Patch by Robert Scheck <robert@fedoraproject.org> for pam_abl 0.2.3, changes:

* pam_abl/pam_abl.c
- Fixed compiler warning "dereferencing type-punned pointer will break
strict-aliasing rules"

* pam_abl/Makefile
- Always honor $RPM_OPT_FLAGS when available
- Fixed the make warning "jobserver unavailable: using -j1. Add `+' to
parent make rule"

* pam_abl/tools/Makefile
- Always honor $RPM_OPT_FLAGS when available

* pam_abl/doc/pam_abl.1
- Initial version of a pam_abl man page based on the current docs

* pam_abl/CONFIGURATION
- Initial version of the pam_abl text documentation based on the HTML files

* pam_abl/conf/system-auth
- Removed use of /lib/security/$ISA, because it will break on any 64 bit
system having /lib64 instead of /lib; should fix sf.net Bug ID #1325837

* pam_abl/doc/index.html
- Never ever use /lib/security, it will break any 64 bit compatibility

* pam_abl/QUICKSTART
- Quickstart guide heavily based on README.fedora written by the Fedora
Extras maintainer Alexander Dalloz <alex {%} dalloz {*} de>

The following patch was sent upstream at Sat, 17 Jun 2006 21:24:50 +0200 and the
upstream maintainer confirmed that this patch would be added to the next
pam_abl release - but unfortunately nothing has happened yet.
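--- pam_abl/pam_abl.c 2005-10-12 21:22:26.000000000 +0200
+++ pam_abl/pam_abl.c.rsc 2006-06-17 18:36:44.000000000 +0200
@@ -168,7 +168,7 @@
 const char *rhost;
 int err;
 
-if (err = pam_get_item(args->pamh, PAM_RHOST, (const void **) &rhost), PAM_SUCCESS != err) {
+if (err = pam_get_item(args->pamh, PAM_RHOST, (const void **)( const void*) &rhost), PAM_SUCCESS != err) {
 log_pam_error(args, err, "getting PAM_RHOST");
 return err;
 }
@@ -187,7 +187,7 @@
 if (NULL != args->user_db) {
 const char *user;
 int err;
-if (err = pam_get_item(args->pamh, PAM_USER, (const void **) &user), PAM_SUCCESS != err) {
+if (err = pam_get_item(args->pamh, PAM_USER, (const void **) (const void*) &user), PAM_SUCCESS != err) {
 log_pam_error(args, err, "getting PAM_USER");
 return err;
 }
@@ -285,7 +285,7 @@
 if (NULL != args->host_db) {
 const char *rhost;
 int err;
-if (err = pam_get_item(args->pamh, PAM_RHOST, (const void **) &rhost), PAM_SUCCESS != err) {
+if (err = pam_get_item(args->pamh, PAM_RHOST, (const void **) (const void*) &rhost), PAM_SUCCESS != err) {
 log_pam_error(args, err, "getting PAM_RHOST");
 return err;
 }
@@ -316,12 +316,12 @@
 const char *user;
 const char *service;
 
-if (err = pam_get_item(args->pamh, PAM_USER, (const void **) &user), PAM_SUCCESS != err) {
+if (err = pam_get_item(args->pamh, PAM_USER, (const void **) (const void*) &user), PAM_SUCCESS != err) {
 log_pam_error(args, err, "getting PAM_USER");
 return err;
 }
 
-if (err = pam_get_item(args->pamh, PAM_SERVICE, (const void **) &service), PAM_SUCCESS != err) {
+if (err = pam_get_item(args->pamh, PAM_SERVICE, (const void **) (const void*) &service), PAM_SUCCESS != err) {
 log_pam_error(args, err, "getting PAM_SERVICE");
 return err;
 }
@@ -374,9 +374,9 @@
 check_attempt(args, &rv);
 if (rv) {
 const char *rhost, *user, *service;
-if (PAM_SUCCESS == pam_get_item(args->pamh, PAM_RHOST, (const void **) &rhost ) &&
-PAM_SUCCESS == pam_get_item(args->pamh, PAM_USER, (const void **) &user ) &&
-PAM_SUCCESS == pam_get_item(args->pamh, PAM_SERVICE, (const void **) &service)) {
+if (PAM_SUCCESS == pam_get_item(args->pamh, PAM_RHOST, (const void **) (const void*) &rhost ) &&
+PAM_SUCCESS == pam_get_item(args->pamh, PAM_USER, (const void **) (const void*) &user ) &&
+PAM_SUCCESS == pam_get_item(args->pamh, PAM_SERVICE, (const void **) (const void*) &service)) {
 log_info(args, "Blocking access from %s to service %s, user %s", rhost, service, user);
 }
 return PAM_AUTH_ERR;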
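Review bot: The added `(const void **) (const void*) &rhost` double cast on every changed line only hides the type-punning warning; `&rhost` is still a `const char **` that pam_get_item writes through as a `const void **`, so the strict-aliasing concern the compiler raised is unchanged in all five hunks. The conventional fix is a `const void *` temporary per call, `const void *item; err = pam_get_item(args->pamh, PAM_RHOST, &item); rhost = item;`, applied likewise to the PAM_USER and PAM_SERVICE lookups. In the last hunk `log_info` still passes `rhost`, `user` and `service` straight to `%s`; as far as I know pam_get_item reports PAM_SUCCESS with a NULL item for a value that was never set (PAM_RHOST on a local login, for instance), so a guard such as `rhost ? rhost : "(unknown)"` for each of the three would avoid undefined behaviour on that logging path. The enclosing functions start and end outside the hunks.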
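--- pam_abl/Makefile 2005-10-12 21:22:25.000000000 +0200
+++ pam_abl/Makefile.rsc 2006-06-17 18:45:43.000000000 +0200
@@ -1,7 +1,7 @@
 # Makefile
 # $Id: Makefile,v 1.1.1.1 2005/10/12 19:22:25 tagishandy Exp $
 
-CFLAGS=-Wall -fPIC
+CFLAGS=-Wall -fPIC $(RPM_OPT_FLAGS)
 PAMDIR=/lib/security
 CONFDIR=/etc/security
 DBDIR=/var/lib/abl
@@ -11,26 +11,26 @@
 SUBDIRS=tools
 
 all : $(MODULE)
-for d in $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done
+for d in $(SUBDIRS) ; do cd $$d && $(MAKE) $@ && cd .. ; done
 
 $(MODULE) : $(OBJ)
 ld -x --shared $(LIBS) -o $@ $^
 
 clean :
 rm -f $(MODULE) $(OBJ)
-for d in $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done
+for d in $(SUBDIRS) ; do cd $$d && $(MAKE) $@ && cd .. ; done
 
 install : $(MODULE)
 install --mode=755 --strip $(MODULE) $(PAMDIR)
 #install --mode=644 conf/pam_abl.conf $(CONFDIR)
 install -d --mode=755 $(DBDIR)
-for d in t $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done
+for d in t $(SUBDIRS) ; do cd $$d && $(MAKE) $@ && cd .. ; done
 
 depend :
 cc -MM *.c > deps
-for d in $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done
+for d in $(SUBDIRS) ; do cd $$d && $(MAKE) $@ && cd .. ; done
 
 test :
-cd t && make && cd ..
+cd t && $(MAKE) && cd ..
 
 include deps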
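Review bot: `$(RPM_OPT_FLAGS)` is now honoured when compiling, but the `$(MODULE)` rule in the second hunk still links with bare `ld -x --shared`, so nothing in RPM_OPT_FLAGS (or any LDFLAGS the packager sets) reaches the link step, and options the compiler driver would otherwise turn into link-time behaviour are silently dropped. Linking through the driver, `$(CC) -shared $(LDFLAGS) -o $@ $^ $(LIBS)`, would carry them; the `install --strip` line then also stops depending on what `ld -x` left behind. A plain `CFLAGS=` assignment additionally discards any CFLAGS exported in the environment, so `CFLAGS += -Wall -fPIC $(RPM_OPT_FLAGS)` may be closer to the intent; the same assignment appears in the pam_abl/tools/Makefile hunk.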
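--- pam_abl/tools/Makefile 2005-10-12 21:22:27.000000000 +0200
+++ pam_abl/tools/Makefile.rsc 2006-06-17 19:15:25.000000000 +0200
@@ -1,6 +1,6 @@
 # Makefile
 
-CFLAGS=-Wall
+CFLAGS=-Wall -fPIC $(RPM_OPT_FLAGS)
 LIBS=-ldb -lpthread
 TARGET=pam_abl
 OBJ=log.o config.o rule.o pam_abl.o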
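Review bot: The new CFLAGS line adds `-fPIC` alongside `$(RPM_OPT_FLAGS)`, which the changelog entry for this file does not mention; this directory builds the `pam_abl` command-line tool (`TARGET=pam_abl`, not a shared object), so `-fPIC` has no obvious purpose here unless these objects are also linked into the module, which the hunk does not show. If a position-independent executable is the goal, the matching flags are `-fPIE` at compile time and `-pie` at link time; otherwise `CFLAGS=-Wall $(RPM_OPT_FLAGS)` matches the stated change. The link rule for TARGET is outside the hunk.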
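--- pam_abl/doc/pam_abl.1 1970-01-01 01:00:00.000000000 +0100
+++ pam_abl/doc/pam_abl.1.rsc 2006-06-17 20:02:44.000000000 +0200
@@ -0,0 +1,52 @@
+.TH pam_abl 1 "Oct 13, 2005"
+.LO 1
+.SH NAME
+pam_abl - query or purge the databases used by the pam_abl module
+.SH OVERVIEW
+\fBpam_abl\fR [ \fIOPTIONS \fR] [ \fICONFIG \fR]
+.SH DESCRIPTION
+Performs maintenance on the databases used by the pam_abl (auto blacklist) module. CONFIG is the name of the pam_abl config file (/etc/security/pam_abl.conf). The config file is read to discover the names of the pam_abl databases and the rules that control purging of old data from them.
+.SH OPTIONS
+.TP
+.B -h, --help
+See a help message
+.TP
+.B -p, --purge
+Purge databases according to purge rules in config
+.TP
+.B -r, --relative
+Display times relative to now otherwise absolute times will be displayed
+.TP
+.B -v, --verbose
+Verbose output
+.TP
+.B --okuser=USER
+Unblock USER
+.TP
+.B --okhost=HOST
+Unblock HOST
+.SH EXAMPLES
+.TP
+Obtain a list of failed hosts and users:
+$ pam_abl
+.TP
+Obtain a full list of failures listing times relative to now:
+$ pam_abl -rv
+.br
+$ pam_abl --relative --verbose
+.TP
+Purge old data:
+$ pam_abl -p
+.br
+$ pam_abl --purge
+.TP
+Unblock all example.com, somewhere.com hosts:
+$ pam_abl -v --okhost=*.example.com --okhost=*.somewhere.com
+.SH AUTHOR
+Andy Armstrong <andy@hexten.net>
+.SH SEE ALSO
+/usr/share/doc/pam_abl-*/CONFIGURATION
+.SH REPORT BUGS
+Please report bugs in English language to the author.
+.SH COPYRIGHT
+pam_abl is licensed under GNU General Public License, the complete license you can get at: http://www.gnu.org/copyleft/gpl.html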
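--- pam_abl/CONFIGURATION 1970-01-01 01:00:00.000000000 +0100
+++ pam_abl/CONFIGURATION.rsc 2006-06-17 20:02:44.000000000 +0200
@@ -0,0 +1,251 @@
+The Auto Blacklist Module: pam_abl
+
+Synopsis
+
+Module name:
+ pam_abl
+Author:
+ Andy Armstrong <andy@hexten.net>
+Maintainer:
+ Andy Armstrong <andy@hexten.net>
+Management groups provided:
+ auth
+Cryptographically sensitive:
+ No.
+Security rating:
+Clean code base:
+ Clean.
+System dependencies:
+ Requires Berkeley DB (tested with 4.3.21 and 4.2.50).
+ Requires a configuration file (by convention /etc/security/pam_abl.conf)
+Network aware:
+ No.
+
+Overview of module
+
+Provides auto blacklisting of hosts and users responsible for repeated failed
+authentication attempts. Generally configured so that blacklisted users still
+see normal login prompts but are guaranteed to fail to authenticate.
+
+This functionality is only available to services which call PAM as root. If
+pam_abl is called for uid != 0 it will silently succeed.
+
+Auth component
+
+Recognised arguments:
+
+ Name Arguments Description
+ debug None Enable debug output to syslog.
+ expose_account None Ignored
+ no_warn None Disable warnings which are otherwise output
+ to syslog.
+ try_first_pass None Ignored
+ use_first_pass None Ignored
+ use_mapped_pass None Ignored
+ The configuration file contains additional
+ arguments. In order for the pam_abl command
+ Path to the line tool to work correctly most of the
+ config configuration configuration should be placed in the config
+ file. file rather than being provided by arguments.
+ The format of the config file is described
+ below.
+ Path to host Path to the Berkeley DB which is used to log
+ host_db database the host responsible for failed
+ file. authentication attempts.
+ Purge time Defines how long failed hosts are retained in
+ host_purge for the host the host database. Defaults to 1 day.
+ database.
+ Rule for host The rule (see below for format) which defines
+ host_rule blacklisting. the conditions under which a failed hosts
+ will be blackisted.
+ Path to user Path to the Berkeley DB which is used to log
+ user_db database the user responsible for failed
+ file. authentication attempts.
+ Purge time Defines how long failed users are retained in
+ user_purge for the user the user database. Defaults to 1 day.
+ database.
+ Rule for user The rule (see below for format) which defines
+ user_rule blacklisting. the conditions under which a failed users
+ will be blackisted.
+
+Description:
+
+ Brute force password discovery attacks involve repeated attempts to
+ authenticate against a service using a dictionary of common passwords.
+ While it is desirable to enforce strong passwords for users this is not
+ always possible and in cases where a weak password has been used brute
+ force attacks can be effective.
+
+ The pam_abl module monitors failed authentication attempts and
+ automatically blacklists those hosts (and accounts) that are responsible
+ for large numbers of failed attempts. Once a host is blacklisted it is
+ guaranteed to fail authentication even if the correct credentials are
+ provided.
+
+ Blacklisting is triggered when the number of failed authentication attempts
+ in a particular period of time exceeds a predefined limit. Hosts which stop
+ attempting to authenticate will, after a period of time, be un-blacklisted.
+
+ This functionality is only available to services which call PAM as root. If
+ pam_abl is called for uid != 0 it will silently succeed. If this was not
+ the case it would be possible for a malicious local user to poison the
+ pam_abl data by, for example, discovering the names of the hosts from which
+ root typically logs in and then constructing PAM authentication code to
+ lock out root login attempts from those hosts.
+
+Usage:
+
+ Typically pam_abl.so is added to the auth stack as a required module just
+ before whatever modules actually peform authentication. Here's a fragment
+ of the PAM config for a production server that is running pam_abl:
+
+ auth required pam_env.so
+ auth required pam_abl.so config=/etc/security/pam_abl.conf
+ auth sufficient pam_unix.so try_first_pass nullok
+ auth required pam_deny.so
+
+ Although all of accepted arguments can be supplied here they will usually
+ be placed in a separate config file and linked to using the config argument
+ as in the above example. The pam_abl command line tool reads the external
+ config file (/etc/security/pam_abl.conf in this case) to find the databases
+ so in order for it work correctly an external config should be used.
+
+Config file syntax:
+
+ The config file can contain any arguments that would be supplied via PAM
+ config. In the config file arguments are placed on separate lines. Comments
+ may be included after a '#' and line continuation is possible by placing a
+ back slash at the end of the line to be continued. Here is a sample /etc/
+ security/pam_abl.conf:
+
+ # /etc/security/pam_abl.conf
+ debug
+ host_db=/var/lib/abl/hosts.db
+ host_purge=2d
+ host_rule=*:10/1h,30/1d
+ user_db=/var/lib/abl/users.db
+ user_purge=2d
+ user_rule=!root:10/1h,30/1d
+
+ All of the standard PAM arguments (debug, expose_account, no_warn,
+ try_first_pass, use_first_pass, use_mapped_pass) are accepted; with the
+ exception of debug and no_warn these are ignored.
+
+ The arguments that are specific to pam_abl are as follows:
+
+ Specify the name of the databases that will be used to log
+ failed authentication attempts. The host database is used to
+ host_db, log the hostname responsible for a failed auth and the user
+ user_db database is used to log the requested username. If host_db or
+ user_db is omitted the corresponding auto blacklisting will be
+ disabled.
+ Specify the length of time for which failed attempts should be
+ kept in the databases. For rules to work correctly this must be
+ at least as long as the longest period specified in a
+ corresponding rule. You may wish to retain information about
+ failed attempts for longer than this so that the pam_abl
+ command line tool can report information over a longer period
+ host_purge, of time. The format for this item is a number with an optional
+ user_purge multiplier suffix, 's', 'm', 'h' or 'd' which correspond with
+ seconds, minutes, hours and days. To specify seven days for
+ example one would use '7d'. Note that in normal operation
+ pam_abl will only purge the logged data for a particular host
+ or user if it happens to be updating it, i.e. if that host or
+ user makes another failed attempt. To purge all old entries the
+ pam_abl command line tool should be used.
+ These are the rules which determine the circumstances under
+ which accounts are auto-blacklisted. The host_rule is used to
+ host_rule, block access to hosts that are responsible for excessive
+ user_rule authentication failures and the user_rule is used to disable
+ accounts for which there have been excessive authentication
+ failures. The rule syntax is described in full below.
+
+Rule syntax:
+
+ Each rule consists of a number of space separated 'user clauses'. A user
+ clause specifies the user (and service) names to match and a set of
+ triggers. A simple example would be
+
+ *:10/1h
+
+ which means 'block any user (*) if they are responsible for ten or more
+ failed authentication attempts in the last hour'. In place of the '*' which
+ matches any user a list of usernames can be supplied like this
+
+ root|dba|admin:10/1h
+
+ which means 'block the users root, dba and admin if they are responsible
+ for ten or more failed authentication attempts in the last hour'. You can
+ also specify a service name to match against like this
+
+ root/sshd|dba/*:3/1d
+
+ which means 'block the users root for service 'sshd' and dba for any
+ service if they are responsible for three or more failed authentication
+ attempts in the last day'. Finally you can specify multiple triggers like
+ this
+
+ root:10/1h,20/1d
+
+ which means 'block the user root if they are responsible for ten or more
+ failed attempts in the last hour or twenty or more failed attempts in the
+ last day.
+
+ Multiple rules can be provided separated by spaces like this
+
+ *:10/1h root:5/1h,10/1d
+
+ in which case all rules that match a particular user and service will be
+ checked. The user or host will be blocked if any of the rule triggers
+ matches. The sense of the user matching can be inverted by placing a '!' in
+ front of the rule so that
+
+ !root:20/1d
+
+ is a rule which would match for all users apart from root. It is important
+ to treat root as a special case in the user_rule otherwise excessive
+ attempts to authenticate as root will result in the root account being
+ locked out even for valid holders of root credentials.
+
+ Here is the full syntax for rules:
+
+ word ::= /[^\s\|\/\*]+/
+ name ::= word | '*'
+ username ::= name
+ servicename ::= name
+ userservice ::= username
+ | username '/' servicename
+ namelist ::= userservice
+ | userservice '|' namelist
+ userspec ::= namelist
+ | '!' namelist
+ multiplier ::= 's' | 'm' | 'h' | 'd'
+ number ::= /\d+/
+ period ::= number
+ | number multiplier
+ trigger ::= number '/' period
+ triglist ::= trigger
+ | trigger ',' triglist
+ userclause ::= userspec ':' triglist
+ rule ::= userclause
+ | userclause /\s+/ rule
+
+Examples/suggested usage:
+
+ Sample PAM config fragment:
+
+ auth required pam_env.so
+ auth required pam_abl.so config=/etc/security/pam_abl.conf
+ auth sufficient pam_unix.so try_first_pass nullok
+ auth required pam_deny.so
+
+ Sample /etc/security/pam_abl.conf:
+
+ # /etc/security/pam_abl.conf
+ debug
+ host_db=/var/lib/abl/hosts.db
+ host_purge=2d
+ host_rule=*:10/1h,30/1d
+ user_db=/var/lib/abl/users.db
+ user_purge=2d
+ user_rule=!root:10/1h,30/1d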
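--- pam_abl/conf/system-auth 2006-06-17 20:02:05.000000000 +0200
+++ pam_abl/conf/system-auth.rsc 2006-06-17 20:07:49.000000000 +0200
@@ -1,15 +1,14 @@
 #%PAM-1.0
-auth required /lib/security/$ISA/pam_env.so
-auth required /lib/security/$ISA/pam_abl.so config=/etc/security/pam_abl.conf
-auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
-auth required /lib/security/$ISA/pam_deny.so
+auth required pam_env.so
+auth required pam_abl.so config=/etc/security/pam_abl.conf
+auth sufficient pam_unix.so try_first_pass nullok
+auth required pam_deny.so
 
-account required /lib/security/$ISA/pam_unix.so
+account required pam_unix.so
 
-password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
-password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
-password required /lib/security/$ISA/pam_deny.so
+password required pam_cracklib.so try_first_pass retry=3
+password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
+password required pam_deny.so
 
-session required /lib/security/$ISA/pam_limits.so
-session required /lib/security/$ISA/pam_abl.so
-session required /lib/security/$ISA/pam_unix.so
+session required pam_limits.so
+session required pam_unix.so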
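Review bot: The new side drops `session required pam_abl.so` from the session stack and swaps the auth line's `likeauth` for `try_first_pass` (the password stack's options change too), while the changelog entry for this file only describes removing `/lib/security/$ISA`; a reader comparing the two will not know whether the missing session line is deliberate. If pam_abl is not meant to be stacked in `session`, the description should say so; otherwise keep `session required pam_abl.so` between the pam_limits and pam_unix lines. The retained `nullok` on `auth sufficient pam_unix.so` still lets accounts with an empty password authenticate, which a sample config shipped with a brute-force defence module should call out explicitly, possibly with a comment line above it.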
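--- pam_abl/doc/index.html 2005-10-12 21:22:27.000000000 +0200
+++ pam_abl/doc/index.html.rsc 2006-06-17 20:23:22.000000000 +0200
@@ -171,10 +171,10 @@
 <p>Typically pam_abl.so is added to the auth stack as a required module just before whatever modules actually peform authentication. Here's a fragment of the PAM config for a production server that is running pam_abl:</p>
 
 <table class="config">
- <tr><td>auth</td><td>required</td><td>/lib/security/pam_env.so</td></tr>
- <tr><td>auth</td><td>required</td><td>/lib/security/pam_abl.so config=/etc/security/pam_abl.conf</td></tr>
- <tr><td>auth</td><td>sufficient</td><td>/lib/security/pam_unix.so likeauth nullok</td></tr>
- <tr><td>auth</td><td>required</td><td>/lib/security/pam_deny.so</td></tr>
+ <tr><td>auth</td><td>required</td><td>pam_env.so</td></tr>
+ <tr><td>auth</td><td>required</td><td>pam_abl.so config=/etc/security/pam_abl.conf</td></tr>
+ <tr><td>auth</td><td>sufficient</td><td>pam_unix.so try_first_pass nullok</td></tr>
+ <tr><td>auth</td><td>required</td><td>pam_deny.so</td></tr>
 </table>
 
 <p>Although all of accepted arguments can be supplied here they will usually be placed in a separate config file and linked to using the config argument as in the above example. The <a href="pam_abl.html">pam_abl command line tool</a> reads the external config file (/etc/security/pam_abl.conf in this case) to find the databases so in order for it work correctly an external config should be used.</p>
@@ -282,10 +282,10 @@
 <p>Sample PAM config fragment:</p>
 
 <table class="config">
- <tr><td>auth</td><td>required</td><td>/lib/security/pam_env.so</td></tr>
- <tr><td>auth</td><td>required</td><td>/lib/security/pam_abl.so config=/etc/security/pam_abl.conf</td></tr>
- <tr><td>auth</td><td>sufficient</td><td>/lib/security/pam_unix.so likeauth nullok</td></tr>
- <tr><td>auth</td><td>required</td><td>/lib/security/pam_deny.so</td></tr>
+ <tr><td>auth</td><td>required</td><td>pam_env.so</td></tr>
+ <tr><td>auth</td><td>required</td><td>pam_abl.so config=/etc/security/pam_abl.conf</td></tr>
+ <tr><td>auth</td><td>sufficient</td><td>pam_unix.so try_first_pass nullok</td></tr>
+ <tr><td>auth</td><td>required</td><td>pam_deny.so</td></tr>
 </table>
 
 <p>Sample /etc/security/pam_abl.conf:</p>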
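--- pam_abl/QUICKSTART 1970-01-01 01:00:00.000000000 +0100
+++ pam_abl/QUICKSTART.rsc 2006-06-17 20:34:27.000000000 +0200
@@ -0,0 +1,23 @@
+QUICKSTART GUIDE
+
+------------------------------------------------------------------------
+Any time changes to the PAM configuration are done by hand, they have
+to be done with great care to avoid disabling system access by accident.
+------------------------------------------------------------------------
+
+To activate the use of pam_abl.so you need to add a PAM rule like
+
+ auth required pam_abl.so config=/etc/security/pam_abl.conf
+
+i.e. in /etc/pam.d/system-auth. Doing so please be aware that
+/etc/pam.d/system-auth is auto-generated at e.g. Fedora Core and Red
+Hat Enterprise Linux systems and that user changes will be destroyed
+the next time authconfig is run, thus this step has to be redone.
+
+You are able to customize the pam_abl.so behaviour by editing
+/etc/security/pam_abl.conf. For detailed instructions please read
+the application's page online at
+
+ http://www.hexten.net/sw/pam_abl/doc/index.html
+
+or have a look to the index.html and pam_abl.html documentation.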