- Updated patches:
+ debian/patches/008_login_log_failure_in_FTMP
+ debian/patches/401_cppw_src.dpatch
+ debian/patches/429_login_FAILLOG_ENAB
+ debian/patches/463_login_delay_obeys_to_PAM
This commit is contained in:
Vendored
+6
-1
@@ -10,9 +10,14 @@ shadow (1:4.1.3.1-1) UNRELEASED; urgency=low
|
||||
- passwd: Report password properties changes if the password is not
|
||||
actually changed. Closes: #525967
|
||||
- Fixed lastlog. 4.1.3 only reported empty logs. Closes: #524873
|
||||
- Updated patches:
|
||||
+ debian/patches/008_login_log_failure_in_FTMP
|
||||
+ debian/patches/401_cppw_src.dpatch
|
||||
+ debian/patches/429_login_FAILLOG_ENAB
|
||||
+ debian/patches/463_login_delay_obeys_to_PAM
|
||||
* debian/securetty.linux: Added Freescale i.MX ports. Closes: #527095
|
||||
|
||||
-- Christian Perrier <bubulle@debian.org> Thu, 07 May 2009 19:20:57 +0200
|
||||
-- Christian Perrier <bubulle@debian.org> Sat, 09 May 2009 15:44:03 +0200
|
||||
|
||||
shadow (1:4.1.3.1-1) unstable; urgency=low
|
||||
|
||||
|
||||
+23
-28
@@ -8,36 +8,31 @@ Index: shadow-4.1.0/src/login.c
|
||||
===================================================================
|
||||
--- shadow-4.1.0.orig/src/login.c
|
||||
+++ shadow-4.1.0/src/login.c
|
||||
@@ -722,6 +722,29 @@
|
||||
#endif /* WITH_AUDIT */
|
||||
@@ -722,6 +722,24 @@
|
||||
(void) puts ("");
|
||||
(void) puts (_("Login incorrect"));
|
||||
|
||||
fprintf (stderr, "\nLogin incorrect\n");
|
||||
+ if (getdef_str("FTMP_FILE") != NULL) {
|
||||
+#if HAVE_UTMPX_H
|
||||
+ failent = utxent;
|
||||
+ if (sizeof (failent.ut_tv) == sizeof (struct timeval))
|
||||
+ gettimeofday((struct timeval *)
|
||||
+ &failent.ut_tv, NULL);
|
||||
+ else {
|
||||
+ struct timeval tv;
|
||||
+ if (getdef_str("FTMP_FILE") != NULL) {
|
||||
+#ifdef USE_UTMPX
|
||||
+ struct utmpx *failent =
|
||||
+ prepare_utmpx (failent_user,
|
||||
+ tty,
|
||||
+ /* FIXME: or fromhost? */hostname,
|
||||
+ utent);
|
||||
+#else /* !USE_UTMPX */
|
||||
+ struct utmp *failent =
|
||||
+ prepare_utmp (failent_user,
|
||||
+ tty,
|
||||
+ hostname,
|
||||
+ utent);
|
||||
+#endif /* !USE_UTMPX */
|
||||
+ failtmp (failent_user, failent);
|
||||
+ free (failent);
|
||||
+ }
|
||||
+
|
||||
+ gettimeofday (&tv, NULL);
|
||||
+ failent.ut_tv.tv_sec = tv.tv_sec;
|
||||
+ failent.ut_tv.tv_usec = tv.tv_usec;
|
||||
+ }
|
||||
+#else
|
||||
+ failent = utent;
|
||||
+ failent.ut_time = time(NULL);
|
||||
+#endif
|
||||
+ strncpy(failent.ut_user, failent_user, sizeof(failent.ut_user));
|
||||
+#ifdef USER_PROCESS
|
||||
+ failent.ut_type = USER_PROCESS;
|
||||
+#endif
|
||||
+ failtmp(&failent);
|
||||
+ }
|
||||
|
||||
/*
|
||||
* Let's give it another go around.
|
||||
if (failcount >= retries) {
|
||||
SYSLOG ((LOG_NOTICE,
|
||||
"TOO MANY LOGIN TRIES (%d)%s FOR '%s'",
|
||||
Index: shadow-4.1.0/lib/getdef.c
|
||||
===================================================================
|
||||
--- shadow-4.1.0.orig/lib/getdef.c
|
||||
|
||||
Vendored
+1
-1
@@ -224,7 +224,7 @@ Index: shadow-4.1.0/src/Makefile.am
|
||||
@@ -59,6 +60,7 @@
|
||||
chgpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
|
||||
chsh_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT) $(LIBSKEY) $(LIBMD)
|
||||
chpasswd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBSELINUX) $(LIBCRYPT)
|
||||
chpasswd_LDADD = $(LDADD) $(LIBPAM) $(LIBSELINUX) $(LIBCRYPT)
|
||||
+cppw_LDADD = $(LDADD) $(LIBSELINUX)
|
||||
gpasswd_LDADD = $(LDADD) $(LIBAUDIT) $(LIBSELINUX) $(LIBCRYPT)
|
||||
groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
|
||||
|
||||
+46
-43
@@ -7,55 +7,58 @@ Fixes: #192849
|
||||
Note: It could be removed if pam_tally could report the number of failures
|
||||
preceding a successful login.
|
||||
|
||||
Index: shadow-4.1.0/src/login.c
|
||||
Index: shadow-4.1.3.1/src/login.c
|
||||
===================================================================
|
||||
--- shadow-4.1.0.orig/src/login.c
|
||||
+++ shadow-4.1.0/src/login.c
|
||||
@@ -130,9 +130,9 @@
|
||||
static void setup_tty (void);
|
||||
static void check_flags (int, char *const *);
|
||||
--- shadow-4.1.3.1.orig/src/login.c 2009-05-04 19:38:24.668839562 +0200
|
||||
+++ shadow-4.1.3.1/src/login.c 2009-05-04 19:50:43.360832944 +0200
|
||||
@@ -131,9 +131,9 @@
|
||||
const char *host,
|
||||
/*@null@*/const struct utmp *utent);
|
||||
|
||||
+static struct faillog faillog;
|
||||
+
|
||||
#ifndef USE_PAM
|
||||
-static struct faillog faillog;
|
||||
-
|
||||
-#ifndef USE_PAM
|
||||
static struct faillog faillog;
|
||||
|
||||
+#ifndef USE_PAM
|
||||
static void bad_time_notify (void);
|
||||
static void check_nologin (void);
|
||||
#endif
|
||||
@@ -673,6 +673,8 @@
|
||||
static void check_nologin (bool login_to_root);
|
||||
#else
|
||||
@@ -792,6 +792,9 @@
|
||||
SYSLOG ((LOG_NOTICE,
|
||||
"TOO MANY LOGIN TRIES (%d)%s FOR `%s'",
|
||||
"TOO MANY LOGIN TRIES (%d)%s FOR '%s'",
|
||||
failcount, fromhost, failent_user));
|
||||
+ if (pwd && getdef_bool("FAILLOG_ENAB"))
|
||||
+ failure (pwent.pw_uid, tty, &faillog);
|
||||
+ if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) {
|
||||
+ failure (pwd->pw_uid, tty, &faillog);
|
||||
+ }
|
||||
fprintf(stderr,
|
||||
_("Maximum number of tries exceeded (%d)\n"),
|
||||
failcount);
|
||||
@@ -690,6 +692,13 @@
|
||||
@@ -809,6 +812,14 @@
|
||||
pam_strerror (pamh, retcode)));
|
||||
failed = true;
|
||||
}
|
||||
+ if (pwd && getdef_bool("FAILLOG_ENAB") &&
|
||||
+ ! failcheck (pwent.pw_uid, &faillog, failed)) {
|
||||
+ SYSLOG((LOG_CRIT,
|
||||
+ "exceeded failure limit for `%s' %s",
|
||||
+ failent_user, fromhost));
|
||||
+ failed = 1;
|
||||
+ }
|
||||
+ if ( (NULL != pwd)
|
||||
+ && getdef_bool("FAILLOG_ENAB")
|
||||
+ && ! failcheck (pwd->pw_uid, &faillog, failed)) {
|
||||
+ SYSLOG((LOG_CRIT,
|
||||
+ "exceeded failure limit for `%s' %s",
|
||||
+ failent_user, fromhost));
|
||||
+ failed = 1;
|
||||
+ }
|
||||
|
||||
if (!failed) {
|
||||
break;
|
||||
@@ -766,6 +731,8 @@
|
||||
#endif /* WITH_AUDIT */
|
||||
@@ -832,6 +843,10 @@
|
||||
(void) puts ("");
|
||||
(void) puts (_("Login incorrect"));
|
||||
|
||||
fprintf (stderr, "\nLogin incorrect\n");
|
||||
+ if (pwd && getdef_bool("FAILLOG_ENAB"))
|
||||
+ failure (pwent.pw_uid, tty, &faillog);
|
||||
if (getdef_str("FTMP_FILE") != NULL) {
|
||||
#if HAVE_UTMPX_H
|
||||
failent = utxent;
|
||||
@@ -1099,6 +1110,7 @@
|
||||
+ if ((NULL != pwd) && getdef_bool("FAILLOG_ENAB")) {
|
||||
+ failure (pwd->pw_uid, tty, &faillog);
|
||||
+ }
|
||||
+
|
||||
if (getdef_str("FTMP_FILE") != NULL) {
|
||||
#ifdef USE_UTMPX
|
||||
struct utmpx *failent =
|
||||
@@ -1281,6 +1296,7 @@
|
||||
*/
|
||||
#ifndef USE_PAM
|
||||
motd (); /* print the message of the day */
|
||||
@@ -63,19 +66,19 @@ Index: shadow-4.1.0/src/login.c
|
||||
if ( getdef_bool ("FAILLOG_ENAB")
|
||||
&& (0 != faillog.fail_cnt)) {
|
||||
failprint (&faillog);
|
||||
@@ -1112,6 +1124,7 @@
|
||||
username, (int) faillog.fail_cnt));
|
||||
@@ -1293,6 +1309,7 @@
|
||||
username, (int) faillog.fail_cnt));
|
||||
}
|
||||
}
|
||||
+#ifndef USE_PAM
|
||||
if ( getdef_bool ("LASTLOG_ENAB")
|
||||
&& (0 != lastlog.ll_time)) {
|
||||
time_t ll_time = lastlog.ll_time;
|
||||
Index: shadow-4.1.0/lib/getdef.c
|
||||
&& (ll.ll_time != 0)) {
|
||||
time_t ll_time = ll.ll_time;
|
||||
Index: shadow-4.1.3.1/lib/getdef.c
|
||||
===================================================================
|
||||
--- shadow-4.1.0.orig/lib/getdef.c
|
||||
+++ shadow-4.1.0/lib/getdef.c
|
||||
@@ -57,6 +57,7 @@
|
||||
--- shadow-4.1.3.1.orig/lib/getdef.c 2009-05-04 19:38:24.672844662 +0200
|
||||
+++ shadow-4.1.3.1/lib/getdef.c 2009-05-04 19:50:14.720839237 +0200
|
||||
@@ -61,6 +61,7 @@
|
||||
{"ENV_SUPATH", NULL},
|
||||
{"ERASECHAR", NULL},
|
||||
{"FAIL_DELAY", NULL},
|
||||
@@ -83,7 +86,7 @@ Index: shadow-4.1.0/lib/getdef.c
|
||||
{"FAKE_SHELL", NULL},
|
||||
{"FTMP_FILE", NULL},
|
||||
{"GID_MAX", NULL},
|
||||
@@ -93,7 +94,6 @@
|
||||
@@ -103,7 +104,6 @@
|
||||
{"ENV_HZ", NULL},
|
||||
{"ENVIRON_FILE", NULL},
|
||||
{"ENV_TZ", NULL},
|
||||
|
||||
+13
-10
@@ -15,15 +15,15 @@ Index: shadow-4.1.0/src/login.c
|
||||
#if defined(HAVE_STRFTIME) && !defined(USE_PAM)
|
||||
char ptime[80];
|
||||
#endif
|
||||
- int delay;
|
||||
int retries;
|
||||
- unsigned int delay;
|
||||
unsigned int retries;
|
||||
bool failed;
|
||||
bool subroot = false;
|
||||
@@ -354,6 +353,7 @@
|
||||
char *pam_user;
|
||||
char **ptr_pam_user = &pam_user;
|
||||
#else
|
||||
+ int delay;
|
||||
+ unsigned int delay;
|
||||
struct spwd *spwd = NULL;
|
||||
#endif
|
||||
/*
|
||||
@@ -31,17 +31,20 @@ Index: shadow-4.1.0/src/login.c
|
||||
}
|
||||
|
||||
environ = newenvp; /* make new environment active */
|
||||
- delay = getdef_num ("FAIL_DELAY", 1);
|
||||
retries = getdef_num ("LOGIN_RETRIES", RETRIES);
|
||||
- delay = getdef_unum ("FAIL_DELAY", 1);
|
||||
retries = getdef_unum ("LOGIN_RETRIES", RETRIES);
|
||||
|
||||
#ifdef USE_PAM
|
||||
@@ -594,17 +593,12 @@
|
||||
@@ -594,20 +593,15 @@
|
||||
|
||||
/*
|
||||
* hostname & tty are either set to NULL or their correct values,
|
||||
- * depending on how much we know. We also set PAM's fail delay to
|
||||
- * ours.
|
||||
+ * depending on how much we know.
|
||||
*
|
||||
* PAM_RHOST and PAM_TTY are used for authentication, only use
|
||||
* information coming from login or from the caller (e.g. no utmp)
|
||||
*/
|
||||
retcode = pam_set_item (pamh, PAM_RHOST, hostname);
|
||||
PAM_FAIL_CHECK;
|
||||
@@ -68,8 +71,8 @@ Index: shadow-4.1.0/src/login.c
|
||||
retcode = pam_authenticate (pamh, 0);
|
||||
|
||||
@@ -956,14 +948,17 @@
|
||||
pw_auth ("!", username, reason, (char *) 0);
|
||||
}
|
||||
free (username);
|
||||
username = NULL;
|
||||
|
||||
+#ifndef USE_PAM
|
||||
/*
|
||||
@@ -77,9 +80,9 @@ Index: shadow-4.1.0/src/login.c
|
||||
* to login the user again. If the earlier alarm occurs
|
||||
* before the sleep() below completes, login will exit.
|
||||
*/
|
||||
+ delay = getdef_num ("FAIL_DELAY", 1);
|
||||
+ delay = getdef_unum ("FAIL_DELAY", 1);
|
||||
if (delay > 0) {
|
||||
sleep (delay);
|
||||
(void) sleep (delay);
|
||||
}
|
||||
+#endif
|
||||
|
||||
|
||||
Reference in New Issue
Block a user