aboutsummaryrefslogtreecommitdiffstats
path: root/security/pam_abl
diff options
context:
space:
mode:
authorpav <pav@FreeBSD.org>2006-09-02 02:34:03 +0800
committerpav <pav@FreeBSD.org>2006-09-02 02:34:03 +0800
commit471ab8d8a0469e93f01b305bd73762343f9067b5 (patch)
tree45f644db1519ba799f03bc715ebb07a3f959019b /security/pam_abl
parent6c451311cafc03e0e752157571495ca7b6a8c68a (diff)
downloadfreebsd-ports-gnome-471ab8d8a0469e93f01b305bd73762343f9067b5.tar.gz
freebsd-ports-gnome-471ab8d8a0469e93f01b305bd73762343f9067b5.tar.zst
freebsd-ports-gnome-471ab8d8a0469e93f01b305bd73762343f9067b5.zip
The pam_abl provides auto blacklisting of hosts and users
responsible for repeated failed authentication attempts. WWW: http://www.hexten.net/pam_abl/ PR: ports/100635 Submitted by: Petr Rehor <prehor@gmail.com>
Diffstat (limited to 'security/pam_abl')
-rw-r--r--security/pam_abl/Makefile73
-rw-r--r--security/pam_abl/distinfo3
-rw-r--r--security/pam_abl/files/190.clean-pam-abl.in25
-rw-r--r--security/pam_abl/files/pam_abl.8.in270
-rw-r--r--security/pam_abl/files/patch-Makefile42
-rw-r--r--security/pam_abl/files/patch-conf-pam_abl.conf14
-rw-r--r--security/pam_abl/files/patch-conf-system-auth39
-rw-r--r--security/pam_abl/files/patch-doc-index.html75
-rw-r--r--security/pam_abl/files/patch-doc-pam_abl.html11
-rw-r--r--security/pam_abl/files/patch-pam_abl.c24
-rw-r--r--security/pam_abl/files/patch-pam_abl.h19
-rw-r--r--security/pam_abl/files/patch-tools-Makefile26
-rw-r--r--security/pam_abl/files/pkg-deinstall.in38
-rw-r--r--security/pam_abl/files/pkg-message.in12
-rw-r--r--security/pam_abl/files/pkg-plist.in8
-rw-r--r--security/pam_abl/pkg-descr4
16 files changed, 683 insertions, 0 deletions
diff --git a/security/pam_abl/Makefile b/security/pam_abl/Makefile
new file mode 100644
index 000000000000..8a3f49e0c20c
--- /dev/null
+++ b/security/pam_abl/Makefile
@@ -0,0 +1,73 @@
+# New ports collection makefile for: pam_abl
+# Date created: Nov 6 2005
+# Whom: Petr Rehor <prehor@gmail.com>
+#
+# $FreeBSD$
+#
+
+PORTNAME= pam_abl
+PORTVERSION= 0.2.3
+CATEGORIES= security
+MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
+MASTER_SITE_SUBDIR= ${PORTNAME:S/_/-/}
+
+MAINTAINER= prehor@gmail.com
+COMMENT= Blacklisting responsible for repeated failed authentication attempts
+
+WRKSRC= ${WRKDIR}/${PORTNAME}
+
+PAMABLDB?= /var/db/pam_abl
+
+USE_BDB= 42+
+
+SUB_FILES= pkg-deinstall pkg-message pkg-plist pam_abl.8 190.clean-pam-abl
+SUB_LIST= PAMABLDB=${PAMABLDB}
+
+PKGMESSAGE= ${WRKDIR}/pkg-message
+PKGDEINSTALL= ${WRKDIR}/pkg-deinstall
+PLIST= ${WRKDIR}/pkg-plist
+
+MAN8= pam_abl.8
+
+.if !defined(NOPORTDOCS)
+PORTDOCS= *
+.endif
+
+.include <bsd.port.pre.mk>
+
+.if ${PREFIX} == / || ${PREFIX} == /usr
+ETCPREFIX=
+.else
+ETCPREFIX= ${PREFIX}
+.endif
+SUB_LIST+= ETCPREFIX=${ETCPREFIX}
+
+SED_SCRIPT= -e 's|<db.h>|<${BDB_INCLUDE_DIR}/db.h>|' \
+ -e 's|-ldb|-l${BDB_LIB_NAME}|' \
+ -e 's|%%PREFIX%%|${PREFIX}|' \
+ -e 's|%%ETCPREFIX%%|${ETCPREFIX}|' \
+ -e 's|%%PAMABLDB%%|${PAMABLDB}|'
+
+post-patch:
+.for file in Makefile pam_abl.h conf/pam_abl.conf conf/system-auth doc/index.html doc/pam_abl.html tools/Makefile
+ @${REINPLACE_CMD} ${SED_SCRIPT} ${WRKSRC}/${file}
+.endfor
+
+pre-install:
+.if !defined(NOPORTDOCS)
+ @${MKDIR} ${DOCSDIR}
+.for file in AUTHORS COPYING Copyright NEWS README THANKS conf/system-auth doc/index.html doc/pam_abl.html doc/copying.html doc/style.css
+ ${INSTALL_DATA} ${WRKSRC}/${file} ${DOCSDIR}
+.endfor
+.endif
+.if !defined(NO_INSTALL_MANPAGES)
+ @${MKDIR} ${MAN8PREFIX}/man/man8
+ ${INSTALL_MAN} ${WRKDIR}/pam_abl.8 ${MAN8PREFIX}/man/man8/
+.endif
+ @${MKDIR} ${PREFIX}/etc/periodic/daily
+ ${INSTALL_SCRIPT} ${WRKDIR}/190.clean-pam-abl ${PREFIX}/etc/periodic/daily/
+
+post-install:
+ @${CAT} ${PKGMESSAGE}
+
+.include <bsd.port.post.mk>
diff --git a/security/pam_abl/distinfo b/security/pam_abl/distinfo
new file mode 100644
index 000000000000..0f8a50adffb6
--- /dev/null
+++ b/security/pam_abl/distinfo
@@ -0,0 +1,3 @@
+MD5 (pam_abl-0.2.3.tar.gz) = fbcf97067e9647fa1d9257d4e6133cba
+SHA256 (pam_abl-0.2.3.tar.gz) = 9bb4059fba96f9846784d5e70bec72893630bdd70bc840be767cc33b83c6b163
+SIZE (pam_abl-0.2.3.tar.gz) = 19000
diff --git a/security/pam_abl/files/190.clean-pam-abl.in b/security/pam_abl/files/190.clean-pam-abl.in
new file mode 100644
index 000000000000..3b3ca29ff5f7
--- /dev/null
+++ b/security/pam_abl/files/190.clean-pam-abl.in
@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+# Purge pam_abl databases according to purge rules in config.
+#
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]; then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$daily_clean_pam_abl_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo "Purging pam_abl databases:"
+
+ %%PREFIX%%/sbin/pam_abl -p -v ${daily_clean_pam_abl_config_file}
+ [ $? -ne 0 ] && rc=3 || rc=0;;
+ *) rc=0;;
+esac
+
+exit $rc
diff --git a/security/pam_abl/files/pam_abl.8.in b/security/pam_abl/files/pam_abl.8.in
new file mode 100644
index 000000000000..9395d43eda77
--- /dev/null
+++ b/security/pam_abl/files/pam_abl.8.in
@@ -0,0 +1,270 @@
+.\"
+.\" $FreeBSD$
+.\"
+.Dd January 14, 2006
+.Dt pam_abl 8
+.Os
+.Sh NAME
+.Nm pam_abl
+.Nd auto blacklist PAM module
+.Sh SYNOPSIS
+.Ss Auto Blacklist PAM module
+.Op Ar service-name
+.Ar module-name
+.Ar control-flag
+.Pa pam_abl
+.Op Ar options
+.Ss Blacklist maintenance tool
+.Nm
+.Op Fl h | Fl -help
+.Op Fl p | Fl -purge
+.Op Fl r | Fl -relative
+.Op Fl v | Fl -verbose
+.Op Fl -okhost Ns No = Ns Ar host
+.Op Fl -okuser Ns No = Ns Ar user
+.Op Ar config-file
+.Sh DESCRIPTION
+The Auto Blacklist module for PAM,
+.Nm
+provides functionality for only one PAM category: authentication.
+In terms of the
+.Ar module-type
+parameter, this is the
+.Dq Li auth
+feature.
+.Ss Auto Blacklist PAM Authentication Module
+.Nm
+provides auto blacklisting of hosts and users responsible for repeated
+failed authentication attempts. Generally configured so that blacklisted
+users still see normal login prompts but are guaranteed to fail to
+authenticate. This functionality is only available to services which call
+PAM as root. If
+.Nm
+is called for uid != 0 it will silently succeed.
+
+The following options may be passed to the authentication module:
+.Bl -tag -width indent
+.It Cm debug
+.Xr syslog 3
+debugging information at
+.Dv LOG_DEBUG
+level.
+.It Cm expose_account
+Ignored.
+.It Cm no_warn
+suppress warning messages to the user.
+These messages include reasons why the user's authentication attempt was
+declined.
+.It Cm try_first_pass
+Ignored.
+.It Cm use_first_pass
+Ignored.
+.It Cm use_mapped_pass
+Ignored.
+.It Cm config Ns No = Ns Ar config-file
+The configuration file contains additional arguments. In order for the
+.Nm
+blacklist maintenance tool to work correctly most of the configuration
+should be placed in the config file rather than being provided by arguments.
+The format of the config file is described below.
+.It Cm host_db Ns No = Ns Ar host-database-file
+Path to the Berkeley DB which is used to log the host responsible for failed
+authentication attempts.
+If host_db is omitted the corresponding auto blacklisting will be disabled.
+.It Cm host_purge Ns No = Ns Ar time
+Defines how long failed hosts are retained in the host database.
+Defaults to 1 day.
+.It Cm host_rule Ns No = Ns Ar host-rule
+The rule (see below for format) which defines the conditions under which a
+failed hosts will be blackisted.
+.It Cm user_db Ns No = Ns Ar user-database-file
+Path to the Berkeley DB which is used to log the user responsible for failed
+authentication attempts.
+If user_db is omitted the corresponding auto blacklisting will be disabled.
+.It Cm user_purge Ns No = Ns Ar time
+Defines how long failed users are retained in the user database.
+Defaults to 1 day.
+.It Cm user_rule Ns No = Ns Ar user-rule
+The rule (see below for format) which defines the conditions under which a
+failed users will be blackisted.
+.El
+.Ss Rules syntax
+.Cm host_rule No Cm user_rule
+are the rules which determine the circumstances under which accounts ares
+auto blacklisted.
+The
+.Cm host_rule
+is used to block access to hosts that are responsible for excessive
+authentication failures and the
+.Cm user_rule
+is used to disable accounts for which there have been excessive
+authentication failures.
+Each rule consists of a number of space separated
+.Sy user clauses Ns No .
+A
+.Sy user clause
+specifies the user names and services to match and a set of triggers.
+A simple example would be:
+.Bd -literal -offset indent
+*:10/1h
+.Ed
+.Pp
+which means 'block any user (*) if they are responsible for ten or more
+failed authentication attempts in the last hour'.
+In place of the '*' which matches any user a list of usernames can be
+supplied like this:
+.Bd -literal -offset indent
+root|dba|admin:10/1h
+.Ed
+.Pp
+which means 'block the users root, dba and admin if they are responsible
+for ten or more failed authentication attempts in the last hour'.
+You can also specify a service name to match against like this:
+.Bd -literal -offset indent
+root/sshd|dba/*:3/1d
+.Ed
+.Pp
+which means 'block the users root for service sshd and user dba for any
+service if they are responsible for three or more failed authentication
+attempts in the last day'.
+Finally you can specify multiple triggers like this:
+.Bd -literal -offset indent
+root:10/1h,20/1d
+.Ed
+.Pp
+which means 'block the user root if they are responsible for ten or more
+failed attempts in the last hour or twenty or more failed attempts in the
+last day.
+.Pp
+Multiple rules can be provided separated by spaces like this:
+.Bd -literal -offset indent
+*:10/1h root:5/1h,10/1d
+.Ed
+.Pp
+in which case all rules that match a particular user and service will be
+checked.
+The user or host will be blocked if any of the rule triggers matches.
+.Pp
+The sense of the user matching can be inverted by placing a '!' in front
+of the rule so that:
+.Bd -literal -offset indent
+!root:20/1d
+.Ed
+.Pp
+is a rule which would match for all users apart from root.
+.Pp
+It is important to treat root as a special case in the
+.Cm user_rule
+otherwise excessive attempts to authenticate as root will result in the
+root account being locked out even for valid holders of root credentials.
+.Pp
+Here is the full syntax for rules:
+.Bd -literal -offset indent
+word ::= /[^\\s\\|\\/\\*]+/
+name ::= word | '*'
+username ::= name
+servicename ::= name
+userservice ::= username | username '/' servicename
+namelist ::= userservice | userservice '|' namelist
+userspec ::= namelist | '!' namelist
+multiplier ::= 's' | 'm' | 'h' | 'd'
+number ::= /\d+/
+period ::= number | number multiplier
+trigger ::= number '/' period
+triglist ::= trigger | trigger ',' triglist
+userclause ::= userspec ':' triglist
+rule ::= userclause | userclause /\s+/ rule
+.Ed
+.Pp
+For rules to work correctly
+.Cm host_purge No and Cm user_purge
+must be at least as long as the longest period specified in a corresponding
+rule.
+You may wish to retain information about failed attempts for longer than
+this so that the
+.Nm
+blacklist maintenance tool can report information over a longer period of
+time.
+The format for this items is a number with an optional multiplier suffix,
+'s', 'm', 'h' or 'd' which correspond with seconds, minutes, hours and days.
+To specify seven days for example one would use '7d'.
+Note that in normal operation
+.Nm
+PAM module will only purge the logged data for a particular host or user
+if it happens to be updating it, i.e. if that host or user makes another
+failed attempt.
+To purge all old entries the
+.Nm
+blacklist maintenance tool should be used.
+.Ss Blacklist maintenance tool
+Blacklist maintenance tool
+.Nm
+perform maintenance on the databases used by the
+.Nm
+PAM module.
+The options are as follows:
+.Bl -tag -width indent
+.It Fl h | Fl -help
+Print help page and exit.
+.It Fl p | Fl -purge
+Purge databases according to purge rules in config.
+.It Fl r | Fl -relative
+Display times relative to now otherwise absolute times will be displayed.
+.It Fl v | Fl -verbose
+Verbose output.
+.It Fl -okhost Ns No = Ns Ar host-name
+Unblock host.
+.It Fl -okuser Ns No = Ns Ar user-name
+Unblock user.
+.It Ar config-file
+Name of the
+.Nm
+configuration file (default: %%ETCPREFIX%%/etc/pam_abl.conf).
+The config file is read to discover the names of the
+.Nm
+databases and the rules that control purging of old data from them.
+.El
+.Sh EXAMPLES
+.Ss Auto Blacklist PAM module
+Typically
+.Nm
+PAM module is added to the auth stack as a required module just before
+whatever modules actually peform authentication.
+Here's a fragment of the PAM config:
+.Bd -literal -offset indent
+auth required pam_env
+auth required pam_abl config=%%ETCPREFIX%%/etc/pam_abl.conf
+auth sufficient pam_unix likeauth nullok
+auth required pam_deny
+.Ed
+.Ss Blacklist maintenance tool
+Obtain a list of failed hosts and users:
+.Bd -literal -offset indent
+$ pam_abl
+.Ed
+.Pp
+Obtain a full list of failures listing times relative to now:
+.Bd -literal -offset indent
+$ pam_abl -rv
+.Ed
+.Pp
+Purge old data:
+.Bd -literal -offset indent
+$ pam_abl -p
+.Ed
+.Pp
+Unblock all example.com hosts and all users:
+.Bd -literal -offset indent
+$ pam_abl -v --okhost='*.example.com' --okuser='*'
+.Ed
+.Sh SEE ALSO
+.Xr pam.conf 5 ,
+.Xr pam 8
+.Bd -literal
+http://www.hexten.net/pam_abl/
+http://sourceforge.net/project/showfiles.php?group_id=148927
+.Ed
+.Sh AUTHORS
+Written by Andy Armstrong <andy@hexten.net>.
+.Sh BUGS
+Report bugs to Andy Armstrong <andy@hexten.net>.
diff --git a/security/pam_abl/files/patch-Makefile b/security/pam_abl/files/patch-Makefile
new file mode 100644
index 000000000000..2e2c9c99ee0e
--- /dev/null
+++ b/security/pam_abl/files/patch-Makefile
@@ -0,0 +1,42 @@
+--- Makefile.orig Wed Oct 12 21:22:25 2005
++++ Makefile Sun Dec 11 00:29:31 2005
+@@ -1,11 +1,11 @@
+ # Makefile
+ # $Id: Makefile,v 1.1.1.1 2005/10/12 19:22:25 tagishandy Exp $
+
+-CFLAGS=-Wall -fPIC
+-PAMDIR=/lib/security
+-CONFDIR=/etc/security
+-DBDIR=/var/lib/abl
+-LIBS=-ldb -lpthread
++CFLAGS=-Wall -fPIC -I/usr/local/include
++PAMDIR=%%PREFIX%%/lib
++CONFDIR=%%ETCPREFIX%%/etc
++DBDIR=%%PAMABLDB%%
++LIBS=-L/usr/local/lib -ldb -lpthread
+ MODULE=pam_abl.so
+ OBJ=pam_abl.o log.o config.o rule.o
+ SUBDIRS=tools
+@@ -14,17 +14,17 @@
+ for d in $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done
+
+ $(MODULE) : $(OBJ)
+- ld -x --shared $(LIBS) -o $@ $^
++ ld -x --shared $(LIBS) -o $(MODULE) $(OBJ)
+
+ clean :
+ rm -f $(MODULE) $(OBJ)
+ for d in $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done
+
+ install : $(MODULE)
+- install --mode=755 --strip $(MODULE) $(PAMDIR)
+- #install --mode=644 conf/pam_abl.conf $(CONFDIR)
+- install -d --mode=755 $(DBDIR)
+- for d in t $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done
++ install -m 755 -s $(MODULE) $(PAMDIR)
++ install -m 644 conf/pam_abl.conf $(CONFDIR)/pam_abl.conf.sample
++ install -d -m 755 $(DBDIR)
++ for d in $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done
+
+ depend :
+ cc -MM *.c > deps
diff --git a/security/pam_abl/files/patch-conf-pam_abl.conf b/security/pam_abl/files/patch-conf-pam_abl.conf
new file mode 100644
index 000000000000..c668e08296b7
--- /dev/null
+++ b/security/pam_abl/files/patch-conf-pam_abl.conf
@@ -0,0 +1,14 @@
+--- conf/pam_abl.conf.orig Sat Dec 10 23:27:33 2005
++++ conf/pam_abl.conf Sun Dec 11 00:07:41 2005
+@@ -1,8 +1,8 @@
+-# /etc/security/pam_abl.conf
++# %%ETCPREFIX%%/etc/pam_abl.conf
+ # debug
+-host_db=/var/lib/abl/hosts.db
++host_db=%%PAMABLDB%%/hosts.db
+ host_purge=2d
+ host_rule=*:10/1h,30/1d
+-user_db=/var/lib/abl/users.db
++user_db=%%PAMABLDB%%/users.db
+ user_purge=2d
+ user_rule=!root:10/1h,30/1d
diff --git a/security/pam_abl/files/patch-conf-system-auth b/security/pam_abl/files/patch-conf-system-auth
new file mode 100644
index 000000000000..4f287c13b2a4
--- /dev/null
+++ b/security/pam_abl/files/patch-conf-system-auth
@@ -0,0 +1,39 @@
+--- conf/system-auth.orig Wed Oct 12 21:22:27 2005
++++ conf/system-auth Sat Jan 14 22:37:20 2006
+@@ -1,15 +1,24 @@
+-#%PAM-1.0
+-auth required /lib/security/$ISA/pam_env.so
+-auth required /lib/security/$ISA/pam_abl.so config=/etc/security/pam_abl.conf
+-auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
+-auth required /lib/security/$ISA/pam_deny.so
++#
++# System-wide defaults
++#
+
+-account required /lib/security/$ISA/pam_unix.so
++# auth
++auth required %%PREFIX%%/lib/pam_abl.so config=%%ETCPREFIX%%/etc/pam_abl.conf
++auth sufficient pam_opie.so no_warn no_fake_prompts
++auth requisite pam_opieaccess.so no_warn allow_local
++#auth sufficient pam_krb5.so no_warn try_first_pass
++#auth sufficient pam_ssh.so no_warn try_first_pass
++auth required pam_unix.so no_warn try_first_pass nullok
+
+-password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
+-password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
+-password required /lib/security/$ISA/pam_deny.so
++# account
++#account required pam_krb5.so
++account required pam_login_access.so
++account required pam_unix.so
+
+-session required /lib/security/$ISA/pam_limits.so
+-session required /lib/security/$ISA/pam_abl.so
+-session required /lib/security/$ISA/pam_unix.so
++# session
++#session optional pam_ssh.so
++session required pam_lastlog.so no_fail
++
++# password
++#password sufficient pam_krb5.so no_warn try_first_pass
++password required pam_unix.so no_warn try_first_pass
diff --git a/security/pam_abl/files/patch-doc-index.html b/security/pam_abl/files/patch-doc-index.html
new file mode 100644
index 000000000000..1b63b6263bb5
--- /dev/null
+++ b/security/pam_abl/files/patch-doc-index.html
@@ -0,0 +1,75 @@
+--- doc/index.html.orig Wed Oct 12 21:22:27 2005
++++ doc/index.html Sat Jan 14 22:48:16 2006
+@@ -44,7 +44,7 @@
+ <dd>Requires <a href="http://www.sleepycat.com/products/db.shtml">Berkeley DB</a>
+ (tested with 4.3.21 and 4.2.50).<br />
+
+- Requires a configuration file (by convention /etc/security/pam_abl.conf)</dd>
++ Requires a configuration file (by convention %%ETCPREFIX%%/etc/pam_abl.conf)</dd>
+
+ <dt>Network aware:</dt>
+
+@@ -171,28 +171,26 @@
+ <p>Typically pam_abl.so is added to the auth stack as a required module just before whatever modules actually peform authentication. Here's a fragment of the PAM config for a production server that is running pam_abl:</p>
+
+ <table class="config">
+- <tr><td>auth</td><td>required</td><td>/lib/security/pam_env.so</td></tr>
+- <tr><td>auth</td><td>required</td><td>/lib/security/pam_abl.so config=/etc/security/pam_abl.conf</td></tr>
+- <tr><td>auth</td><td>sufficient</td><td>/lib/security/pam_unix.so likeauth nullok</td></tr>
+- <tr><td>auth</td><td>required</td><td>/lib/security/pam_deny.so</td></tr>
++ <tr><td>auth</td><td>required</td><td>%%PREFIX%%/lib/pam_abl.so config=%%ETCPREFIX%%/etc/pam_abl.conf</td></tr>
++ <tr><td>auth</td><td>required</td><td>pam_unix.so no_warn try_first_pass nullok</td></tr>
+ </table>
+
+- <p>Although all of accepted arguments can be supplied here they will usually be placed in a separate config file and linked to using the config argument as in the above example. The <a href="pam_abl.html">pam_abl command line tool</a> reads the external config file (/etc/security/pam_abl.conf in this case) to find the databases so in order for it work correctly an external config should be used.</p>
++ <p>Although all of accepted arguments can be supplied here they will usually be placed in a separate config file and linked to using the config argument as in the above example. The <a href="pam_abl.html">pam_abl command line tool</a> reads the external config file (%%ETCPREFIX%%/etc/pam_abl.conf in this case) to find the databases so in order for it work correctly an external config should be used.</p>
+
+ </dd>
+
+ <dt>Config file syntax:</dt>
+
+ <dd>
+- <p>The config file can contain any arguments that would be supplied via PAM config. In the config file arguments are placed on separate lines. Comments may be included after a '#' and line continuation is possible by placing a back slash at the end of the line to be continued. Here is a sample /etc/security/pam_abl.conf:</p>
++ <p>The config file can contain any arguments that would be supplied via PAM config. In the config file arguments are placed on separate lines. Comments may be included after a '#' and line continuation is possible by placing a back slash at the end of the line to be continued. Here is a sample %%ETCPREFIX%%/etc/pam_abl.conf:</p>
+
+ <table class="config">
+- <tr><td># /etc/security/pam_abl.conf</td></tr>
++ <tr><td># %%ETCPREFIX%%/etc/pam_abl.conf</td></tr>
+ <tr><td>debug</td></tr>
+- <tr><td>host_db=/var/lib/abl/hosts.db</td></tr>
++ <tr><td>host_db=%%PAMABLDB%%/hosts.db</td></tr>
+ <tr><td>host_purge=2d</td></tr>
+ <tr><td>host_rule=*:10/1h,30/1d</td></tr>
+- <tr><td>user_db=/var/lib/abl/users.db</td></tr>
++ <tr><td>user_db=%%PAMABLDB%%/users.db</td></tr>
+ <tr><td>user_purge=2d</td></tr>
+ <tr><td>user_rule=!root:10/1h,30/1d</td></tr>
+ </table>
+@@ -282,21 +280,19 @@
+ <p>Sample PAM config fragment:</p>
+
+ <table class="config">
+- <tr><td>auth</td><td>required</td><td>/lib/security/pam_env.so</td></tr>
+- <tr><td>auth</td><td>required</td><td>/lib/security/pam_abl.so config=/etc/security/pam_abl.conf</td></tr>
+- <tr><td>auth</td><td>sufficient</td><td>/lib/security/pam_unix.so likeauth nullok</td></tr>
+- <tr><td>auth</td><td>required</td><td>/lib/security/pam_deny.so</td></tr>
++ <tr><td>auth</td><td>required</td><td>%%PREFIX%%/lib/pam_abl.so %%ETCPREFIX%%/etc/pam_abl.conf</td></tr>
++ <tr><td>auth</td><td>required</td><td>pam_unix.so no_warn try_first_pass nullok</td></tr>
+ </table>
+
+- <p>Sample /etc/security/pam_abl.conf:</p>
++ <p>Sample %%ETCPREFIX%%/etc/pam_abl.conf:</p>
+
+ <table class="config">
+- <tr><td># /etc/security/pam_abl.conf</td></tr>
++ <tr><td># %%ETCPREFIX%%/etc/pam_abl.conf</td></tr>
+ <tr><td>debug</td></tr>
+- <tr><td>host_db=/var/lib/abl/hosts.db</td></tr>
++ <tr><td>host_db=%%PAMABLDB%%/hosts.db</td></tr>
+ <tr><td>host_purge=2d</td></tr>
+ <tr><td>host_rule=*:10/1h,30/1d</td></tr>
+- <tr><td>user_db=/var/lib/abl/users.db</td></tr>
++ <tr><td>user_db=%%PAMABLDB%%/users.db</td></tr>
+ <tr><td>user_purge=2d</td></tr>
+ <tr><td>user_rule=!root:10/1h,30/1d</td></tr>
+ </table>
diff --git a/security/pam_abl/files/patch-doc-pam_abl.html b/security/pam_abl/files/patch-doc-pam_abl.html
new file mode 100644
index 000000000000..fd162fd85d3d
--- /dev/null
+++ b/security/pam_abl/files/patch-doc-pam_abl.html
@@ -0,0 +1,11 @@
+--- doc/pam_abl.html.orig Wed Oct 12 21:22:27 2005
++++ doc/pam_abl.html Sat Jan 14 23:00:43 2006
+@@ -15,7 +15,7 @@
+ <dd>pam_abl [OPTION] [CONFIG]</dd>
+ <dt>DESCRIPTION</dt>
+ <dd>
+- <p>Perform maintenance on the databases used by the pam_abl (auto blacklist) module. CONFIG is the name of the pam_abl config file (default: /etc/security/pam_abl.conf). The config file is read to discover the names of the pam_abl databases and the rules that control purging of old data from them. The following options are available</p>
++ <p>Perform maintenance on the databases used by the pam_abl (auto blacklist) module. CONFIG is the name of the pam_abl config file (default: %%ETCPREFIX%%/etc/pam_abl.conf). The config file is read to discover the names of the pam_abl databases and the rules that control purging of old data from them. The following options are available</p>
+ <table>
+ <tr>
+ <td>-h, --help</td>
diff --git a/security/pam_abl/files/patch-pam_abl.c b/security/pam_abl/files/patch-pam_abl.c
new file mode 100644
index 000000000000..3ef097a22f44
--- /dev/null
+++ b/security/pam_abl/files/patch-pam_abl.c
@@ -0,0 +1,24 @@
+--- pam_abl.c.orig Wed Oct 12 21:22:26 2005
++++ pam_abl.c Sat Jan 14 21:39:41 2006
+@@ -344,7 +344,7 @@
+ abl_args *args = data;
+ log_debug(args, "In cleanup, err is %08x", err);
+
+- if (err && (err & PAM_DATA_REPLACE) == 0) {
++ if (err == PAM_AUTH_ERR) {
+ record_attempt(args);
+ }
+ config_free(args);
+@@ -359,6 +359,12 @@
+ int err = PAM_SUCCESS;
+
+ /*log_debug(NULL, "pam_sm_authenticate(), flags=%08x", flags);*/
++
++ if (err = pam_get_data(pamh, DATA_NAME, &args), PAM_SUCCESS == err) {
++ record_attempt(args);
++ } else if (PAM_NO_MODULE_DATA != err) {
++ return err;
++ }
+
+ if (args = malloc(sizeof(abl_args)), NULL == args) {
+ return PAM_BUF_ERR;
diff --git a/security/pam_abl/files/patch-pam_abl.h b/security/pam_abl/files/patch-pam_abl.h
new file mode 100644
index 000000000000..2d21d063997e
--- /dev/null
+++ b/security/pam_abl/files/patch-pam_abl.h
@@ -0,0 +1,19 @@
+--- pam_abl.h.orig Wed Oct 12 21:22:27 2005
++++ pam_abl.h Sat Jan 14 19:25:44 2006
+@@ -51,6 +51,7 @@
+ #define __PAM_ABL_H
+
+ #include <security/pam_modules.h>
++#include <security/pam_appl.h>
+ #include <db.h>
+
+ #include <ctype.h>
+@@ -74,7 +75,7 @@
+ /* User purge time in seconds */
+ #define USER_PURGE (HOURSECS * 24)
+
+-#define CONFIG "/etc/security/pam_abl.conf"
++#define CONFIG "%%ETCPREFIX%%/etc/pam_abl.conf"
+
+ typedef struct abl_string {
+ struct abl_string *link;
diff --git a/security/pam_abl/files/patch-tools-Makefile b/security/pam_abl/files/patch-tools-Makefile
new file mode 100644
index 000000000000..c79088740284
--- /dev/null
+++ b/security/pam_abl/files/patch-tools-Makefile
@@ -0,0 +1,26 @@
+--- tools/Makefile.orig Wed Oct 12 21:22:27 2005
++++ tools/Makefile Sun Dec 11 00:22:30 2005
+@@ -1,18 +1,18 @@
+ # Makefile
+
+-CFLAGS=-Wall
+-LIBS=-ldb -lpthread
++CFLAGS=-Wall -I/usr/local/include
++LIBS=-L/usr/local/lib -ldb -lpthread
+ TARGET=pam_abl
+ OBJ=log.o config.o rule.o pam_abl.o
+-INSTDIR=/usr/bin
++INSTDIR=%%PREFIX%%/sbin
+
+ all : $(TARGET)
+
+ $(TARGET) : $(OBJ)
+- cc $(LIBS) -o $@ $^
++ cc $(LIBS) -o $(TARGET) $(OBJ)
+
+ install : $(TARGET)
+- install --mode=755 --strip $(TARGET) $(INSTDIR)
++ install -m 755 -s $(TARGET) $(INSTDIR)
+
+ clean :
+ rm -f $(TARGET) $(OBJ)
diff --git a/security/pam_abl/files/pkg-deinstall.in b/security/pam_abl/files/pkg-deinstall.in
new file mode 100644
index 000000000000..ce80b6017ea5
--- /dev/null
+++ b/security/pam_abl/files/pkg-deinstall.in
@@ -0,0 +1,38 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+PATH=/bin:/usr/bin:/usr/sbin
+
+case $2 in
+DEINSTALL)
+ cd ${PKG_PREFIX}/etc || exit 1
+ cmp -s -z pam_abl.conf pam_abl.conf.sample && rm pam_abl.conf
+ rmdir %%PAMABLDB%% 2>/dev/null
+ ;;
+POST-DEINSTALL)
+ pam_files="$(grep -lR '^[^#]*pam_abl\.so' /etc/pam.d ${PKG_PREFIX}/etc/pam.d)"
+ echo "===> post-deinstallation information for $1:"
+ if [ -n "${pam_files}" ]; then
+ echo ""
+ echo " Warning: pam_able remain used for this services:"
+ for pam_file in ${pam_files}; do
+ echo " ${pam_file}"
+ done
+ fi
+ if [ -e ${PKG_PREFIX}/etc/pam_abl.conf -o -d %%PAMABLDB%% ]; then
+ echo ""
+ echo " To ease updates, the database directory and configuration"
+ echo " file modified by you were preserved."
+ echo ""
+ echo " Please remove them manually if you do not want to use"
+ echo " pam_abl any longer."
+ fi
+ echo ""
+ ;;
+*)
+ exit 64
+ ;;
+esac
+exit 0
diff --git a/security/pam_abl/files/pkg-message.in b/security/pam_abl/files/pkg-message.in
new file mode 100644
index 000000000000..5b41e37ddf2d
--- /dev/null
+++ b/security/pam_abl/files/pkg-message.in
@@ -0,0 +1,12 @@
+*****************************************************************************
+
+Read files in %%DOCSDIR%% for info on how to set up.
+
+*****************************************************************************
+
+To automatically purge pam_abl databases according to purge rules in config
+add to your /etc/periodic.conf this line:
+
+ daily_clean_pam_abl_enable="YES"
+
+*****************************************************************************
diff --git a/security/pam_abl/files/pkg-plist.in b/security/pam_abl/files/pkg-plist.in
new file mode 100644
index 000000000000..8b9ff7314101
--- /dev/null
+++ b/security/pam_abl/files/pkg-plist.in
@@ -0,0 +1,8 @@
+@comment $FreeBSD$
+etc/pam_abl.conf.sample
+etc/periodic/daily/190.clean-pam-abl
+lib/pam_abl.so
+sbin/pam_abl
+@exec mkdir -p %%PAMABLDB%%
+@dirrmtry etc/periodic/daily
+@dirrmtry etc/periodic
diff --git a/security/pam_abl/pkg-descr b/security/pam_abl/pkg-descr
new file mode 100644
index 000000000000..b283131f7748
--- /dev/null
+++ b/security/pam_abl/pkg-descr
@@ -0,0 +1,4 @@
+The pam_abl provides auto blacklisting of hosts and users
+responsible for repeated failed authentication attempts.
+
+WWW: http://www.hexten.net/pam_abl/