* Wed Feb 12 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-26.sme

- add pam_abl requirement [SME: 12914]
- add isdn4k-utils requirement for ippp isdn connections [SME: 12909]
- remove pam_tally as deprecated in favor of pam_faillock [SME: 12913]
- fix CGI::param called in list context [SME: 12888]

root/etc/e-smith/db/configuration/migrate/05pam_faillock

@@ -0,0 +1,11 @@
+{
+    my $pamtally = $DB->get("pam_tally") or return;
+
+    my $pamfaillock = $DB->get("pam_faillock") ||
+        $DB->new_record("pam_faillock", { type => "service" });
+
+    $pamfaillock->merge_props($pamtally->props);
+
+    $pamtally->delete;
+}
+

root/etc/e-smith/templates/etc/pam.d/system-auth/20auth

@@ -1,9 +1,10 @@
-{
-    my $status = $pam_tally{status} || 'disabled';
-    return unless $status eq 'enabled';
-    $OUT .= "auth        required      pam_tally.so onerr=fail no_magic_root";
-}
 auth        required      pam_env.so
+{
+    my $status = $pam_faillock{status} || 'disabled';
+    return unless $status eq 'enabled';
+    # lock out users after three unsuccessful attempts and unlock the user account after 10 minutes (600 seconds)
+    $OUT .= "auth        required      pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=600 root_unlock_time=600";
+}
 {
     my $status = $pam_abl{status} || 'disabled';
     return unless $status eq 'enabled';
@@ -15,5 +16,10 @@ auth        sufficient    pam_unix.so likeauth nullok
     return unless $status eq 'enabled';
     $OUT .= "auth        sufficient    pam_ldap.so use_first_pass";
 }
+{
+    my $status = $pam_faillock{status} || 'disabled';
+    return unless $status eq 'enabled';
+    $OUT .= "auth        [default=die]      pam_faillock.so authfail audit deny=3 unlock_time=600";
+}
 auth        required      pam_deny.so
 

root/etc/e-smith/templates/etc/pam.d/system-auth/30account

@@ -7,7 +7,9 @@ account     sufficient    pam_succeed_if.so uid < 100 quiet
 }
 account     required      pam_permit.so
 {
-    my $status = $pam_tally{status} || 'disabled';
+    my $status = $pam_faillock{status} || 'disabled';
     return unless $status eq 'enabled';
-    $OUT .= "account     required      pam_tally.so deny=5 reset no_magic_root";
+    # if you drop this call to pam_faillock.so the lock will be done also
+    # on non-consecutive authentication failures
+    $OUT .= "account     required      pam_faillock.so";
 }

smeserver-base.spec

@@ -4,7 +4,7 @@ Summary: smeserver server and gateway - base module
 %define name smeserver-base
 Name: %{name}
 %define version 11.0.0
-%define release 25
+%define release 26
 Version: %{version}
 Release: %{release}%{?dist}
 License: GPL
@@ -69,7 +69,11 @@ BuildRequires: smeserver-devtools >= 1.13.1-03
 BuildRequires: gettext
 Requires: gdisk
 Requires: ppp
-Requires: rp-pppoe 
+Requires: rp-pppoe
+# pam autoblock 
+Requires: pam_abl 
+# isdn wan connection (ippp)
+Requires: isdn4k-utils
 %define dbfiles accounts configuration domains hosts networks
 AutoReqProv: no
 
@@ -188,6 +192,12 @@ fi
 
 
 %changelog
+* Wed Feb 12 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-26.sme
+- add pam_abl requirement [SME: 12914]
+- add isdn4k-utils requirement for ippp isdn connections [SME: 12909]
+- remove pam_tally as deprecated in favor of pam_faillock [SME: 12913]
+- fix CGI::param called in list context [SME: 12888]
+
 * Tue Feb 04 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-25.sme
 - fix boot ordering cycle [SME: 12902]