From 07e2aca8d4c90616fabc99f5abff71b423fad6b7 Mon Sep 17 00:00:00 2001
From: Charl Botha
Date: Sat, 14 Jul 2001 20:50:21 +0000
Subject: Integrated patch for 2 second delay at incorrect password. Fixed minor build warnings (added _BSD_SOURCE define).

---
 Makefile | 3 ++-
 README | 11 ++++++++---
 changelog | 9 ++++++++-
 pam_pwdfile.c | 17 +++++++++++++++--
 4 files changed, 33 insertions(+), 7 deletions(-)

diff --git a/Makefile b/Makefile
index c0e2805..785998b 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-# $Id: Makefile,v 1.2 2001-04-17 21:16:12 cpbotha Exp $
+# $Id: Makefile,v 1.3 2001-07-14 20:50:21 cpbotha Exp $
 #
 # This Makefile controls a build process of $(TITLE) module for
 # Linux-PAM. You should not modify this Makefile (unless you know
@@ -8,6 +8,7 @@ include ../../Make.Rules
 TITLE=pam_pwdfile
+CFLAGS += -D_BSD_SOURCE
 MODULE_SIMPLE_EXTRALIBS = -lcrypt
diff --git a/README b/README
index 7a366dd..0bce847 100644
--- a/README
+++ b/README
@@ -1,8 +1,8 @@
 README for pam_pwdfile PAM module - Charl P. Botha
-$Id: README,v 1.7 2001-06-15 21:24:30 cpbotha Exp $
+$Id: README,v 1.8 2001-07-14 20:50:21 cpbotha Exp $
 ---------------------------------------------------------------------------
-This is version 0.9 of pam_pwdfile.
+This is version 0.95 of pam_pwdfile.
 This pam module can be used for the authentication service only, in cases where one wants to use a different set of passwords than those in the main 
@@ -18,7 +18,7 @@ account required /lib/security/pam_pwdb.so
 At the moment the only parameters that pam_pwdfile.so parses for is "pwdfile", followed by the name of the ASCII password database, as in the above example. Also, thanks to Jacob Schroeder ,
-pam_pwdfile now supports password file locking. Adding an "flock" parameter
+pam_pwdfile now supports password file locking. Adding a "flock" parameter
 activates this feature: pam_pwdfile uses and honours flock() file locking on the specified password file. Specifying "noflock" or no flock-type parameter at all deactivates this feature.
@@ -26,6 +26,11 @@ parameter at all deactivates this feature.
 Example: auth required /lib/security/pam_pwdfile.so pwdfile /etc/blah.passwd flock
+Like other PAM modules, pam_pwdfile causes a 2 second delay when an
+incorrect password is supplied. This is too discourage brute force testing;
+however, this behaviour can be disabled with a "nodelay" parameter. Thanks
+to Ethan Benson for this patch.
+
 The ASCII password file is simply a list of lines, each looking like this: username:crypted_passwd[13] in the case of vanilla crypted passwords and username:crypted_passwd[34] in the case of MD5 crypted passwords. The
diff --git a/changelog b/changelog
index cd1834d..1f01ecd 100644
--- a/changelog
+++ b/changelog
@@ -1,7 +1,14 @@
 changelog for pam_pwdfile PAM module - Charl P. Botha
-$Id: changelog,v 1.10 2001-06-15 21:30:16 cpbotha Exp $
+$Id: changelog,v 1.11 2001-07-14 20:50:21 cpbotha Exp $
 ---------------------------------------------------------------------------
+0.95 : Sat Jul 14 22:38:16 CEST 2001
+
+* added features.h, _BSD_SOURCE now defined by Makefile (for vsyslog a.o.)
+* integrated patch by Ethan Benson that enables a two
+ second PAM delay when an incorrect password is supplied.
+* yes, if this version floats for long enough, we can do the 1.0 thing.
+
 0.9: Fri Jun 15 23:23:31 CEST 2001
 * integrated patch by Stephen Darragh to fix problems with 
diff --git a/pam_pwdfile.c b/pam_pwdfile.c
index ae58083..5a7f580 100644
--- a/pam_pwdfile.c
+++ b/pam_pwdfile.c
@@ -1,12 +1,12 @@
 /* pam_pwdfile.c copyright 1999-2001 by Charl P. Botha
  *
- * $Id: pam_pwdfile.c,v 1.14 2001-06-15 21:31:46 cpbotha Exp $
+ * $Id: pam_pwdfile.c,v 1.15 2001-07-14 20:50:21 cpbotha Exp $
  *
  * pam authentication module that can be pointed at any username/crypted
  * text file so that pam using application can use an alternate set of
  * passwords than specified in system password database
  *
- * version 0.9
+ * version 0.95
  *
  * Copyright (c) Charl P. Botha, 1999-2001. All rights reserved
  *
@@ -42,6 +42,7 @@
  * OF THE POSSIBILITY OF SUCH DAMAGE. */
+#include
 #include
 #include
 #include
@@ -64,6 +65,7 @@ extern char *crypt(const char *key, const char *salt);
 #define PWDF_PARAM "pwdfile"
 #define FLOCK_PARAM "flock"
+#define NODELAY_PARAM "nodelay"
 #define PWDFN_LEN 256
 #define CRYPTED_DESPWD_LEN 13
 #define CRYPTED_MD5PWD_LEN 34
@@ -227,6 +229,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags,
 char salt[12], crypted_password[CRYPTED_MD5PWD_LEN+1];
 FILE *pwdfile;
 int use_flock = 0;
+ int use_delay = 1;
 /* we require the pwdfile switch and argument to be present, else we don't work */
 /* pcnt is the parameter counter variable for iterating through argv */
@@ -253,9 +256,19 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags,
 } else if (strcmp(argv[pcnt],"no" FLOCK_PARAM)==0) {
 /* or a "noflock" parameter */
 use_flock = 0;
+ } else if (strcmp(argv[pcnt],NODELAY_PARAM)==0) {
+ /* no delay on authentication failure */
+ use_delay = 0;
 }
 } while (++pcnt < argc);
+
+#ifdef HAVE_PAM_FAIL_DELAY
+ if (use_delay) {
+ D(("setting delay"));
+ (void) pam_fail_delay(pamh, 2000000); /* 2 sec delay for on failure */
+ }
+#endif
 /* for some or other reason, the password file wasn't specified */
 if (!pwdfilename_found) {
--
cgit v1.2.3
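Review bot: Nothing in this commit defines `HAVE_PAM_FAIL_DELAY`, so unless it arrives from the Linux-PAM build (`../../Make.Rules` or a generated config header not visible here) the whole `#ifdef HAVE_PAM_FAIL_DELAY` block in the `@@ -253,9 +256,19 @@` hunk compiles to nothing, and both the 2 s failure delay the README now promises and the new `nodelay` option become silent no-ops. I would make a build without the API visible rather than silent, e.g. `#else` / `#warning "pam_fail_delay() unavailable: no delay will be applied on authentication failure"` before the `#endif`, so a packager notices the brute-force throttle is missing. The magic number would also read better named next to the parameter strings, `#define FAIL_DELAY_USEC 2000000`, with the garbled comment replaced by `/* ask libpam to delay 2 s if authentication later fails */`. Placing the call before the password check is correct as far as I can tell, since pam_fail_delay() only registers the delay that libpam applies when authentication fails. pam_sm_authenticate starts and ends outside this hunk.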