Is this a reasonable approach?
Andy Armstrong
andy at hexten.net
Mon Jan 3 21:05:39 UTC 2005
Andy Armstrong wrote:
> Hi folks and happy new year,
>
> I'm writing a PAM module that will allow me to reject connections from
> remote hosts that have been responsible for a large number of failed login
> attempts. I've pretty much got working code but I'm agonising over the
> best way to log failed attempts.
>
> I can get something working by flagging a request as potentially failed
> during auth processing and then clearing that flag if we get as far as
> session processing. I'd use pam_set_data() effectively for the side
> effect of giving me a callback to the cleanup routine which is where I'd
> actually record the success or failure of the login attempt (in a DBM
> database).
>
> I assume that'll work in which case it'll scratch my immediate itch but
> I also assume that it's not the cleanest way to detect a failed auth
> attempt. Can anyone recommend a nicer approach?
The module is complete and working now. It successfully rejects auth
attempts from hosts that are responsible for excessive authentication
failures according to a configurable set of rules.
It still needs to function both as an auth and a session module to find
out whether authentication was ultimately successful so you end up with
a config like this (this is my /etc/pam.d/system-auth):
auth required /lib/security/$ISA/pam_abl.so \
config=/etc/pam_abl.conf
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_abl.so
session required /lib/security/$ISA/pam_unix.so
If anyone can give me any insight as to how to avoid the need for the
session hook I'd be grateful.
I'll document it and release it on my site sometime in the next couple
of days. Is there anything else I should usefully do to announce it to
interested parties?
--
Andy Armstrong