buf),
-- "uid=%d", pw->pw_uid);
-- audit_log_user_message
-- (audit_fd, AUDIT_USER_LOGIN,
-- buf, hostname, NULL,
-- tty, 0);
-- } else {
-- snprintf (buf, sizeof (buf),
-- "acct=%s", username);
-- audit_log_user_message
-- (audit_fd, AUDIT_USER_LOGIN,
-- buf, hostname, NULL,
-- tty, 0);
-- }
-- close (audit_fd);
-- }
--#endif /* WITH_AUDIT */
--
-- fprintf (stderr, _("\nLogin incorrect\n"));
-- pam_set_item (pamh, PAM_USER, NULL);
-- retcode = pam_authenticate (pamh, 0);
-- }
--
-- if (retcode != PAM_SUCCESS) {
-- pam_get_item (pamh, PAM_USER,
-- (const void **) &pam_user);
--
-- if (retcode == PAM_MAXTRIES)
-- SYSLOG ((LOG_NOTICE,
-- "TOO MANY LOGIN TRIES (%d) FROM %s FOR %s, %s",
-- failcount, hostname,
-- pam_user,
-- pam_strerror (pamh, retcode)));
-- else
-- SYSLOG ((LOG_NOTICE,
-- "FAILED LOGIN SESSION FROM %s FOR %s, %s",
-- hostname, pam_user,
-- pam_strerror (pamh, retcode)));
-+ failcount = 0;
-+ while (1) {
-+ const char *failent_user;
-+ failed = 0;
-+
-+ failcount++;
-+ if (delay > 0)
-+ retcode = pam_fail_delay(pamh, 1000000*delay);
-+
-+ retcode = pam_authenticate (pamh, 0);
-+
-+ pam_get_item (pamh, PAM_USER,
-+ (const void **) &pam_user);
-+
-+ if (pam_user && pam_user[0]) {
-+ pwd = getpwnam(pam_user);
-+ if (pwd) {
-+ pwent = *pwd;
-+ failent_user = pwent.pw_name;
-+ } else {
-+ if (getdef_bool("LOG_UNKFAIL_ENAB") && pam_user)
-+ failent_user = pam_user;
-+ else
-+ failent_user = "UNKNOWN";
-+ }
-+ } else {
-+ pwd = NULL;
-+ failent_user = "UNKNOWN";
-+ }
-+
-+ if (retcode == PAM_MAXTRIES || failcount >= retries) {
-+ SYSLOG ((LOG_NOTICE,
-+ "TOO MANY LOGIN TRIES (%d)%s FOR `%s'",
-+ failcount, fromhost, failent_user));
-+ fprintf(stderr,
-+ _("Maximum number of tries exceeded (%d)\n"),
-+ failcount);
-+ PAM_END;
-+ exit(0);
-+ } else if (retcode == PAM_ABORT) {
-+ /* Serious problems, quit now */
-+ fprintf(stderr,_("login: abort requested by PAM\n"));
-+ SYSLOG ((LOG_ERR,"PAM_ABORT returned from pam_authenticate()"));
-+ PAM_END;
-+ exit(99);
-+ } else if (retcode != PAM_SUCCESS) {
-+ SYSLOG ((LOG_NOTICE,"FAILED LOGIN (%d)%s FOR `%s', %s",
-+ failcount, fromhost, failent_user,
-+ pam_strerror (pamh, retcode)));
-+ failed = 1;
-+ }
-
-+ if (!failed)
-+ break;
-
- #ifdef WITH_AUDIT
- {
-@@ -718,11 +710,13 @@
- }
- #endif /* WITH_AUDIT */
-
-- fprintf (stderr, "\nLogin incorrect\n");
-- pam_end (pamh, retcode);
-- exit (0);
-+ fprintf(stderr,"\nLogin incorrect\n");
-+
-+ /* Let's give it another go around */
-+ pam_set_item(pamh,PAM_USER,NULL);
- }
-
-+ /* We don't get here unless they were authenticated above */
- retcode = pam_acct_mgmt (pamh, 0);
-
- if (retcode == PAM_NEW_AUTHTOK_REQD) {