* Wed Feb 12 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-26.sme

- add pam_abl requirement [SME: 12914] - add isdn4k-utils requirement for ippp isdn connections [SME: 12909] - remove pam_tally as deprecated in favor of pam_faillock [SME: 12913] - fix CGI::param called in list context [SME: 12888]
2025-02-12 22:17:17 -05:00
parent 74d45e3c8e
commit 4c64e91235
6 changed files with 38 additions and 9 deletions
--- a/root/etc/e-smith/templates/etc/pam.d/system-auth/20auth
+++ b/root/etc/e-smith/templates/etc/pam.d/system-auth/20auth
@@ -1,9 +1,10 @@
-{
-    my $status = $pam_tally{status} || 'disabled';
-    return unless $status eq 'enabled';
-    $OUT .= "auth        required      pam_tally.so onerr=fail no_magic_root";
-}
 auth        required      pam_env.so
+{
+    my $status = $pam_faillock{status} || 'disabled';
+    return unless $status eq 'enabled';
+    # lock out users after three unsuccessful attempts and unlock the user account after 10 minutes (600 seconds)
+    $OUT .= "auth        required      pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=600 root_unlock_time=600";
+}
 {
    my $status = $pam_abl{status} || 'disabled';
    return unless $status eq 'enabled';
@@ -15,5 +16,10 @@ auth        sufficient    pam_unix.so likeauth nullok
    return unless $status eq 'enabled';
    $OUT .= "auth        sufficient    pam_ldap.so use_first_pass";
 }
+{
+    my $status = $pam_faillock{status} || 'disabled';
+    return unless $status eq 'enabled';
+    $OUT .= "auth        [default=die]      pam_faillock.so authfail audit deny=3 unlock_time=600";
+}
 auth        required      pam_deny.so

--- a/root/etc/e-smith/templates/etc/pam.d/system-auth/30account
+++ b/root/etc/e-smith/templates/etc/pam.d/system-auth/30account
@@ -7,7 +7,9 @@ account     sufficient    pam_succeed_if.so uid < 100 quiet
 }
 account     required      pam_permit.so
 {
-    my $status = $pam_tally{status} || 'disabled';
+    my $status = $pam_faillock{status} || 'disabled';
    return unless $status eq 'enabled';
-    $OUT .= "account     required      pam_tally.so deny=5 reset no_magic_root";
+    # if you drop this call to pam_faillock.so the lock will be done also
+    # on non-consecutive authentication failures
+    $OUT .= "account     required      pam_faillock.so";
 }