That's exciting! I'm definitely interested in giving it a try. Where can I get it at?

On Mon, 2005-01-03 at 15:05, Andy Armstrong wrote:
> Andy Armstrong wrote:
> > Hi folks and happy new year,
> >
> > I'm writing a PAM module that will allow me to reject connections from
> > remote hosts that have been responsible for a large number of failed login
> > attempts. I've pretty much got working code but I'm agonising over the
> > best way to log failed attempts.
> >
> > I can get something working by flagging a request as potentially failed
> > during auth processing and then clearing that flag if we get as far as
> > session processing. I'd use pam_set_data() effectively for the side
> > effect of giving me a callback to the cleanup routine which is where I'd
> > actually record the success or failure of the login attempt (in a DBM
> > database).
> >
> > I assume that'll work in which case it'll scratch my immediate itch but
> > I also assume that it's not the cleanest way to detect a failed auth
> > attempt. Can anyone recommend a nicer approach?
>
> The module is complete and working now. It successfully rejects auth
> attempts from hosts that are responsible for excessive authentication
> failures according to a configurable set of rules.
>
> It still needs to function both as an auth and a session module to find
> out whether authentication was ultimately successful so you end up with
> a config like this (this is my /etc/pam.d/system-auth):
>
>   auth     required    /lib/security/$ISA/pam_abl.so \
>                        config=/etc/pam_abl.conf
>   auth     sufficient  /lib/security/$ISA/pam_unix.so likeauth nullok
>   auth     required    /lib/security/$ISA/pam_deny.so
>
>   session  required    /lib/security/$ISA/pam_abl.so
>   session  required    /lib/security/$ISA/pam_unix.so
>
> If anyone can give me any insight as to how to avoid the need for the
> session hook I'd be grateful.
>
> I'll document it and release it on my site sometime in the next couple
> of days. Is there anything else I should usefully do to announce it to
> interested parties?

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
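
The flag-then-clear approach from the quoted message, as an added C example that is not part of the original thread and not the module's own code. `pam_set_data`/`pam_get_data` here are one-slot stand-ins with libpam's signatures so the example runs without libpam; `abl_auth`, `abl_session`, `record_attempt`, `simulate_login` and the two counters that replace the DBM database are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
/* Stand-ins with libpam's signatures so this runs without libpam; one data slot. */
#define PAM_SUCCESS 0
typedef struct pam_handle pam_handle_t;
typedef void (*cleanup_fn)(pam_handle_t *, void *, int);
struct pam_handle { void *data; cleanup_fn cleanup; };
static int pam_set_data(pam_handle_t *h, const char *name, void *d, cleanup_fn c) {
    (void)name; h->data = d; h->cleanup = c; return PAM_SUCCESS;
}
static int pam_get_data(const pam_handle_t *h, const char *name, const void **d) {
    (void)name; *d = h->data; return h->data ? PAM_SUCCESS : 1;
}

struct attempt { const char *rhost; int failed; };
static int failures, successes;   /* constructed stand-in for the DBM database */
/* Cleanup callback: runs when the handle is torn down, whatever the outcome. */
static void record_attempt(pam_handle_t *h, void *data, int status) {
    struct attempt *a = data; (void)h; (void)status;
    if (a->failed) failures++; else successes++;
    free(a);
}
/* auth hook: flag the attempt as failed until proven otherwise */
static int abl_auth(pam_handle_t *h, const char *rhost) {
    struct attempt *a = malloc(sizeof *a);
    if (!a) return 1;
    a->rhost = rhost; a->failed = 1;
    return pam_set_data(h, "abl_attempt", a, record_attempt);
}
/* session hook: only reached after the auth stack succeeded, so clear the flag */
static int abl_session(pam_handle_t *h) {
    const void *p;
    if (pam_get_data(h, "abl_attempt", &p) != PAM_SUCCESS) return 1;
    ((struct attempt *)p)->failed = 0;
    return PAM_SUCCESS;
}
/* Hypothetical driver playing the application: auth, maybe session, teardown. */
static int simulate_login(const char *rhost, int auth_ok) {
    pam_handle_t h = {0};
    if (abl_auth(&h, rhost) != PAM_SUCCESS) return -1;
    if (auth_ok && abl_session(&h) != PAM_SUCCESS) return -1;
    h.cleanup(&h, h.data, 0);     /* libpam calls the cleanup from pam_end() */
    return failures;              /* running total of recorded failures */
}
int main(void) {
    simulate_login("192.0.2.7", 0);   /* constructed sample hosts */
    simulate_login("192.0.2.9", 1);
    printf("failures=%d successes=%d\n", failures, successes);
    return 0;
}
```

In a real module the two hooks would be `pam_sm_authenticate` and `pam_sm_open_session`, with the remote host read from the `PAM_RHOST` item.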