diff -Naur old/authconfig.py new/authconfig.py
--- old/authconfig.py 2017-03-28 14:08:03.601258033 +0200
+++ new/authconfig.py 2017-03-28 14:10:35.055518926 +0200
@@ -353,6 +353,13 @@
help=_("require at least one other character in a password"))
parser.add_option("--disablereqother", action="store_true",
help=_("do not require other characters in a password"))
+
+ parser.add_option("--enablefaillock", action="store_true",
+ help=_("enable account locking in case of too many consecutive authentication failures"))
+ parser.add_option("--disablefaillock", action="store_true",
+ help=_("disable account locking on too many consecutive authentication failures"))
+ parser.add_option("--faillockargs", metavar=_("<options>"),
+ help=_("the pam_faillock module options"))
|
parser.add_option("--nostart", action="store_true",
help=_("do not start/stop portmap, ypbind, and nscd"))
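Review bot: The two new help strings describe the same condition with different wording — `in case of too many consecutive authentication failures` for --enablefaillock but `on too many consecutive authentication failures` for --disablefaillock — while the reqother pair just above keeps both texts parallel; suggest `help=_("disable account locking in case of too many consecutive authentication failures")`. The `--faillockargs` help gives no hint of the expected format even though the value is written verbatim onto the pam_faillock line elsewhere in this patch; `help=_("the pam_faillock module options, e.g. deny=4 unlock_time=1200")` would point the administrator at the syntax and at the default set in authinfo.py.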
@@ -466,7 +473,8 @@
"reqlower":"passReqLower",
"requpper":"passReqUpper",
"reqdigit":"passReqDigit",
- "reqother":"passReqOther"}
+ "reqother":"passReqOther",
+ "faillock":"enableFaillock"}
|
string_settings = {"passalgo":"passwordAlgorithm",
"hesiodlhs":"hesiodLHS",
@@ -495,7 +503,8 @@
"passminlen":"passMinLen",
"passminclass":"passMinClass",
"passmaxrepeat":"passMaxRepeat",
- "passmaxclassrepeat":"passMaxClassRepeat"}
+ "passmaxclassrepeat":"passMaxClassRepeat",
+ "faillockargs":"faillockArgs"}
|
for opt, aival in bool_settings.iteritems():
if getattr(self.options, "enable"+opt):
diff -Naur old/authinfo.py new/authinfo.py
--- old/authinfo.py 2017-03-28 14:08:03.599258069 +0200
+++ new/authinfo.py 2017-03-28 14:25:31.403421162 +0200
@@ -489,6 +489,8 @@
"otp", argv_otp_auth],
[False, AUTH, LOGIC_SUFFICIENT,
"winbind", argv_winbind_auth],
+ [False, AUTH, LOGIC_REQUIRED,
+ "faillock", ["authfail"]],
[True, AUTH, LOGIC_REQUIRED,
"deny", []],
# Account management is tricky. Because we've implicitly committed to
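Review bot: The new auth-stack entry invokes pam_faillock only with `authfail`, after the sufficient winbind entry and before pam_deny, so failures are recorded but nothing in this hunk consults the lock before the credential-asking modules run. Unless a `preauth` entry exists outside the hunk, a locked account that presents a correct password is still accepted by an earlier sufficient module and the lockout has no effect; pam_faillock is designed to be called with `["preauth"]` ahead of those modules in addition to the `authfail` call. The same shape is repeated in the hunks at @@ -654, @@ -689 and @@ -748, so whatever is decided here applies to them too.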
@@ -508,6 +510,8 @@
# successful call to pam_permit at the end as a requirement.
[False, ACCOUNT, LOGIC_REQUIRED,
"access", []],
+ [False, ACCOUNT, LOGIC_REQUIRED,
+ "faillock", []],
[True, ACCOUNT, LOGIC_REQUIRED,
"unix", []],
[False, ACCOUNT, LOGIC_SUFFICIENT,
@@ -618,6 +622,8 @@
"deny", []],
[False, ACCOUNT, LOGIC_REQUIRED,
"access", []],
+ [False, ACCOUNT, LOGIC_REQUIRED,
+ "faillock", []],
[True, ACCOUNT, LOGIC_REQUIRED,
"unix", []],
[False, ACCOUNT, LOGIC_SUFFICIENT,
@@ -654,6 +660,8 @@
"ldap", argv_ldap_password],
[False, PASSWORD, LOGIC_SUFFICIENT,
"winbind", argv_winbind_password],
+ [False, AUTH, LOGIC_REQUIRED,
+ "faillock", ["authfail"]],
[True, PASSWORD, LOGIC_REQUIRED,
"deny", []],
[True, SESSION, LOGIC_OPTIONAL,
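Review bot: The added entry is tagged `AUTH` but is inserted between the `PASSWORD` winbind entry and the `PASSWORD` pam_deny entry of this stack, whereas every other hunk in the patch places the faillock auth entry next to the AUTH entries of its stack. If the list is emitted in order per stack, this auth line lands after that stack's auth-side pam_deny instead of before it, and the hunk does not show whether this stack also gets an account-side faillock entry like the others. Either the entry belongs higher up beside the AUTH deny entry, or the stack constant is wrong for this position; both look like a misplaced copy-paste.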
@@ -689,10 +697,14 @@
"deny", []],
[False, AUTH, LOGIC_SUFFICIENT,
"fprintd", []],
+ [False, AUTH, LOGIC_REQUIRED,
+ "faillock", ["authfail"]],
[True, AUTH, LOGIC_REQUIRED,
"deny", []],
[False, ACCOUNT, LOGIC_REQUIRED,
"access", []],
+ [False, ACCOUNT, LOGIC_REQUIRED,
+ "faillock", []],
[True, ACCOUNT, LOGIC_REQUIRED,
"unix", []],
[False, ACCOUNT, LOGIC_SUFFICIENT,
@@ -748,10 +760,14 @@
"krb5", argv_krb5_sc_auth],
[False, AUTH, LOGIC_SUFFICIENT,
"permit", []],
+ [False, AUTH, LOGIC_REQUIRED,
+ "faillock", ["authfail"]],
[True, AUTH, LOGIC_REQUIRED,
"deny", []],
[False, ACCOUNT, LOGIC_REQUIRED,
"access", []],
+ [False, ACCOUNT, LOGIC_REQUIRED,
+ "faillock", []],
[True, ACCOUNT, LOGIC_REQUIRED,
"unix", []],
[False, ACCOUNT, LOGIC_SUFFICIENT,
@@ -1392,6 +1408,11 @@
self.passReqDigit = None
self.passReqOther = None
|
+ # Faillock
+ self.enableFaillock = None
+ self.faillockArgs = "deny=4 unlock_time=1200"
+
+
# Not really options.
self.joinUser = ""
self.joinPassword = ""
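Review bot: The `# Faillock` comment above the new fields does not say what the hard-coded `"deny=4 unlock_time=1200"` default is for or where the string ends up, so a reader has to find the PAM writer and the sysconfig writer to learn that. Suggest `# Faillock: options appended verbatim to the auth-stack pam_faillock line and stored as FAILLOCKARGS in sysconfig`. The two added blank lines also leave a double blank before `# Not really options.` where the neighbouring groups are separated by one.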
@@ -1453,6 +1474,7 @@
("enableNIS3", "b"), ("enableNIS", "b"), ("enableIPAv2", "b"),
("enableSSSD", "b"), ("preferDNSinHosts", "b"), ("implicitSSSD", "b")]),
SaveGroup(self.writePAM, None, [("pwqualityArgs", "c"), ("passwdqcArgs", "c"),
+ ("faillockArgs", "c"), ("enableFaillock", "b"),
("localuserArgs", "c"), ("pamAccessArgs", "c"), ("enablePAMAccess", "b"),
("mkhomedirArgs", "c"), ("enableMkHomeDir", "b"), ("algoRounds", "c"),
("passwordAlgorithm", "i"), ("enableShadow", "b"), ("enableNIS", "b"),
@@ -1470,6 +1492,7 @@
("enableEcryptfs", "b"), ("enableSmartcard", "b"), ("forceSmartcard", "b"),
("enableWinbindAuth", "b"), ("enableWinbind", "b"), ("winbindKrb5", "b"), ("enableDB", "b"),
("enableHesiod", "b"), ("enablePWQuality", "b"), ("enablePasswdQC", "b"),
+ ("enableFaillock", "b"), ("faillockArgs", "c"),
("enableLocAuthorize", "b"), ("enablePAMAccess", "b"), ("enableCacheCreds", "b"),
("enableMkHomeDir", "b"), ("enableSysNetAuth", "b"), ("enableFprintd", "b"),
("enableSSSD", "b"), ("enableSSSDAuth", "b"), ("enableForceLegacy", "b"),
@@ -2247,6 +2270,12 @@
if stack == "auth":
if module.startswith("pam_unix"):
self.setParam("enableNullOk", args.find("nullok") >= 0, ref)
+ if module.startswith("pam_faillock"):
+ self.setParam("enableFaillock", True, ref)
+ if args:
+ args.replace('authfail', '').strip()
+ self.setParam("faillockArgs", args, ref)
+ continue
if stack == "account":
if module.startswith("pam_unix"):
self.setParam("brokenShadow", args.find("broken_shadow") >= 0, ref)
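Review bot: `args.replace('authfail', '').strip()` discards its result — `str.replace` returns a new string — so `faillockArgs` is stored with `authfail` still in it. Because the PAM writer in this patch prepends `module[ARGV]` (which already holds `authfail`) to `self.faillockArgs`, each read/write cycle through authconfig adds another `authfail` to the pam_faillock line. Assign the result, and keep the non-empty guard after the strip so a line carrying only `authfail` does not replace the default with an empty string: `args = args.replace('authfail', '').strip()` / `if args:` / `self.setParam("faillockArgs", args, ref)`. The enclosing parser method begins and ends outside this hunk.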
@@ -2305,6 +2334,11 @@
except ValueError:
pass
try:
+ self.enableFaillock = shv.getBoolValue("USEFAILLOCK")
+ self.faillockArgs = shv.getValue("FAILLOCKARGS")
+ except ValueError:
+ pass
+ try:
self.enableEcryptfs = shv.getBoolValue("USEECRYPTFS")
except ValueError:
pass
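Review bot: `self.faillockArgs = shv.getValue("FAILLOCKARGS")` unconditionally overwrites the `"deny=4 unlock_time=1200"` default, so on a sysconfig file written before this change (no FAILLOCKARGS key) the attribute becomes whatever getValue returns for a missing key — presumably None or an empty string — and the PAM writer later concatenates that into the auth line. If getValue does return None for a missing key, keep the default: `args = shv.getValue("FAILLOCKARGS")` / `if args: self.faillockArgs = args`. Sharing one try with `USEFAILLOCK` also means a ValueError on the boolean skips the args read entirely, whereas the ecryptfs block below reads one value per try.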
@@ -3912,6 +3946,8 @@
if (self.forceBrokenShadow or self.enableLDAPAuth or
self.enableKerberos or self.enableWinbindAuth):
output += " broken_shadow"
+ if name == "faillock" and stack == "auth":
+ args = " ".join(module[ARGV]) + " " + self.faillockArgs
if args:
output += " " + args
output += "\n"
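Review bot: `" ".join(module[ARGV]) + " " + self.faillockArgs` writes a trailing space when `faillockArgs` is empty and raises TypeError when it is None, which can happen if the sysconfig reader yields None for a missing FAILLOCKARGS key. Joining one list avoids both cases: `args = " ".join(module[ARGV] + (self.faillockArgs or "").split())`. The enclosing writer function begins and ends outside this hunk.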
@@ -3978,6 +4014,7 @@
(self.enableAFS and module[NAME] == "afs") or
(self.enableAFSKerberos and module[NAME] == "afs.krb") or
(self.enablePWQuality and module[NAME] == "pwquality") or
+ (self.enableFaillock and module[NAME] == "faillock") or
(self.enableEcryptfs and module[NAME] == "ecryptfs") or
(self.enableEPS and module[NAME] == "eps") or
((self.enableKerberos and not self.implicitSSSDAuth)and module[NAME] == "krb5" and
@@ -4039,6 +4076,8 @@
return False
|
shv.setBoolValue("USEPWQUALITY", self.enablePWQuality)
+ shv.setBoolValue("USEFAILLOCK", self.enableFaillock)
+ shv.setValue("FAILLOCKARGS", self.faillockArgs)
shv.setBoolValue("USEDB", self.enableDB)
shv.setBoolValue("USEHESIOD", self.enableHesiod)
shv.setBoolValue("USELDAP", self.enableLDAP)
@@ -4314,6 +4353,8 @@
self.passwdqcArgs)
print "pam_access is %s (%s)" % (formatBool(self.enablePAMAccess),
self.pamAccessArgs)
+ print "pam_faillock is %s (%s)" % (formatBool(self.enableFaillock),
+ self.faillockArgs)
print "pam_mkhomedir or pam_oddjob_mkhomedir is %s (%s)" % (formatBool(self.enableMkHomeDir),
self.mkhomedirArgs)
print "Always authorize local users is %s (%s)" % (formatBool(self.enableLocAuthorize),