diff --git a/root/etc/e-smith/db/configuration/defaults/pam_tally/status b/root/etc/e-smith/db/configuration/defaults/pam_faillock/status
similarity index 100%
rename from root/etc/e-smith/db/configuration/defaults/pam_tally/status
rename to root/etc/e-smith/db/configuration/defaults/pam_faillock/status
diff --git a/root/etc/e-smith/db/configuration/defaults/pam_tally/type b/root/etc/e-smith/db/configuration/defaults/pam_faillock/type
similarity index 100%
rename from root/etc/e-smith/db/configuration/defaults/pam_tally/type
rename to root/etc/e-smith/db/configuration/defaults/pam_faillock/type
diff --git a/root/etc/e-smith/db/configuration/migrate/05pam_faillock b/root/etc/e-smith/db/configuration/migrate/05pam_faillock
new file mode 100644
index 0000000..eafa8e4
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/migrate/05pam_faillock
@@ -0,0 +1,11 @@
+{
+ my $pamtally = $DB->get("pam_tally") or return;
+
+ my $pamfaillock = $DB->get("pam_faillock") ||
+ $DB->new_record("pam_faillock", { type => "service" });
+
+ $pamfaillock->merge_props($pamtally->props);
+
+ $pamtally->delete;
+}
+
diff --git a/root/etc/e-smith/templates/etc/pam.d/system-auth/20auth b/root/etc/e-smith/templates/etc/pam.d/system-auth/20auth
index e0d88ba..793e756 100644
--- a/root/etc/e-smith/templates/etc/pam.d/system-auth/20auth
+++ b/root/etc/e-smith/templates/etc/pam.d/system-auth/20auth
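Review bot: The new migrate fragment carries no comment, and `merge_props($pamtally->props)` copies every pam_tally property onto the pam_faillock record, overwriting whatever that record already holds (including the `type` just set on a freshly created one) before `$pamtally->delete` removes the source; as a one-shot rename that is presumably intended, but nothing in the file says so. A header along the lines of `# One-shot migration: carry the admin's pam_tally settings over to the pam_faillock record, then drop pam_tally; the early return keeps this idempotent once pam_tally is gone.` would document the intent and the `or return` guard. If a pam_faillock record can already exist with admin-set values when this runs, consider merging only the keys pam_faillock does not yet have instead of the whole property set.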
@@ -1,9 +1,10 @@
-{
- my $status = $pam_tally{status} || 'disabled';
- return unless $status eq 'enabled';
- $OUT .= "auth required pam_tally.so onerr=fail no_magic_root";
-}
 auth required pam_env.so
+{
+ my $status = $pam_faillock{status} || 'disabled';
+ return unless $status eq 'enabled';
+ # lock out users after three unsuccessful attempts and unlock the user account after 10 minutes (600 seconds)
+ $OUT .= "auth required pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=600 root_unlock_time=600";
+}
 {
 my $status = $pam_abl{status} || 'disabled';
 return unless $status eq 'enabled';
@@ -15,5 +16,10 @@ auth sufficient pam_unix.so likeauth nullok
 return unless $status eq 'enabled';
 $OUT .= "auth sufficient pam_ldap.so use_first_pass";
 }
+{
+ my $status = $pam_faillock{status} || 'disabled';
+ return unless $status eq 'enabled';
+ $OUT .= "auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600";
+}
 auth required pam_deny.so
diff --git a/root/etc/e-smith/templates/etc/pam.d/system-auth/30account b/root/etc/e-smith/templates/etc/pam.d/system-auth/30account
index 7948721..2f4b750 100644
--- a/root/etc/e-smith/templates/etc/pam.d/system-auth/30account
+++ b/root/etc/e-smith/templates/etc/pam.d/system-auth/30account
@@ -7,7 +7,9 @@ account sufficient pam_succeed_if.so uid < 100 quiet
 }
 account required pam_permit.so
 {
- my $status = $pam_tally{status} || 'disabled';
+ my $status = $pam_faillock{status} || 'disabled';
 return unless $status eq 'enabled';
- $OUT .= "account required pam_tally.so deny=5 reset no_magic_root";
+ # if you drop this call to pam_faillock.so the lock will be done also
+ # on non-consecutive authentication failures
+ $OUT .= "account required pam_faillock.so";
 }
diff --git a/smeserver-base.spec b/smeserver-base.spec
index 67ddc97..b3124d6 100644
--- a/smeserver-base.spec
+++ b/smeserver-base.spec
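Review bot: The lockout parameters are hard-coded twice in this template, `deny=3 ... unlock_time=600` on the preauth line here and again on the authfail line in the second hunk, and the threshold also silently drops from the 5 attempts the removed pam_tally account line enforced (`deny=5` in 30account) to 3, which the changelog entry does not mention. Two copies of the same constants are easy to let drift, and drift matters for pam_faillock because each call is evaluated with its own option set. Consider computing them once at the top of the fragment, e.g. `my $deny = $pam_faillock{Deny} || 3; my $unlock = $pam_faillock{UnlockTime} || 600;`, and interpolating `$deny`/`$unlock` into both lines, or moving the values to /etc/security/faillock.conf if the target release's pam supports it; either way, record the 5-to-3 change in the changelog if it is intended.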
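Review bot: The authfail line added in this hunk runs with `deny=3 unlock_time=600` only, while the preauth line earlier in the file also passes `even_deny_root` and `root_unlock_time=600`, so the two pam_faillock calls see different option sets; to my reading the pam_faillock(8) documentation repeats identical options on every line and does not define the behaviour when they differ, so how root's failures are recorded and unlocked here depends on module internals rather than on this config. Make them match, `$OUT .= "auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=600 root_unlock_time=600";`, or move all options to /etc/security/faillock.conf where the installed pam provides it and leave both module lines bare.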
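Review bot: The new `account required pam_faillock.so` line comes after `account sufficient pam_succeed_if.so uid < 100 quiet` (the hunk's header context), so for any account with uid below 100, root included, the account stack returns at pam_succeed_if and pam_faillock's success-time reset never runs. With `even_deny_root` on the preauth line that means root's tally only ever grows, which is exactly the effect the added comment warns about: non-consecutive failures accumulate until the 600-second lock triggers, a cheap denial of service against the root account. If that pam_succeed_if line is unconditional on deployed systems, move this block ahead of it so the reset applies to every user (the Fedora/RHEL authselect profiles place the faillock account call before pam_unix for the same reason). The `{ ... }` block the hunk's first `}` closes starts outside the hunk, and the pam_succeed_if line may itself be inside a conditional template block, so confirm against the rendered /etc/pam.d/system-auth.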
@@ -4,7 +4,7 @@ Summary: smeserver server and gateway - base module
 %define name smeserver-base
 Name: %{name}
 %define version 11.0.0
-%define release 25
+%define release 26
 Version: %{version}
 Release: %{release}%{?dist}
 License: GPL
@@ -69,7 +69,11 @@ BuildRequires: smeserver-devtools >= 1.13.1-03
 BuildRequires: gettext
 Requires: gdisk
 Requires: ppp
-Requires: rp-pppoe
+Requires: rp-pppoe
+# pam autoblock
+Requires: pam_abl
+# isdn wan connection (ippp)
+Requires: isdn4k-utils
 %define dbfiles accounts configuration domains hosts networks
 AutoReqProv: no
@@ -188,6 +192,12 @@ fi
 %changelog
+* Wed Feb 12 2025 Jean-Philippe Pialasse 11.0.0-26.sme
+- add pam_abl requirement [SME: 12914]
+- add isdn4k-utils requirement for ippp isdn connections [SME: 12909]
+- remove pam_tally as deprecated in favor of pam_faillock [SME: 12913]
+- fix CGI::param called in list context [SME: 12888]
+
 * Tue Feb 04 2025 Jean-Philippe Pialasse 11.0.0-25.sme
 - fix boot ordering cycle [SME: 12902]