smeserver/smeserver-base
6
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

* Wed Feb 12 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-26.sme

Browse Source 
- add pam_abl requirement [SME: 12914]
- add isdn4k-utils requirement for ippp isdn connections [SME: 12909]
- remove pam_tally as deprecated in favor of pam_faillock [SME: 12913]
- fix CGI::param called in list context [SME: 12888]
This commit is contained in:
Jean-Philippe Pialasse
2025-02-12 22:17:17 -05:00
parent 74d45e3c8e
commit 4c64e91235
6 changed files with 38 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
root/etc/e-smith/db/configuration/defaults/pam_tally/status → root/etc/e-smith/db/configuration/defaults/pam_faillock/status
View File

0
root/etc/e-smith/db/configuration/defaults/pam_tally/type → root/etc/e-smith/db/configuration/defaults/pam_faillock/type
View File

11
root/etc/e-smith/db/configuration/migrate/05pam_faillock Normal file
View File

@@ -0,0 +1,11 @@
{
my $pamtally = $DB->get("pam_tally") or return;
my $pamfaillock = $DB->get("pam_faillock") ||
$DB->new_record("pam_faillock", { type => "service" });
$pamfaillock->merge_props($pamtally->props);
$pamtally->delete;
}

16
root/etc/e-smith/templates/etc/pam.d/system-auth/20auth
View File

@@ -1,9 +1,10 @@
{
my $status = $pam_tally{status} || 'disabled';
return unless $status eq 'enabled';
$OUT .= "auth required pam_tally.so onerr=fail no_magic_root";
}
auth required pam_env.so
{
my $status = $pam_faillock{status} || 'disabled';
return unless $status eq 'enabled';
# lock out users after three unsuccessful attempts and unlock the user account after 10 minutes (600 seconds)
$OUT .= "auth required pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=600 root_unlock_time=600";
}
{
my $status = $pam_abl{status} || 'disabled';
return unless $status eq 'enabled';
@@ -15,5 +16,10 @@ auth sufficient pam_unix.so likeauth nullok
return unless $status eq 'enabled';
$OUT .= "auth sufficient pam_ldap.so use_first_pass";
}
{
my $status = $pam_faillock{status} || 'disabled';
return unless $status eq 'enabled';
$OUT .= "auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600";
}
auth required pam_deny.so

6
root/etc/e-smith/templates/etc/pam.d/system-auth/30account
View File

@@ -7,7 +7,9 @@ account sufficient pam_succeed_if.so uid < 100 quiet
}
account required pam_permit.so
{
my $status = $pam_tally{status} || 'disabled';
my $status = $pam_faillock{status} || 'disabled';
return unless $status eq 'enabled';
$OUT .= "account required pam_tally.so deny=5 reset no_magic_root";
# if you drop this call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures
$OUT .= "account required pam_faillock.so";
}