Hi folks and happy new year,
I'm writing a PAM module that will allow me to reject connections from remote hosts that have been responsible for a large number of failed login attempts. I've pretty much got working code but I'm agonising over the best way to log failed attempts.
I can get something working by flagging a request as potentially failed during auth processing and then clearing that flag if we get as far as session processing. I'd use pam_set_data() effectively for the side effect of giving me a callback to the cleanup routine which is where I'd actually record the success or failure of the login attempt (in a DBM database).
I assume that'll work in which case it'll scratch my immediate itch but I also assume that it's not the cleanest way to detect a failed auth attempt. Can anyone recommend a nicer approach?
The module is complete and working now. It successfully rejects auth attempts from hosts that are responsible for excessive authentication failures according to a configurable set of rules.
It still needs to function both as an auth and a session module to find out whether authentication was ultimately successful so you end up with a config like this (this is my /etc/pam.d/system-auth):
auth required /lib/security/$ISA/pam_abl.so \
    config=/etc/pam_abl.conf
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_abl.so
session required /lib/security/$ISA/pam_unix.so
If anyone can give me any insight as to how to avoid the need for the session hook I'd be grateful.
I'll document it and release it on my site sometime in the next couple of days. Is there anything else I should usefully do to announce it to interested parties?
-- Andy Armstrong
_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
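The auth-flag / session-clear / cleanup-record lifecycle the post describes, as an added stand-alone example in C that is not Andy's pam_abl code: the PAM handle, pam_set_data() and the DBM store are replaced by a hypothetical in-memory table and explicit calls so it runs without libpam, and the host addresses and failure limit are constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_HOSTS 16
#define HOST_LEN 64

/* Hypothetical in-memory stand-in for the per-host DBM record. */
struct host_rec { char host[HOST_LEN]; int failures; int successes; };
static struct host_rec db[MAX_HOSTS];
static int db_count;

/* Per-request state; in the real module this is the object handed to
 * pam_set_data() so that its cleanup callback can record the outcome. */
struct attempt { char host[HOST_LEN]; int pending_failure; };

static struct host_rec *host_record(const char *host)
{
    for (int i = 0; i < db_count; i++)
        if (strcmp(db[i].host, host) == 0)
            return &db[i];
    if (db_count == MAX_HOSTS)
        return NULL;                 /* table full: caller fails closed */
    struct host_rec *r = &db[db_count++];
    snprintf(r->host, HOST_LEN, "%s", host);
    return r;
}

/* Auth stage: reject hosts at or over the limit, otherwise flag the
 * attempt as potentially failed. Returns 1 when the request is rejected. */
int abl_authenticate(struct attempt *a, const char *host, int max_failures)
{
    struct host_rec *r = host_record(host);
    snprintf(a->host, HOST_LEN, "%s", host);
    a->pending_failure = 1;          /* assume failure until session opens */
    return (r == NULL || r->failures >= max_failures) ? 1 : 0;
}

/* Session stage: only reached when the whole auth stack succeeded. */
void abl_open_session(struct attempt *a) { a->pending_failure = 0; }

/* Cleanup callback (what pam_set_data() would invoke): record the outcome. */
void abl_cleanup(struct attempt *a)
{
    struct host_rec *r = host_record(a->host);
    if (r == NULL) return;
    if (a->pending_failure) r->failures++; else r->successes++;
}

int abl_failures(const char *host)
{
    struct host_rec *r = host_record(host);
    return r ? r->failures : -1;
}
```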