| -rw-r--r-- | Makefile | 3 | ||||
| -rw-r--r-- | README | 11 | ||||
| -rw-r--r-- | changelog | 9 | ||||
| -rw-r--r-- | pam_pwdfile.c | 17 | 
4 files changed, 33 insertions, 7 deletions
| @@ -1,4 +1,4 @@ -# $Id: Makefile,v 1.2 2001-04-17 21:16:12 cpbotha Exp $ +# $Id: Makefile,v 1.3 2001-07-14 20:50:21 cpbotha Exp $  #  # This Makefile controls a build process of $(TITLE) module for  # Linux-PAM. You should not modify this Makefile (unless you know @@ -8,6 +8,7 @@  include ../../Make.Rules  TITLE=pam_pwdfile +CFLAGS += -D_BSD_SOURCE  MODULE_SIMPLE_EXTRALIBS = -lcrypt @@ -1,8 +1,8 @@  README for pam_pwdfile PAM module - Charl P. Botha <cpbotha@ieee.org> -$Id: README,v 1.7 2001-06-15 21:24:30 cpbotha Exp $ +$Id: README,v 1.8 2001-07-14 20:50:21 cpbotha Exp $  --------------------------------------------------------------------------- -This is version 0.9 of pam_pwdfile. +This is version 0.95 of pam_pwdfile.  This pam module can be used for the authentication service only, in cases  where one wants to use a different set of passwords than those in the main @@ -18,7 +18,7 @@ account    required	/lib/security/pam_pwdb.so  At the moment the only parameters that pam_pwdfile.so parses for is  "pwdfile", followed by the name of the ASCII password database, as in the  above example.  Also, thanks to Jacob Schroeder <jacob@quantec.de>, -pam_pwdfile now supports password file locking.  Adding an "flock" parameter +pam_pwdfile now supports password file locking.  Adding a "flock" parameter  activates this feature: pam_pwdfile uses and honours flock() file locking on  the specified password file.  Specifying "noflock" or no flock-type  parameter at all deactivates this feature. 
@@ -26,6 +26,11 @@ parameter at all deactivates this feature.  Example:  auth  required /lib/security/pam_pwdfile.so pwdfile /etc/blah.passwd flock +Like other PAM modules, pam_pwdfile causes a 2 second delay when an +incorrect password is supplied.  This is too discourage brute force testing; +however, this behaviour can be disabled with a "nodelay" parameter.  Thanks +to Ethan Benson for this patch. +  The ASCII password file is simply a list of lines, each looking like this:  username:crypted_passwd[13] in the case of vanilla crypted passwords and  username:crypted_passwd[34] in the case of MD5 crypted passwords.  The @@ -1,7 +1,14 @@  changelog for pam_pwdfile PAM module - Charl P. Botha <cpbotha@ieee.org> -$Id: changelog,v 1.10 2001-06-15 21:30:16 cpbotha Exp $ +$Id: changelog,v 1.11 2001-07-14 20:50:21 cpbotha Exp $  --------------------------------------------------------------------------- +0.95 : Sat Jul 14 22:38:16 CEST 2001 + +* added features.h, _BSD_SOURCE now defined by Makefile (for vsyslog a.o.) +* integrated patch by Ethan Benson <erbenson@alaska.net> that enables a two +  second PAM delay when an incorrect password is supplied. +* yes, if this version floats for long enough, we can do the 1.0 thing. +  0.9: Fri Jun 15 23:23:31 CEST 2001  * integrated patch by Stephen Darragh <srd@it.net.au> to fix problems with diff --git a/pam_pwdfile.c b/pam_pwdfile.c index ae58083..5a7f580 100644 --- a/pam_pwdfile.c +++ b/pam_pwdfile.c 
@@ -1,12 +1,12 @@  /* pam_pwdfile.c copyright 1999-2001 by Charl P. Botha <cpbotha@ieee.org>   * - * $Id: pam_pwdfile.c,v 1.14 2001-06-15 21:31:46 cpbotha Exp $ + * $Id: pam_pwdfile.c,v 1.15 2001-07-14 20:50:21 cpbotha Exp $   *    * pam authentication module that can be pointed at any username/crypted   * text file so that pam using application can use an alternate set of   * passwords than specified in system password database   *  - * version 0.9 + * version 0.95   *   * Copyright (c) Charl P. Botha, 1999-2001. All rights reserved   * @@ -42,6 +42,7 @@   * OF THE POSSIBILITY OF SUCH DAMAGE.   */ +#include <features.h>  #include <syslog.h>  #include <stdarg.h>  #include <stdio.h> @@ -64,6 +65,7 @@ extern char *crypt(const char *key, const char *salt);  #define PWDF_PARAM "pwdfile"  #define FLOCK_PARAM "flock" +#define NODELAY_PARAM "nodelay"  #define PWDFN_LEN 256  #define CRYPTED_DESPWD_LEN 13  #define CRYPTED_MD5PWD_LEN 34 @@ -227,6 +229,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags,     char salt[12], crypted_password[CRYPTED_MD5PWD_LEN+1];     FILE *pwdfile;     int use_flock = 0; +   int use_delay = 1;     /* we require the pwdfile switch and argument to be present, else we don't work */     /* pcnt is the parameter counter variable for iterating through argv */ @@ -253,9 +256,19 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags,        } else if (strcmp(argv[pcnt],"no" FLOCK_PARAM)==0) {  	 /* or a "noflock" parameter */  	 use_flock = 0; +      } else if (strcmp(argv[pcnt],NODELAY_PARAM)==0) { +	/* no delay on authentication failure */ +	use_delay = 0;        }     } while (++pcnt < argc); + +#ifdef HAVE_PAM_FAIL_DELAY +   if (use_delay) { +     D(("setting delay")); +     (void) pam_fail_delay(pamh, 2000000);   /* 2 sec delay for on failure */ +   } +#endif     /* for some or other reason, the password file wasn't specified */     if (!pwdfilename_found) { | 
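Review bot: The added `#include <features.h>` in the `@@ -42,6 +42,7 @@` hunk names a glibc-specific header that the libc headers below it already pull in, so it looks redundant now that this commit moves `_BSD_SOURCE` into the Makefile's CFLAGS. It would also break the build on a libc that does not ship that header. Dropping the line and leaving a comment such as `/* _BSD_SOURCE is set in the Makefile (needed for vsyslog) */` would keep the reason visible without the dependency.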
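Review bot: The `(void)` cast on `pam_fail_delay(pamh, 2000000)` in the `@@ -253,9 +256,19 @@` hunk discards the only signal that the brute-force throttle was not installed, so a failing call leaves the module authenticating with no delay and nothing in the logs. Check the result and report it, for example `if (pam_fail_delay(pamh, 2000000) != PAM_SUCCESS) syslog(LOG_AUTH|LOG_WARNING, "pam_pwdfile: could not set fail delay");`, or use the module's own logging helper if one exists outside this hunk. The same silence applies when `HAVE_PAM_FAIL_DELAY` is undefined: the block compiles out while `nodelay` is still accepted, and the Makefile change in this commit does not define the macro, so it presumably has to come from the PAM headers. A comment next to the `#ifdef` saying where the macro is expected to come from would help, and the literal `2000000` could become a named `#define` beside `PWDFN_LEN`. pam_sm_authenticate starts and ends outside the hunk.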
