Is this a reasonable approach?

Digant C Kasundra digant at uta.edu
Mon Jan 3 21:23:37 UTC 2005


That's exciting!  I'm definitely interested in giving it a try.  Where
can I get it at?

On Mon, 2005-01-03 at 15:05, Andy Armstrong wrote:
> Andy Armstrong wrote:
> > Hi folks and happy new year,
> > 
> > I'm writing a PAM module that will allow me to reject connections from 
> > remote hosts that have been responsible for a large number of failed login 
> > attempts. I've pretty much got working code but I'm agonising over the 
> > best way to log failed attempts.
> > 
> > I can get something working by flagging a request as potentially failed 
> > during auth processing and then clearing that flag if we get as far as 
> > session processing. I'd use pam_set_data() effectively for the side 
> > effect of giving me a callback to the cleanup routine which is where I'd 
> > actually record the success or failure of the login attempt (in a DBM 
> > database).
> > 
> > I assume that'll work in which case it'll scratch my immediate itch but 
> > I also assume that it's not the cleanest way to detect a failed auth 
> > attempt. Can anyone recommend a nicer approach?
> 
> The module is complete and working now. It successfully rejects auth 
> attempts from hosts that are responsible for excessive authentication 
> failures according to a configurable set of rules.
> 
> It still needs to function both as an auth and a session module to find 
> out whether authentication was ultimately successful so you end up with 
> a config like this (this is my /etc/pam.d/system-auth):
> 
> auth        required      /lib/security/$ISA/pam_abl.so \
>                                        config=/etc/pam_abl.conf
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        required      /lib/security/$ISA/pam_deny.so
> 
> session     required      /lib/security/$ISA/pam_abl.so
> session     required      /lib/security/$ISA/pam_unix.so
> 
> If anyone can give me any insight as to how to avoid the need for the 
> session hook I'd be grateful.
> 
> I'll document it and release it on my site sometime in the next couple 
> of days. Is there anything else I should usefully do to announce it to 
> interested parties?
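The flow Andy describes above (flag the attempt as a failure during the auth phase, clear the flag if the session phase is reached, and write the result out from the cleanup callback that pam_set_data() gives you) is easier to see without the PAM plumbing around it. The block below is an added example, not pam_abl's own code: it replaces the DBM database with an in-memory ring buffer per host, replaces the pam_set_data() cleanup callback with an explicit abl_attempt_finish() call, and assumes a rule shape of "at most N failures in a trailing window of T seconds" (the real module's rule syntax is not shown on this page). The host addresses and the timestamp are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_HOSTS  16   /* toy in-memory table; the module itself uses a DBM file */
#define MAX_EVENTS 32   /* failure timestamps kept per host (ring buffer) */

/* Assumed rule shape: block once a host has max_failures failures
 * within the trailing window_seconds. */
struct abl_rule { int max_failures; long window_seconds; };

struct host_record {
    char   host[64];
    time_t failures[MAX_EVENTS];
    int    head;    /* next ring slot to overwrite */
    int    count;   /* valid entries, at most MAX_EVENTS */
};

static struct host_record table[MAX_HOSTS];
static int nhosts;

void abl_reset(void) { memset(table, 0, sizeof table); nhosts = 0; }

static struct host_record *lookup(const char *host, int create)
{
    for (int i = 0; i < nhosts; i++)
        if (strcmp(table[i].host, host) == 0)
            return &table[i];
    if (!create || nhosts == MAX_HOSTS)
        return NULL;
    struct host_record *r = &table[nhosts++];
    snprintf(r->host, sizeof r->host, "%s", host);
    return r;
}

/* Persist one failed attempt from host that started at time when. */
void abl_record_failure(const char *host, time_t when)
{
    struct host_record *r = lookup(host, 1);
    if (!r) return;   /* table full: this toy fails open rather than lock everyone out */
    r->failures[r->head] = when;
    r->head = (r->head + 1) % MAX_EVENTS;
    if (r->count < MAX_EVENTS) r->count++;
}

/* Failures from host inside the rule's window ending at now. */
int abl_failures_in_window(const char *host, time_t now, const struct abl_rule *rule)
{
    const struct host_record *r = lookup(host, 0);
    int n = 0;
    if (!r) return 0;
    for (int i = 0; i < r->count; i++)   /* slots 0..count-1 are valid whatever head is */
        if (now - r->failures[i] <= rule->window_seconds)
            n++;
    return n;
}

/* The check the auth hook makes before pam_unix ever sees the password. */
int abl_should_block(const char *host, time_t now, const struct abl_rule *rule)
{
    return abl_failures_in_window(host, now, rule) >= rule->max_failures;
}

/* Per-attempt state, standing in for the item the module would stash with
 * pam_set_data() so that its cleanup callback runs when the handle is closed. */
struct abl_attempt {
    char   host[64];
    time_t started;
    int    pending_failure;   /* assume failure until a session is opened */
    int    finished;
};

/* Auth phase: returns 1 if the host is rejected, 0 if the attempt may proceed
 * (in which case it is provisionally flagged as a failure). */
int abl_attempt_begin(struct abl_attempt *a, const char *host, time_t now,
                      const struct abl_rule *rule)
{
    memset(a, 0, sizeof *a);
    snprintf(a->host, sizeof a->host, "%s", host);
    a->started = now;
    if (abl_should_block(host, now, rule)) {
        a->finished = 1;   /* assumed: a rejection by this module is not counted again */
        return 1;
    }
    a->pending_failure = 1;
    return 0;
}

/* Session phase: reached only after the whole auth stack succeeded. */
void abl_attempt_session_opened(struct abl_attempt *a) { a->pending_failure = 0; }

/* Cleanup stand-in: record the outcome exactly once; returns 1 if a failure was stored. */
int abl_attempt_finish(struct abl_attempt *a)
{
    if (a->finished) return 0;
    a->finished = 1;
    if (!a->pending_failure) return 0;
    abl_record_failure(a->host, a->started);
    return 1;
}
```

With a rule of three failures per hour, three attempts from one host that never reach abl_attempt_session_opened() each store a failure, the fourth is rejected by abl_attempt_begin() before any password check, and an attempt that does reach the session phase stores nothing. Because the check uses a trailing window, the oldest failure drops out an hour later and the host is admitted again. The one thing this stand-in cannot show is the part Andy is asking about: in the real module the finish step is driven by the cleanup callback, which is why the module has to be stacked in both the auth and the session phase to learn whether the attempt succeeded.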
