#1 Add ability to read configuration from /etc/security/faillock.conf
Merged 4 years ago by tmraz. Opened 4 years ago by rga.
https://github.com/redhatrises/pam-redhat/ faillock-conf  into  master

Fix typos and update descriptions
Gabe • 4 years ago  
Add faillock.conf
Gabe • 4 years ago  
Adds the capability for pam_faillock to read from /etc/security/faillock.conf (#1537242)
Brian Ward • 4 years ago  
pam_faillock/Makefile.am
file modified
+4 -2
@@ -9,8 +9,8 @@

  

  EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_faillock

  

- man_MANS = pam_faillock.8 faillock.8

- XMLS = README.xml pam_faillock.8.xml faillock.8.xml

+ man_MANS = pam_faillock.8 faillock.8 faillock.conf.8

+ XMLS = README.xml pam_faillock.8.xml faillock.8.xml faillock.conf.8.xml

  

  TESTS = tst-pam_faillock
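Review bot: the new manual page is registered as faillock.conf.8, but a file-format page conventionally lives in section 5 (compare pam.conf(5) and pam.d(5), which this same series cites in SEE ALSO). Consider faillock.conf.5 / faillock.conf.5.xml here, and the matching manvolnum and citerefentry values in the XML, so that `man 5 faillock.conf` works the way users expect. Also note that TESTS is left at tst-pam_faillock, so nothing in this patch exercises the new parser.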

  
@@ -31,6 +31,8 @@

  faillock_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@

  faillock_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT)

  

+ secureconf_DATA = faillock.conf

+ 

  securelib_LTLIBRARIES = pam_faillock.la

  sbin_PROGRAMS = faillock
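Review bot: `secureconf_DATA = faillock.conf` only works if a `secureconfdir` variable is defined by the build system; it is not defined in this hunk, so confirm it exists and that it resolves to /etc/security, the directory hard-coded as FAILLOCK_DEFAULT_CONF in faillock.h. If the two ever disagree the module will look for the file somewhere other than where `make install` puts it.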

  

pam_faillock/faillock.conf
file added
+53
@@ -0,0 +1,53 @@

+ # Configuration for locking the user after multiple failed

+ # authentication attempts.

+ #

+ # The directory where the user files with the failure records are kept.

+ # The default is /var/run/faillock.

+ # dir = /var/run/faillock

+ #

+ # Will log the user name into the system log if the user is not found.

+ # Enabled if option is present.

+ # audit

+ #

+ # Don't print informative messages.

+ # Enabled if option is present.

+ # silent

+ #

+ # Don't log informative messages via syslog.

+ # Enabled if option is present.

+ # no_log_info

+ #

+ # Deny access if the number of consecutive authentication failures

+ # for this user during the recent interval exceeds n tries.

+ # The default is 3.

+ # deny = 3

+ #

+ # The length of the interval during which the consecutive

+ # authentication failures must happen for the user account

+ # lock out is <replaceable>n</replaceable> seconds.

+ # The default is 900 (15 minutes).

+ # fail_interval = 900

+ #

+ # The access will be reenabled after n seconds after the lock out.

+ # The value 0 has the same meaning as value `never` - the access

+ # will not be reenabled without resetting the faillock

+ # entries by the `faillock` command.

+ # The default is 600 (10 minutes).

+ # unlock_time = 600

+ #

+ # Root account can become locked as well as regular accounts.

+ # Enabled if option is present.

+ # even_deny_root

+ #

+ # This option implies the `even_deny_root` option.

+ # Allow access after n seconds to root account after the

+ # account is locked. In case the option is not specified

+ # the value is the same as of the `unlock_time` option.

+ # root_unlock_time = 900

+ #

+ # If a group name is specified with this option, members

+ # of the group will be handled by this module the same as

+ # the root account (the options `even_deny_root>` and

+ # `root_unlock_time` will apply to them.

+ # By default, the option is not set.

+ # admin_group = <admin_group_name>
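Review bot: DocBook markup has leaked into the plain-text comments: `# lock out is <replaceable>n</replaceable> seconds.` should read `n seconds`, and `even_deny_root>` has a stray `>`. The `# root_unlock_time = 900` sample also disagrees with the sentence right above it, which says the value defaults to `unlock_time` (600 in this file); either use 600 or say the sample deliberately overrides it. Everything here is commented out, so none of this changes behavior, but this file is what administrators will uncomment, so the samples should be exactly the syntax the parser accepts.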

pam_faillock/faillock.conf.8.xml
file added
+227
@@ -0,0 +1,227 @@

+ <?xml version="1.0" encoding='UTF-8'?>

+ <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"

+ 	"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">

+ 

+ <refentry id="faillock.conf">

+ 

+   <refmeta>

+     <refentrytitle>faillock.conf</refentrytitle>

+     <manvolnum>8</manvolnum>

+     <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>

+   </refmeta>

+ 

+   <refnamediv id="faillock.conf-name">

+     <refname>faillock.conf</refname>

+     <refpurpose>pam_faillock configuration file</refpurpose>

+   </refnamediv>

+ 

+   <refsect1 id="faillock.conf-description">

+ 

+     <title>DESCRIPTION</title>

+     <para>

+        <emphasis remap='B'>faillock.conf</emphasis> provides a way to configure the

+        default settings for locking the user after multiple failed authentication attempts.

+        This file is read by the <emphasis>pam_faillock</emphasis> module and is the

+        preferred method over configuring <emphasis>pam_faillock</emphasis> directly.

+     </para>

+     <para>

+        The file has a very simple <emphasis>name = value</emphasis> format with possible comments

+        starting with <emphasis>#</emphasis> character. The whitespace at the beginning of line, end

+        of line, and around the <emphasis>=</emphasis> sign is ignored.

+     </para>

+   </refsect1>

+ 

+   <refsect1 id="faillock.conf-options">

+ 

+     <title>OPTIONS</title>

+          <variablelist>

+             <varlistentry>

+               <term>

+                 <option>dir=<replaceable>/path/to/tally-directory</replaceable></option>

+               </term>

+               <listitem>

+                 <para>

+                   The directory where the user files with the failure records are kept. The

+                   default is <filename>/var/run/faillock</filename>.

+                 </para>

+               </listitem>

+             </varlistentry>

+             <varlistentry>

+               <term>

+                 <option>audit</option>

+               </term>

+               <listitem>

+                 <para>

+                   Will log the user name into the system log if the user is not found.

+                 </para>

+               </listitem>

+             </varlistentry>

+             <varlistentry>

+               <term>

+                 <option>silent</option>

+               </term>

+               <listitem>

+                 <para>

+                   Don't print informative messages. This option is implicit

+                   in the <emphasis>authfail</emphasis> and <emphasis>authsucc</emphasis>

+                   functions.

+                 </para>

+               </listitem>

+             </varlistentry>

+             <varlistentry>

+               <term>

+                 <option>no_log_info</option>

+               </term>

+               <listitem>

+                 <para>

+                   Don't log informative messages via <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.

+                 </para>

+               </listitem>

+             </varlistentry>

+             <varlistentry>

+               <term>

+                 <option>deny=<replaceable>n</replaceable></option>

+               </term>

+               <listitem>

+                 <para>

+                   Deny access if the number of consecutive authentication failures

+                   for this user during the recent interval exceeds

+                   <replaceable>n</replaceable>. The default is 3.

+                 </para>

+               </listitem>

+             </varlistentry>

+             <varlistentry>

+               <term>

+                 <option>fail_interval=<replaceable>n</replaceable></option>

+               </term>

+               <listitem>

+                 <para>

+                   The length of the interval during which the consecutive

+                   authentication failures must happen for the user account

+                   lock out is <replaceable>n</replaceable> seconds.

+                   The default is 900 (15 minutes).

+                 </para>

+               </listitem>

+             </varlistentry>

+             <varlistentry>

+               <term>

+                 <option>unlock_time=<replaceable>n</replaceable></option>

+               </term>

+               <listitem>

+                 <para>

+                   The access will be reenabled after

+                   <replaceable>n</replaceable> seconds after the lock out.

+                   The value 0 has the same meaning as value

+                   <emphasis>never</emphasis> - the access

+                   will not be reenabled without resetting the faillock

+                   entries by the <citerefentry><refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum></citerefentry> command.

+                   The default is 600 (10 minutes).

+                 </para>

+                 <para>

+                   Note that the default directory that <emphasis>pam_faillock</emphasis>

+                   uses is usually cleared on system boot so the access will be also reenabled

+                   after system reboot. If that is undesirable a different tally directory

+                   must be set with the <option>dir</option> option.

+                 </para>

+                 <para>

+                   Also note that it is usually undesirable to permanently lock

+                   out the users as they can become easily a target of denial of service

+                   attack unless the usernames are random and kept secret to potential

+                   attackers.

+                 </para>

+               </listitem>

+             </varlistentry>

+             <varlistentry>

+               <term>

+                 <option>even_deny_root</option>

+               </term>

+               <listitem>

+                 <para>

+                   Root account can become locked as well as regular accounts.

+                 </para>

+               </listitem>

+             </varlistentry>

+             <varlistentry>

+               <term>

+                 <option>root_unlock_time=<replaceable>n</replaceable></option>

+               </term>

+               <listitem>

+                 <para>

+                   This option implies <option>even_deny_root</option> option.

+                   Allow access after <replaceable>n</replaceable> seconds

+                   to root account after the account is locked. In case the

+                   option is not specified the value is the same as of the

+                   <option>unlock_time</option> option.

+                 </para>

+               </listitem>

+             </varlistentry>

+             <varlistentry>

+               <term>

+                 <option>admin_group=<replaceable>name</replaceable></option>

+               </term>

+               <listitem>

+                 <para>

+                   If a group name is specified with this option, members

+                   of the group will be handled by this module the same as

+                   the root account (the options <option>even_deny_root</option>

+                   and <option>root_unlock_time</option> will apply to them.

+                   By default the option is not set.

+                 </para>

+               </listitem>

+             </varlistentry>

+         </variablelist>

+   </refsect1>

+ 

+   <refsect1 id='faillock.conf-examples'>

+     <title>EXAMPLES</title>

+     <para>

+       /etc/security/faillock.conf file example:

+     </para>

+     <programlisting>

+ deny=4

+ even_deny_root

+ unlock_time=1200

+     </programlisting>

+   </refsect1>

+ 

+   <refsect1 id="faillock.conf-files">

+     <title>FILES</title>

+     <variablelist>

+       <varlistentry>

+         <term><filename>/etc/security/faillock.conf</filename></term>

+         <listitem>

+           <para>the config file for custom options</para>

+         </listitem>

+       </varlistentry>

+     </variablelist>

+   </refsect1>

+ 

+   <refsect1 id='faillock.conf-see_also'>

+     <title>SEE ALSO</title>

+     <para>

+       <citerefentry>

+         <refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum>

+       </citerefentry>,

+       <citerefentry>

+         <refentrytitle>pam_faillock</refentrytitle><manvolnum>8</manvolnum>

+       </citerefentry>,

+       <citerefentry>

+         <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>

+       </citerefentry>,

+       <citerefentry>

+         <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>

+       </citerefentry>,

+       <citerefentry>

+         <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>

+       </citerefentry>

+     </para>

+   </refsect1>

+ 

+   <refsect1 id='faillock.conf-author'>

+     <title>AUTHOR</title>

+       <para>

+         pam_faillock was written by Tomas Mraz. The support for faillock.conf was written by Brian Ward.

+       </para>

+   </refsect1>

+ 

+ </refentry>
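Review bot: the `silent` entry says the option is "implicit in the authfail and authsucc functions", but authfail and authsucc are pam_faillock module arguments, not keys of this file, so on this page the sentence needs a cross reference to pam_faillock(8) or should be dropped. The page is also registered as section 8 (`<manvolnum>8</manvolnum>`) while the file-format pages it cites, pam.conf(5) and pam.d(5), are section 5. Finally, DESCRIPTION calls the file "the preferred method over configuring pam_faillock directly" but never says what happens when the same option appears in both places; state the precedence here once it is settled in pam_faillock.c, because administrators migrating existing pam.d stanzas will need it.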

pam_faillock/faillock.h
file modified
+1
@@ -65,6 +65,7 @@

  };

  

  #define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock"

+ #define FAILLOCK_DEFAULT_CONF "/etc/security/faillock.conf"

  

  int open_tally(const char *dir, const char *user, uid_t uid, int create);

  int read_tally(int fd, struct tally_data *tallies);
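Review bot: FAILLOCK_DEFAULT_CONF hard-codes /etc/security/faillock.conf, while Makefile.am installs faillock.conf via `secureconf_DATA`, i.e. into whatever `secureconfdir` the build was configured with. If those differ (non-default prefix), the module silently reads nothing, because read_config_file treats ENOENT on the default path as success. Prefer deriving this path from the build's secureconfdir (a -D define from the Makefile) rather than hard-coding it next to the tally directory.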

pam_faillock/pam_faillock.8.xml
file modified
+36 -143
@@ -126,141 +126,11 @@

                  </para>

                </listitem>

              </varlistentry>

-             <varlistentry>

-               <term>

-                 <option>dir=<replaceable>/path/to/tally-directory</replaceable></option>

-               </term>

-               <listitem>

-                 <para>

-                   The directory where the user files with the failure records are kept. The

-                   default is <filename>/var/run/faillock</filename>.

-                 </para>

-               </listitem>

-             </varlistentry>

-             <varlistentry>

-               <term>

-                 <option>audit</option>

-               </term>

-               <listitem>

-                 <para>

-                   Will log the user name into the system log if the user is not found.

-                 </para>

-               </listitem>

-             </varlistentry>

-             <varlistentry>

-               <term>

-                 <option>silent</option>

-               </term>

-               <listitem>

-                 <para>

-                   Don't print informative messages. This option is implicite

-                   in the <emphasis>authfail</emphasis> and <emphasis>authsucc</emphasis>

-                   functions.

-                 </para>

-               </listitem>

-             </varlistentry>

-             <varlistentry>

-               <term>

-                 <option>no_log_info</option>

-               </term>

-               <listitem>

-                 <para>

-                   Don't log informative messages via <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.

-                 </para>

-               </listitem>

-             </varlistentry>

-             <varlistentry>

-               <term>

-                 <option>deny=<replaceable>n</replaceable></option>

-               </term>

-               <listitem>

-                 <para>

-                   Deny access if the number of consecutive authentication failures

-                   for this user during the recent interval exceeds

-                   <replaceable>n</replaceable>. The default is 3.

-                 </para>

-               </listitem>

-             </varlistentry>

-             <varlistentry>

-               <term>

-                 <option>fail_interval=<replaceable>n</replaceable></option>

-               </term>

-               <listitem>

-                 <para>

-                   The length of the interval during which the consecutive

-                   authentication failures must happen for the user account

-                   lock out is <replaceable>n</replaceable> seconds.

-                   The default is 900 (15 minutes).

-                 </para>

-               </listitem>

-             </varlistentry>

-             <varlistentry>

-               <term>

-                 <option>unlock_time=<replaceable>n</replaceable></option>

-               </term>

-               <listitem>

-                 <para>

-                   The access will be reenabled after

-                   <replaceable>n</replaceable> seconds after the lock out.

-                   The value 0 has the same meaning as value

-                   <emphasis>never</emphasis> - the access

-                   will not be reenabled without resetting the faillock

-                   entries by the <citerefentry><refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum></citerefentry> command.

-                   The default is 600 (10 minutes).

-                 </para>

-                 <para>

-                   Note that the default directory that <emphasis>pam_faillock</emphasis>

-                   uses is usually cleared on system boot so the access will be also reenabled

-                   after system reboot. If that is undesirable a different tally directory

-                   must be set with the <option>dir</option> option.

-                 </para>

-                 <para>

-                   Also note that it is usually undesirable to permanently lock

-                   out the users as they can become easily a target of denial of service

-                   attack unless the usernames are random and kept secret to potential

-                   attackers.

-                 </para>

-               </listitem>

-             </varlistentry>

-             <varlistentry>

-               <term>

-                 <option>even_deny_root</option>

-               </term>

-               <listitem>

-                 <para>

-                   Root account can become locked as well as regular accounts.

-                 </para>

-               </listitem>

-             </varlistentry>

-             <varlistentry>

-               <term>

-                 <option>root_unlock_time=<replaceable>n</replaceable></option>

-               </term>

-               <listitem>

-                 <para>

-                   This option implies <option>even_deny_root</option> option.

-                   Allow access after <replaceable>n</replaceable> seconds

-                   to root account after the account is locked. In case the

-                   option is not specified the value is the same as of the

-                   <option>unlock_time</option> option.

-                 </para>

-               </listitem>

-             </varlistentry>

-             <varlistentry>

-               <term>

-                 <option>admin_group=<replaceable>name</replaceable></option>

-               </term>

-               <listitem>

-                 <para>

-                   If a group name is specified with this option, members

-                   of the group will be handled by this module the same as

-                   the root account (the options <option>even_deny_root></option>

-                   and <option>root_unlock_time</option> will apply to them.

-                   By default the option is not set.

-                 </para>

-               </listitem>

-             </varlistentry>

          </variablelist>

+         <para>

+           Options configured on the module command line is not recommend, and

+           <emphasis>/etc/security/faillock.conf</emphasis> should be used instead.

+         </para>

    </refsect1>
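Review bot: grammar in the added paragraph: "Options configured on the module command line is not recommend" should be "Configuring options on the module command line is not recommended". Since this hunk removes every option description from OPTIONS, the sentence should also tell the reader where they now live, e.g. "...and /etc/security/faillock.conf should be used instead; see faillock.conf(8) for the list of options", otherwise the only entries left documented here are the ones that remain above.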

  

    <refsect1 id="pam_faillock-types">
@@ -306,6 +176,9 @@

    <refsect1 id='pam_faillock-notes'>

      <title>NOTES</title>

      <para>

+       Options configured on the module command line is not recommend, and

+       <emphasis>/etc/security/faillock.conf</emphasis> should be used instead.

+     <para>

        <emphasis>pam_faillock</emphasis> setup in the PAM stack is different

        from the <emphasis>pam_tally2</emphasis> module setup.

      </para>
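Review bot: the added `<para>` opens a new paragraph without closing the one opened by the unchanged `<para>` immediately before the insertion, so NOTES is no longer well-formed XML (`<para>` ... `<para>` ... `</para>`). The added line should be `</para>` followed by `<para>`, or the new sentence should be its own paragraph placed before the existing one. The same grammar fix as in OPTIONS applies ("is not recommend" -> "is not recommended"), and since this is the same sentence verbatim as the one added to OPTIONS, one of the two copies is enough.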
@@ -316,9 +189,9 @@

      </para>

      <para>

        Note that using the module in <option>preauth</option> without the

-       <option>silent</option> option or with <emphasis>requisite</emphasis>

-       control field leaks an information about existence or

-       non-existence of an user account in the system because

+       <option>silent</option> option specified in <filename>/etc/security/faillock.conf</filename>

+       or with <emphasis>requisite</emphasis> control field leaks an information about

+       existence or non-existence of an user account in the system because

        the failures are not recorded for the unknown users. The message

        about the user account being locked is never displayed for nonexisting

        user accounts allowing the adversary to infer that a particular account
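Review bot: "leaks an information about existence or non-existence of an user account" should be "leaks information about the existence or non-existence of a user account" (the added line carries the article). Also, because the module arguments are being kept for backward compatibility, `silent` can still be given on the preauth line itself; word it as "without the silent option (in /etc/security/faillock.conf or on the module command line)" so readers do not conclude the file is the only place where it takes effect.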
@@ -341,15 +214,26 @@

        be added to tell the user that his login is blocked by the module and also to abort

        the authentication without even asking for password in such case.

      </para>

+     <para>

+       /etc/security/faillock.conf file example:

+     </para>

+     <programlisting>

+ deny=4

+ even_deny_root

+ unlock_time=1200

+     </programlisting>

+     <para>

+       /etc/pam.d/config file example:

+     </para>

      <programlisting>

  auth     required       pam_securetty.so

  auth     required       pam_env.so

  auth     required       pam_nologin.so

- # optionally call: auth requisite pam_faillock.so preauth deny=4 even_deny_root unlock_time=1200

+ # optionally call: auth requisite pam_faillock.so preauth

  # to display the message about account being locked

  auth     [success=1 default=bad] pam_unix.so

- auth     [default=die]  pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200

- auth     sufficient     pam_faillock.so authsucc deny=4 even_deny_root unlock_time=1200

+ auth     [default=die]  pam_faillock.so authfail

+ auth     sufficient     pam_faillock.so authsucc

  auth     required       pam_deny.so

  account  required       pam_unix.so

  password required       pam_unix.so shadow
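Review bot: the faillock.conf example here is a verbatim copy of the EXAMPLES block in faillock.conf.8.xml; the two will drift, so consider citing faillock.conf(8) rather than repeating it. "/etc/pam.d/config file example:" also reads as if the service were literally named config; "/etc/pam.d/<service> file example:" (or a real service name) is clearer. Stripping `deny=4 even_deny_root unlock_time=1200` from the three pam_faillock.so lines is correct only if the sample file really takes effect, so the wording should make the dependency on faillock.conf explicit.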
@@ -367,11 +251,11 @@

  auth     required       pam_securetty.so

  auth     required       pam_env.so

  auth     required       pam_nologin.so

- auth     required       pam_faillock.so preauth silent deny=4 even_deny_root unlock_time=1200

+ auth     required       pam_faillock.so preauth

  # optionally use requisite above if you do not want to prompt for the password

- # on locked accounts, possibly with removing the silent option as well

+ # on locked accounts

  auth     sufficient     pam_unix.so

- auth     [default=die]  pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200

+ auth     [default=die]  pam_faillock.so authfail

  auth     required       pam_deny.so

  account  required       pam_faillock.so

  # if you drop the above call to pam_faillock.so the lock will be done also
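Review bot: this hunk drops `silent` from the `preauth` line and rewrites the comment so it no longer mentions it, but the sample faillock.conf added above does not set `silent` either, so the example now runs preauth non-silently, which is precisely the combination NOTES says leaks account existence (the previous version had `silent` on this line for that reason). Either add `silent` to the sample faillock.conf or keep it on the preauth line here; and if it moves into the file, the old comment "possibly with removing the silent option as well" was the hint that told administrators what to change when switching to requisite, so keep an equivalent.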
@@ -394,6 +278,12 @@

            <para>the files logging the authentication failures for users</para>

          </listitem>

        </varlistentry>

+       <varlistentry>

+         <term><filename>/etc/security/faillock.conf</filename></term>

+         <listitem>

+           <para>the config file for pam_faillock options</para>

+         </listitem>

+       </varlistentry>

      </variablelist>

    </refsect1>

  
@@ -404,6 +294,9 @@

          <refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum>

        </citerefentry>,

        <citerefentry>

+         <refentrytitle>faillock.conf</refentrytitle><manvolnum>8</manvolnum>

+       </citerefentry>,

+       <citerefentry>

          <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>

        </citerefentry>,

        <citerefentry>

pam_faillock/pam_faillock.c
file modified
+181 -1
@@ -44,6 +44,7 @@

  #include <time.h>

  #include <pwd.h>

  #include <syslog.h>

+ #include <ctype.h>

  

  #ifdef HAVE_LIBAUDIT

  #include <libaudit.h>
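Review bot: read_config_file below tests `errno == ENOENT` after fopen(), so make sure <errno.h> is included; it is not among the includes shown here, and getting it transitively through another header is fragile. <ctype.h> is needed for isspace(), but isspace() on a plain `char` read from the file has undefined behavior for bytes >= 0x80 on platforms where char is signed; cast to `unsigned char` at the call sites.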
@@ -69,6 +70,9 @@

  #define FAILLOCK_FLAG_UNLOCKED		0x10

  

  #define MAX_TIME_INTERVAL 604800 /* 7 days */

+ #define FAILLOCK_CONF_MAX_LINELEN 1023

+ #define FAILLOCK_ERROR_CONF_OPEN -3

+ #define FAILLOCK_ERROR_CONF_MALFORMED -4

  

  struct options {

  	unsigned int action;
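Review bot: the two new error codes are negative while success returns 0 (== PAM_SUCCESS) and the only caller checks `!= PAM_SUCCESS`, so FAILLOCK_ERROR_CONF_OPEN and FAILLOCK_ERROR_CONF_MALFORMED are never told apart; either have the caller log which one it got or collapse them. FAILLOCK_CONF_MAX_LINELEN 1023 also means any line of 1024 bytes or more makes the whole file "malformed" and aborts parsing mid-file; acceptable for an /etc file, but it belongs in faillock.conf(8).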
@@ -78,6 +82,7 @@

  	unsigned int unlock_time;

  	unsigned int root_unlock_time;

  	const char *dir;

+ 	const char *conf;

  	const char *user;

  	const char *admin_group;

  	int failures;
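Review bot: `conf` is initialized to FAILLOCK_DEFAULT_CONF and nothing else in this diff ever assigns it, so there is no way to point the module at a different file. Either parse a `conf=` module argument in args_parse (which would also let tst-pam_faillock exercise the parser with a temporary file; no test is added here) or drop the field and pass FAILLOCK_DEFAULT_CONF directly.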
@@ -87,21 +92,35 @@

  	uint64_t now;

  };

  

+ int read_config_file(

+ 	pam_handle_t *pamh,

+ 	struct options *opts,

+ 	const char *cfgfile

+ );

+ 

+ void set_conf_opt(

+ 	pam_handle_t *pamh,

+ 	struct options *opts,

+ 	const char *name,

+ 	const char *value

+ );

+ 

  static void

  args_parse(pam_handle_t *pamh, int argc, const char **argv,

  		int flags, struct options *opts)

  {

  	int i;

+ 	int rv;

  	memset(opts, 0, sizeof(*opts));

  

  	opts->dir = FAILLOCK_DEFAULT_TALLYDIR;

+ 	opts->conf = FAILLOCK_DEFAULT_CONF;

  	opts->deny = 3;

  	opts->fail_interval = 900;

  	opts->unlock_time = 600;

  	opts->root_unlock_time = MAX_TIME_INTERVAL+1;

  

  	for (i = 0; i < argc; ++i) {

- 

  		if (strncmp(argv[i], "dir=", 4) == 0) {

  			if (argv[i][4] != '/') {

  				pam_syslog(pamh, LOG_ERR,
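Review bot: read_config_file and set_conf_opt are declared with external linkage, so they become exported symbols of pam_faillock.so; every other helper in this file is `static` (args_parse, get_pam_user). Make both `static`, and the forward declarations can go if the definitions are moved above args_parse. The blank line removed inside the `for` loop is an unrelated whitespace change.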
@@ -184,12 +203,173 @@

  		}

  	}

  

+ 	if ((rv=read_config_file(pamh, opts, opts->conf)) != PAM_SUCCESS) {

+ 		pam_syslog(pamh, LOG_ERR,

+ 					"Error opening conf file. Using defaults.");

+ 	}

+ 

  	if (opts->root_unlock_time == MAX_TIME_INTERVAL+1)

  		opts->root_unlock_time = opts->unlock_time;

  	if (flags & PAM_SILENT)

  		opts->flags |= FAILLOCK_FLAG_SILENT;

  }

  

+ /* parse a single configuration file */

+ int

+ read_config_file(pam_handle_t *pamh, struct options *opts, const char *cfgfile)

+ {

+ 	FILE *f;

+ 	char linebuf[FAILLOCK_CONF_MAX_LINELEN+1];

+ 

+ 	f = fopen(cfgfile, "r");

+ 	if (f == NULL) {

+ 		/* ignore non-existent default config file */

+ 		if (errno == ENOENT && strcmp(cfgfile, FAILLOCK_DEFAULT_CONF) == 0)

+ 			return 0;

+ 		return FAILLOCK_ERROR_CONF_OPEN;

+ 	}

+ 

+ 	while (fgets(linebuf, sizeof(linebuf), f) != NULL) {

+ 		size_t len;

+ 		char *ptr;

+ 		char *name;

+ 		int eq;

+ 

+ 		len = strlen(linebuf);

+ 		/* len cannot be 0 unless there is a bug in fgets */

+ 		if (len && linebuf[len - 1] != '\n' && !feof(f)) {

+ 			(void) fclose(f);

+ 			return FAILLOCK_ERROR_CONF_MALFORMED;

+ 		}

+ 

+ 		if ((ptr=strchr(linebuf, '#')) != NULL) {

+ 			*ptr = '\0';

+ 		} else {

+ 			ptr = linebuf + len;

+ 		}

+ 

+ 		/* drop terminating whitespace including the \n */

+ 		while (ptr > linebuf) {

+ 			if (!isspace(*(ptr-1))) {

+ 				*ptr = '\0';

+ 				break;

+ 			}

+ 			--ptr;

+ 		}

+ 

+ 		/* skip initial whitespace */

+ 		for (ptr = linebuf; isspace(*ptr); ptr++);

+ 		if (*ptr == '\0')

+ 			continue;

+ 

+ 		/* grab the key name */

+ 		eq = 0;

+ 		name = ptr;

+ 		while (*ptr != '\0') {

+ 			if (isspace(*ptr) || *ptr == '=') {

+ 				eq = *ptr == '=';

+ 				*ptr = '\0';

+ 				++ptr;

+ 				break;

+ 			}

+ 			++ptr;

+ 		}

+ 

+ 		/* grab the key value */

+ 		while (*ptr != '\0') {

+ 			if (*ptr != '=' || eq) {

+ 				if (!isspace(*ptr)) {

+ 					break;

+ 				}

+ 			} else {

+ 				eq = 1;

+ 			}

+ 			++ptr;

+ 		}

+ 

+ 		/* set the key:value pair on opts */

+ 		set_conf_opt(pamh, opts, name, ptr);

+ 	}

+ 

+ 	(void)fclose(f);

+ 	return PAM_SUCCESS;

+ }

+ 

+ void set_conf_opt(pam_handle_t *pamh, struct options *opts, const char *name, const char *value)

+ {

+ 	if (strncmp(name, "dir", 3) == 0) {

+ 		if (value[0] != '/') {

+ 			pam_syslog(pamh, LOG_ERR,

+ 				"Tally directory is not absolute path (%s); keeping default", value);

+ 		} else {

+ 			opts->dir = value;

+ 		}

+ 	}

+ 	else if (strncmp(name, "deny", 4) == 0) {

+ 		if (sscanf(value, "%hu", &opts->deny) != 1) {

+ 			pam_syslog(pamh, LOG_ERR,

+ 				"Bad number supplied for deny argument");

+ 		}

+ 	}

+ 	else if (strncmp(name, "fail_interval", 13) == 0) {

+ 		unsigned int temp;

+ 		if (sscanf(value, "%u", &temp) != 1 ||

+ 			temp > MAX_TIME_INTERVAL) {

+ 			pam_syslog(pamh, LOG_ERR,

+ 				"Bad number supplied for fail_interval argument");

+ 		} else {

+ 			opts->fail_interval = temp;

+ 		}

+ 	}

+ 	else if (strncmp(name, "unlock_time", 11) == 0) {

+ 		unsigned int temp;

+ 

+ 		if (strcmp(value, "never") == 0) {

+ 			opts->unlock_time = 0;

+ 		}

+ 		else if (sscanf(value, "%u", &temp) != 1 ||

+ 			temp > MAX_TIME_INTERVAL) {

+ 			pam_syslog(pamh, LOG_ERR,

+ 				"Bad number supplied for unlock_time argument");

+ 		}

+ 		else {

+ 			opts->unlock_time = temp;

+ 		}

+ 	}

+ 	else if (strncmp(name, "root_unlock_time", 16) == 0) {

+ 		unsigned int temp;

+ 

+ 		if (strcmp(value, "never") == 0) {

+ 			opts->root_unlock_time = 0;

+ 		}

+ 		else if (sscanf(value, "%u", &temp) != 1 ||

+ 			temp > MAX_TIME_INTERVAL) {

+ 			pam_syslog(pamh, LOG_ERR,

+ 				"Bad number supplied for root_unlock_time argument");

+ 		} else {

+ 			opts->root_unlock_time = temp;

+ 		}

+ 	}

+ 	else if (strncmp(name, "admin_group", 11) == 0) {

+ 		opts->admin_group = value;

+ 	}

+ 	else if (strcmp(name, "even_deny_root") == 0) {

+ 		opts->flags |= FAILLOCK_FLAG_DENY_ROOT;

+ 	}

+ 	else if (strcmp(name, "audit") == 0) {

+ 		opts->flags |= FAILLOCK_FLAG_AUDIT;

+ 	}

+ 	else if (strcmp(name, "silent") == 0) {

+ 		opts->flags |= FAILLOCK_FLAG_SILENT;

+ 	}

+ 	else if (strcmp(name, "no_log_info") == 0) {

+ 		opts->flags |= FAILLOCK_FLAG_NO_LOG_INFO;

+ 	}

+ 	else {

+ 		pam_syslog(pamh, LOG_ERR, "Unknown option: %s", name);

+ 	}

+ }

+ 

  static int get_pam_user(pam_handle_t *pamh, struct options *opts)

  {

  	const char *user;
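Review bot: `opts->dir = value;` and `opts->admin_group = value;` in set_conf_opt store pointers into `linebuf`, a stack array local to read_config_file that is overwritten by the next fgets() and gone once the function returns, so by the time the tally directory or admin group is used they point at stale stack memory. Copy the strings (strdup with a matching free, or fixed buffers in struct options) and fail the parse on allocation error. Second, ordering: read_config_file is called after the argv loop, so a key in faillock.conf silently overrides whatever is on the module command line, the opposite of the "default settings" promised in faillock.conf(8) and of the backward-compatibility request in this thread; call it before the argv loop (right after the hard-coded defaults) so command-line options still win. Third, the key comparisons use strncmp with the key length (`strncmp(name, "dir", 3)`), which accepts any key that merely starts with the name (`dir_foo`, `denyx`), and the `root_unlock_time`/`unlock_time` pair only works because of the else-if order; use strcmp as the boolean options below already do. Fourth, the caller reports every failure as "Error opening conf file. Using defaults.", but FAILLOCK_ERROR_CONF_MALFORMED is returned after some lines have already been applied, so neither half of the message is true; log errno and the file name, and for the malformed case the line number. Smaller: a line with no `=` at all, such as `deny 4`, is accepted silently by the value loop, which the man page does not advertise.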

Adds the capability for pam_faillock to read from /etc/security/faillock.conf (#1537242)

rebased onto f045e67

4 years ago

This is a superfluous paragraph. It should not be there as it is in the pam_faillock manpage. On the other hand there should be a simple sentence saying something about the faillock.conf configuration file.

This section should not be here at all. Or there should be at most some reference to the pam_faillock page.

Again, this section is not needed or at most there should be example of the faillock.conf file and reference to the pam_faillock manpage.

I'd probably use something like: The support for faillock.conf was written by Brian Ward.

You should not drop the options from the manual page. At least not from here.

You can drop the option descriptions from here, and you can also write here something about how using the options on the module command line is not recommended and faillock.conf should be used instead.

Do not drop this paragraph from here. You can adjust it to mention faillock.conf, i.e. "...using the module in preauth without the silent option specified in faillock.conf or with....."

Please keep the support for the options on module command line. This is absolutely necessary for backwards compatibility.

rebased onto f020288

4 years ago

rebased onto 30135d3

4 years ago

1 new commit added

  • Add faillock.conf
4 years ago

@tmraz updated the PR with your suggestions. Also, added a commit that adds faillock.conf.

Copy & paste error from pwquality.conf documentation.

Better would be: "configure the default settings for locking the user after multiple failed authentication attempts."
Or something similar.

3 new commits added

  • Fix typos and update descriptions
  • Add faillock.conf
  • Adds the capability for pam_faillock to read from /etc/security/faillock.conf (#1537242)
4 years ago

Copy & paste error from pwquality.conf documentation.

sigh.... definitely was a brain copy/paste

Better would be: "configure the default settings for locking the user after multiple failed authentication attempts."

@tmraz this is definitely better. Fixed.

3 new commits added

  • Fix typos and update descriptions
  • Add faillock.conf
  • Adds the capability for pam_faillock to read from /etc/security/faillock.conf (#1537242)
4 years ago

A spurious character here?

Unfortunately yes. Fixed.

Pull-Request has been merged by tmraz

4 years ago