summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorCharl Botha <cpbotha@cpbotha.net>2001-07-14 20:50:21 +0000
committerCharl Botha <cpbotha@cpbotha.net>2001-07-14 20:50:21 +0000
commit07e2aca8d4c90616fabc99f5abff71b423fad6b7 (patch)
tree2b4d94068fd98ca36b1963ea52064d67da8f55f9
parent632939171280f34924cbae6fe9f286bdc8b508eb (diff)
downloadlibpam-pwdfile-07e2aca8d4c90616fabc99f5abff71b423fad6b7.tar.gz
Integrated patch for 2 second delay at incorrect password.v0.95
Fixed minor build warnings (added _BSD_SOURCE define).
-rw-r--r--Makefile3
-rw-r--r--README11
-rw-r--r--changelog9
-rw-r--r--pam_pwdfile.c17
4 files changed, 33 insertions, 7 deletions
diff --git a/Makefile b/Makefile
index c0e2805..785998b 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-# $Id: Makefile,v 1.2 2001-04-17 21:16:12 cpbotha Exp $
+# $Id: Makefile,v 1.3 2001-07-14 20:50:21 cpbotha Exp $
#
# This Makefile controls a build process of $(TITLE) module for
# Linux-PAM. You should not modify this Makefile (unless you know
@@ -8,6 +8,7 @@
include ../../Make.Rules
TITLE=pam_pwdfile
+CFLAGS += -D_BSD_SOURCE
MODULE_SIMPLE_EXTRALIBS = -lcrypt
diff --git a/README b/README
index 7a366dd..0bce847 100644
--- a/README
+++ b/README
@@ -1,8 +1,8 @@
README for pam_pwdfile PAM module - Charl P. Botha <cpbotha@ieee.org>
-$Id: README,v 1.7 2001-06-15 21:24:30 cpbotha Exp $
+$Id: README,v 1.8 2001-07-14 20:50:21 cpbotha Exp $
---------------------------------------------------------------------------
-This is version 0.9 of pam_pwdfile.
+This is version 0.95 of pam_pwdfile.
This pam module can be used for the authentication service only, in cases
where one wants to use a different set of passwords than those in the main
@@ -18,7 +18,7 @@ account required /lib/security/pam_pwdb.so
At the moment the only parameters that pam_pwdfile.so parses for is
"pwdfile", followed by the name of the ASCII password database, as in the
above example. Also, thanks to Jacob Schroeder <jacob@quantec.de>,
-pam_pwdfile now supports password file locking. Adding an "flock" parameter
+pam_pwdfile now supports password file locking. Adding a "flock" parameter
activates this feature: pam_pwdfile uses and honours flock() file locking on
the specified password file. Specifying "noflock" or no flock-type
parameter at all deactivates this feature.
@@ -26,6 +26,11 @@ parameter at all deactivates this feature.
Example:
auth required /lib/security/pam_pwdfile.so pwdfile /etc/blah.passwd flock
+Like other PAM modules, pam_pwdfile causes a 2 second delay when an
+incorrect password is supplied. This is too discourage brute force testing;
+however, this behaviour can be disabled with a "nodelay" parameter. Thanks
+to Ethan Benson for this patch.
+
The ASCII password file is simply a list of lines, each looking like this:
username:crypted_passwd[13] in the case of vanilla crypted passwords and
username:crypted_passwd[34] in the case of MD5 crypted passwords. The
diff --git a/changelog b/changelog
index cd1834d..1f01ecd 100644
--- a/changelog
+++ b/changelog
@@ -1,7 +1,14 @@
changelog for pam_pwdfile PAM module - Charl P. Botha <cpbotha@ieee.org>
-$Id: changelog,v 1.10 2001-06-15 21:30:16 cpbotha Exp $
+$Id: changelog,v 1.11 2001-07-14 20:50:21 cpbotha Exp $
---------------------------------------------------------------------------
+0.95 : Sat Jul 14 22:38:16 CEST 2001
+
+* added features.h, _BSD_SOURCE now defined by Makefile (for vsyslog a.o.)
+* integrated patch by Ethan Benson <erbenson@alaska.net> that enables a two
+ second PAM delay when an incorrect password is supplied.
+* yes, if this version floats for long enough, we can do the 1.0 thing.
+
0.9: Fri Jun 15 23:23:31 CEST 2001
* integrated patch by Stephen Darragh <srd@it.net.au> to fix problems with
diff --git a/pam_pwdfile.c b/pam_pwdfile.c
index ae58083..5a7f580 100644
--- a/pam_pwdfile.c
+++ b/pam_pwdfile.c
@@ -1,12 +1,12 @@
/* pam_pwdfile.c copyright 1999-2001 by Charl P. Botha <cpbotha@ieee.org>
*
- * $Id: pam_pwdfile.c,v 1.14 2001-06-15 21:31:46 cpbotha Exp $
+ * $Id: pam_pwdfile.c,v 1.15 2001-07-14 20:50:21 cpbotha Exp $
*
* pam authentication module that can be pointed at any username/crypted
* text file so that pam using application can use an alternate set of
* passwords than specified in system password database
*
- * version 0.9
+ * version 0.95
*
* Copyright (c) Charl P. Botha, 1999-2001. All rights reserved
*
@@ -42,6 +42,7 @@
* OF THE POSSIBILITY OF SUCH DAMAGE.
*/
+#include <features.h>
#include <syslog.h>
#include <stdarg.h>
#include <stdio.h>
@@ -64,6 +65,7 @@ extern char *crypt(const char *key, const char *salt);
#define PWDF_PARAM "pwdfile"
#define FLOCK_PARAM "flock"
+#define NODELAY_PARAM "nodelay"
#define PWDFN_LEN 256
#define CRYPTED_DESPWD_LEN 13
#define CRYPTED_MD5PWD_LEN 34
@@ -227,6 +229,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags,
char salt[12], crypted_password[CRYPTED_MD5PWD_LEN+1];
FILE *pwdfile;
int use_flock = 0;
+ int use_delay = 1;
/* we require the pwdfile switch and argument to be present, else we don't work */
/* pcnt is the parameter counter variable for iterating through argv */
@@ -253,9 +256,19 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags,
} else if (strcmp(argv[pcnt],"no" FLOCK_PARAM)==0) {
/* or a "noflock" parameter */
use_flock = 0;
+ } else if (strcmp(argv[pcnt],NODELAY_PARAM)==0) {
+ /* no delay on authentication failure */
+ use_delay = 0;
}
} while (++pcnt < argc);
+
+#ifdef HAVE_PAM_FAIL_DELAY
+ if (use_delay) {
+ D(("setting delay"));
+ (void) pam_fail_delay(pamh, 2000000); /* 2 sec delay for on failure */
+ }
+#endif
/* for some or other reason, the password file wasn't specified */
if (!pwdfilename_found) {