pam_tally and fail_locktime

Benjamin Donnachie benjamin at pythagoras.no-ip.org
Wed Oct 5 00:12:12 UTC 2005



Dan Hollis wrote:
> pam_abl works great in general, though it doesn't work at all on x86_64
> at the moment. maybe someone more clued on pam can fix it.
> http://www.hexten.net/bugzilla/show_bug.cgi?id=12

I understand that the way pam_abl detects the end of a failed auth
attempt is dependent upon services calling the PAM functions in a
particular way - perhaps this is different on x86_64s to their predecessors?

I've suggested to the author that he might like to consider adopting an
approach similar to pam_tally of having auth and account modules (rather
than just auth).  That way it can log an attempted login under the auth
module and then clear it under the account section.  If the auth module
is invoked again without there having been a corresponding account
invocation, then the previous login failed and can be recorded.

I'd also like to use pam_abl to protect services which authenticate
while non-root, such as httpd and php, but I would also like to protect
my db files...  One method might be to use sql databases instead and to
hardcode the database details at compile time... Or maybe look into
whether pam modules can be set UID'ed.

When I get time, I intend to start looking at implementing these in
pam_abl/something similar - the auth/account separation might be just
what's needed on the x86_64 platform.

Ben
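
The auth/account bookkeeping described in the message above, as an added example that is not part of the original post and is not pam_abl or pam_tally code. The names on_auth and on_account, the fixed-size table, and keying on a user or host string are assumptions made for illustration; the two functions stand in for a module's auth and account entry points.

```c
#include <stdio.h>
#include <string.h>

#define MAX_KEYS 16                 /* hypothetical table size */

struct entry {
    char key[64];                   /* user or remote host (assumed key) */
    int  pending;                   /* auth seen, account phase not yet reached */
    int  failures;                  /* attempts inferred to have failed */
};

static struct entry table[MAX_KEYS];    /* zero-initialised */
static int n_entries;

static struct entry *lookup(const char *key)
{
    for (int i = 0; i < n_entries; i++)
        if (strcmp(table[i].key, key) == 0)
            return &table[i];
    if (n_entries == MAX_KEYS)
        return NULL;                /* table full: caller must handle this */
    struct entry *e = &table[n_entries++];
    snprintf(e->key, sizeof e->key, "%s", key);
    return e;
}

/* Auth phase: a marker left over from an earlier auth call means that
 * attempt never reached the account phase, so it is counted as failed. */
int on_auth(const char *key)
{
    struct entry *e = lookup(key);
    if (!e) return -1;
    if (e->pending) e->failures++;
    e->pending = 1;
    return e->failures;
}

/* Account phase: only reached after auth succeeded, so clear the marker. */
int on_account(const char *key)
{
    struct entry *e = lookup(key);
    if (!e) return -1;
    e->pending = 0;
    return e->failures;
}

int main(void)
{
    /* constructed sequence: two bad passwords, then a good one */
    on_auth("alice"); on_auth("alice"); on_auth("alice");
    printf("alice failures: %d\n", on_account("alice"));
    return 0;
}
```

With this scheme a failed attempt is only counted when the next auth call arrives, so the most recent failure is always one step behind, and overlapping attempts for the same key are not distinguished.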