author | pav <pav@FreeBSD.org> | 2006-09-02 02:34:03 +0800 |
committer | pav <pav@FreeBSD.org> | 2006-09-02 02:34:03 +0800 |
commit | 471ab8d8a0469e93f01b305bd73762343f9067b5 (patch) | |
tree | 45f644db1519ba799f03bc715ebb07a3f959019b /security | |
parent | 6c451311cafc03e0e752157571495ca7b6a8c68a (diff) | |
pam_abl provides auto blacklisting of hosts and users
responsible for repeated failed authentication attempts.
WWW: http://www.hexten.net/pam_abl/
PR: ports/100635
Submitted by: Petr Rehor <prehor@gmail.com>
Diffstat (limited to 'security')
-rw-r--r-- | security/Makefile | 1 | ||||
-rw-r--r-- | security/pam_abl/Makefile | 73 | ||||
-rw-r--r-- | security/pam_abl/distinfo | 3 | ||||
-rw-r--r-- | security/pam_abl/files/190.clean-pam-abl.in | 25 | ||||
-rw-r--r-- | security/pam_abl/files/pam_abl.8.in | 270 | ||||
-rw-r--r-- | security/pam_abl/files/patch-Makefile | 42 | ||||
-rw-r--r-- | security/pam_abl/files/patch-conf-pam_abl.conf | 14 | ||||
-rw-r--r-- | security/pam_abl/files/patch-conf-system-auth | 39 | ||||
-rw-r--r-- | security/pam_abl/files/patch-doc-index.html | 75 | ||||
-rw-r--r-- | security/pam_abl/files/patch-doc-pam_abl.html | 11 | ||||
-rw-r--r-- | security/pam_abl/files/patch-pam_abl.c | 24 | ||||
-rw-r--r-- | security/pam_abl/files/patch-pam_abl.h | 19 | ||||
-rw-r--r-- | security/pam_abl/files/patch-tools-Makefile | 26 | ||||
-rw-r--r-- | security/pam_abl/files/pkg-deinstall.in | 38 | ||||
-rw-r--r-- | security/pam_abl/files/pkg-message.in | 12 | ||||
-rw-r--r-- | security/pam_abl/files/pkg-plist.in | 8 | ||||
-rw-r--r-- | security/pam_abl/pkg-descr | 4 |
17 files changed, 684 insertions, 0 deletions
diff --git a/security/Makefile b/security/Makefile index ef8716f8b2ef..e8d8f5e713df 100644 --- a/security/Makefile +++ b/security/Makefile @@ -464,6 +464,7 @@ SUBDIR += pad SUBDIR += pam-mysql SUBDIR += pam-pgsql + SUBDIR += pam_abl SUBDIR += pam_af SUBDIR += pam_alreadyloggedin SUBDIR += pam_authsrv diff --git a/security/pam_abl/Makefile b/security/pam_abl/Makefile new file mode 100644 index 000000000000..8a3f49e0c20c --- /dev/null +++ b/security/pam_abl/Makefile 
@@ -0,0 +1,73 @@ +# New ports collection makefile for: pam_abl +# Date created: Nov 6 2005 +# Whom: Petr Rehor <prehor@gmail.com> +# +# $FreeBSD$ +# + +PORTNAME= pam_abl +PORTVERSION= 0.2.3 +CATEGORIES= security +MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} +MASTER_SITE_SUBDIR= ${PORTNAME:S/_/-/} + +MAINTAINER= prehor@gmail.com +COMMENT= Blacklisting responsible for repeated failed authentication attempts + +WRKSRC= ${WRKDIR}/${PORTNAME} + +PAMABLDB?= /var/db/pam_abl + +USE_BDB= 42+ + +SUB_FILES= pkg-deinstall pkg-message pkg-plist pam_abl.8 190.clean-pam-abl +SUB_LIST= PAMABLDB=${PAMABLDB} + +PKGMESSAGE= ${WRKDIR}/pkg-message +PKGDEINSTALL= ${WRKDIR}/pkg-deinstall +PLIST= ${WRKDIR}/pkg-plist + +MAN8= pam_abl.8 + +.if !defined(NOPORTDOCS) +PORTDOCS= * +.endif + +.include <bsd.port.pre.mk> + +.if ${PREFIX} == / || ${PREFIX} == /usr +ETCPREFIX= +.else +ETCPREFIX= ${PREFIX} +.endif +SUB_LIST+= ETCPREFIX=${ETCPREFIX} + +SED_SCRIPT= -e 's|<db.h>|<${BDB_INCLUDE_DIR}/db.h>|' \ + -e 's|-ldb|-l${BDB_LIB_NAME}|' \ + -e 's|%%PREFIX%%|${PREFIX}|' \ + -e 's|%%ETCPREFIX%%|${ETCPREFIX}|' \ + -e 's|%%PAMABLDB%%|${PAMABLDB}|' + +post-patch: +.for file in Makefile pam_abl.h conf/pam_abl.conf conf/system-auth doc/index.html doc/pam_abl.html tools/Makefile + @${REINPLACE_CMD} ${SED_SCRIPT} ${WRKSRC}/${file} +.endfor + +pre-install: +.if !defined(NOPORTDOCS) + @${MKDIR} ${DOCSDIR} +.for file in AUTHORS COPYING Copyright NEWS README THANKS conf/system-auth doc/index.html doc/pam_abl.html doc/copying.html doc/style.css + ${INSTALL_DATA} ${WRKSRC}/${file} ${DOCSDIR} +.endfor +.endif +.if !defined(NO_INSTALL_MANPAGES) + @${MKDIR} ${MAN8PREFIX}/man/man8 + ${INSTALL_MAN} ${WRKDIR}/pam_abl.8 ${MAN8PREFIX}/man/man8/ +.endif + @${MKDIR} ${PREFIX}/etc/periodic/daily + ${INSTALL_SCRIPT} ${WRKDIR}/190.clean-pam-abl ${PREFIX}/etc/periodic/daily/ + +post-install: + @${CAT} ${PKGMESSAGE} + +.include <bsd.port.post.mk> 
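Review bot: Nothing in this port installs `${ETCPREFIX}/etc/pam_abl.conf`, only the `.sample` (see the `install` target in patch-Makefile), yet patch-pam_abl.h compiles exactly that path in as the default CONFIG, the sample policy in patch-conf-system-auth references it, and pkg-deinstall.in compares pam_abl.conf against the sample before removing it — which suggests an automatic copy was intended. What the module does when its config file is missing is not visible in this commit, and a `required` auth module in that state is not something an operator should discover at login time. Suggest adding to `post-install` the line `@[ -f ${ETCPREFIX}/etc/pam_abl.conf ] || ${CP} -p ${ETCPREFIX}/etc/pam_abl.conf.sample ${ETCPREFIX}/etc/pam_abl.conf` with a matching `@exec` in pkg-plist.in, or at least a sentence in pkg-message.in telling the user to copy the sample.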
diff --git a/security/pam_abl/distinfo b/security/pam_abl/distinfo new file mode 100644 index 000000000000..0f8a50adffb6 --- /dev/null +++ b/security/pam_abl/distinfo @@ -0,0 +1,3 @@ +MD5 (pam_abl-0.2.3.tar.gz) = fbcf97067e9647fa1d9257d4e6133cba +SHA256 (pam_abl-0.2.3.tar.gz) = 9bb4059fba96f9846784d5e70bec72893630bdd70bc840be767cc33b83c6b163 +SIZE (pam_abl-0.2.3.tar.gz) = 19000 diff --git a/security/pam_abl/files/190.clean-pam-abl.in b/security/pam_abl/files/190.clean-pam-abl.in new file mode 100644 index 000000000000..3b3ca29ff5f7 --- /dev/null +++ b/security/pam_abl/files/190.clean-pam-abl.in @@ -0,0 +1,25 @@ +#!/bin/sh +# +# $FreeBSD$ +# +# Purge pam_abl databases according to purge rules in config. +# + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ]; then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_clean_pam_abl_enable" in + [Yy][Ee][Ss]) + echo "" + echo "Purging pam_abl databases:" + + %%PREFIX%%/sbin/pam_abl -p -v ${daily_clean_pam_abl_config_file} + [ $? -ne 0 ] && rc=3 || rc=0;; + *) rc=0;; +esac + +exit $rc diff --git a/security/pam_abl/files/pam_abl.8.in b/security/pam_abl/files/pam_abl.8.in new file mode 100644 index 000000000000..9395d43eda77 --- /dev/null +++ b/security/pam_abl/files/pam_abl.8.in 
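Review bot: The `daily_clean_pam_abl_config_file` knob read on the `pam_abl -p -v` line is documented nowhere — not in the script header and not in pkg-message.in, which only mentions `daily_clean_pam_abl_enable`. It is also, correctly, left unquoted so that an unset value passes no argument and pam_abl falls back to its compiled-in config path; a later maintainer "fixing" the quoting would pass an empty string as the config file name. Suggest recording that in the header, e.g. `# daily_clean_pam_abl_config_file: optional config file for pam_abl; leave unset to use the compiled-in default (deliberately unquoted below)`.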
@@ -0,0 +1,270 @@ +.\" +.\" $FreeBSD$ +.\" +.Dd January 14, 2006 +.Dt pam_abl 8 +.Os +.Sh NAME +.Nm pam_abl +.Nd auto blacklist PAM module +.Sh SYNOPSIS +.Ss Auto Blacklist PAM module +.Op Ar service-name +.Ar module-name +.Ar control-flag +.Pa pam_abl +.Op Ar options +.Ss Blacklist maintenance tool +.Nm +.Op Fl h | Fl -help +.Op Fl p | Fl -purge +.Op Fl r | Fl -relative +.Op Fl v | Fl -verbose +.Op Fl -okhost Ns No = Ns Ar host +.Op Fl -okuser Ns No = Ns Ar user +.Op Ar config-file +.Sh DESCRIPTION +The Auto Blacklist module for PAM, +.Nm +provides functionality for only one PAM category: authentication. +In terms of the +.Ar module-type +parameter, this is the +.Dq Li auth +feature. +.Ss Auto Blacklist PAM Authentication Module +.Nm +provides auto blacklisting of hosts and users responsible for repeated +failed authentication attempts. Generally configured so that blacklisted +users still see normal login prompts but are guaranteed to fail to +authenticate. This functionality is only available to services which call +PAM as root. If +.Nm +is called for uid != 0 it will silently succeed. + +The following options may be passed to the authentication module: +.Bl -tag -width indent +.It Cm debug +.Xr syslog 3 +debugging information at +.Dv LOG_DEBUG +level. +.It Cm expose_account +Ignored. +.It Cm no_warn +suppress warning messages to the user. +These messages include reasons why the user's authentication attempt was +declined. +.It Cm try_first_pass +Ignored. +.It Cm use_first_pass +Ignored. +.It Cm use_mapped_pass +Ignored. +.It Cm config Ns No = Ns Ar config-file +The configuration file contains additional arguments. In order for the +.Nm +blacklist maintenance tool to work correctly most of the configuration +should be placed in the config file rather than being provided by arguments. +The format of the config file is described below. 
+.It Cm host_db Ns No = Ns Ar host-database-file +Path to the Berkeley DB which is used to log the host responsible for failed +authentication attempts. +If host_db is omitted the corresponding auto blacklisting will be disabled. +.It Cm host_purge Ns No = Ns Ar time +Defines how long failed hosts are retained in the host database. +Defaults to 1 day. +.It Cm host_rule Ns No = Ns Ar host-rule +The rule (see below for format) which defines the conditions under which a +failed hosts will be blackisted. +.It Cm user_db Ns No = Ns Ar user-database-file +Path to the Berkeley DB which is used to log the user responsible for failed +authentication attempts. +If user_db is omitted the corresponding auto blacklisting will be disabled. +.It Cm user_purge Ns No = Ns Ar time +Defines how long failed users are retained in the user database. +Defaults to 1 day. +.It Cm user_rule Ns No = Ns Ar user-rule +The rule (see below for format) which defines the conditions under which a +failed users will be blackisted. +.El +.Ss Rules syntax +.Cm host_rule No Cm user_rule +are the rules which determine the circumstances under which accounts ares +auto blacklisted. +The +.Cm host_rule +is used to block access to hosts that are responsible for excessive +authentication failures and the +.Cm user_rule +is used to disable accounts for which there have been excessive +authentication failures. +Each rule consists of a number of space separated +.Sy user clauses Ns No . +A +.Sy user clause +specifies the user names and services to match and a set of triggers. +A simple example would be: +.Bd -literal -offset indent +*:10/1h +.Ed +.Pp +which means 'block any user (*) if they are responsible for ten or more +failed authentication attempts in the last hour'. 
+In place of the '*' which matches any user a list of usernames can be +supplied like this: +.Bd -literal -offset indent +root|dba|admin:10/1h +.Ed +.Pp +which means 'block the users root, dba and admin if they are responsible +for ten or more failed authentication attempts in the last hour'. +You can also specify a service name to match against like this: +.Bd -literal -offset indent +root/sshd|dba/*:3/1d +.Ed +.Pp +which means 'block the users root for service sshd and user dba for any +service if they are responsible for three or more failed authentication +attempts in the last day'. +Finally you can specify multiple triggers like this: +.Bd -literal -offset indent +root:10/1h,20/1d +.Ed +.Pp +which means 'block the user root if they are responsible for ten or more +failed attempts in the last hour or twenty or more failed attempts in the +last day. +.Pp +Multiple rules can be provided separated by spaces like this: +.Bd -literal -offset indent +*:10/1h root:5/1h,10/1d +.Ed +.Pp +in which case all rules that match a particular user and service will be +checked. +The user or host will be blocked if any of the rule triggers matches. +.Pp +The sense of the user matching can be inverted by placing a '!' in front +of the rule so that: +.Bd -literal -offset indent +!root:20/1d +.Ed +.Pp +is a rule which would match for all users apart from root. +.Pp +It is important to treat root as a special case in the +.Cm user_rule +otherwise excessive attempts to authenticate as root will result in the +root account being locked out even for valid holders of root credentials. +.Pp +Here is the full syntax for rules: +.Bd -literal -offset indent +word ::= /[^\\s\\|\\/\\*]+/ +name ::= word | '*' +username ::= name +servicename ::= name +userservice ::= username | username '/' servicename +namelist ::= userservice | userservice '|' namelist +userspec ::= namelist | '!' 
namelist +multiplier ::= 's' | 'm' | 'h' | 'd' +number ::= /\d+/ +period ::= number | number multiplier +trigger ::= number '/' period +triglist ::= trigger | trigger ',' triglist +userclause ::= userspec ':' triglist +rule ::= userclause | userclause /\s+/ rule +.Ed +.Pp +For rules to work correctly +.Cm host_purge No and Cm user_purge +must be at least as long as the longest period specified in a corresponding +rule. +You may wish to retain information about failed attempts for longer than +this so that the +.Nm +blacklist maintenance tool can report information over a longer period of +time. +The format for this items is a number with an optional multiplier suffix, +'s', 'm', 'h' or 'd' which correspond with seconds, minutes, hours and days. +To specify seven days for example one would use '7d'. +Note that in normal operation +.Nm +PAM module will only purge the logged data for a particular host or user +if it happens to be updating it, i.e. if that host or user makes another +failed attempt. +To purge all old entries the +.Nm +blacklist maintenance tool should be used. +.Ss Blacklist maintenance tool +Blacklist maintenance tool +.Nm +perform maintenance on the databases used by the +.Nm +PAM module. +The options are as follows: +.Bl -tag -width indent +.It Fl h | Fl -help +Print help page and exit. +.It Fl p | Fl -purge +Purge databases according to purge rules in config. +.It Fl r | Fl -relative +Display times relative to now otherwise absolute times will be displayed. +.It Fl v | Fl -verbose +Verbose output. +.It Fl -okhost Ns No = Ns Ar host-name +Unblock host. +.It Fl -okuser Ns No = Ns Ar user-name +Unblock user. +.It Ar config-file +Name of the +.Nm +configuration file (default: %%ETCPREFIX%%/etc/pam_abl.conf). +The config file is read to discover the names of the +.Nm +databases and the rules that control purging of old data from them. 
+.El +.Sh EXAMPLES +.Ss Auto Blacklist PAM module +Typically +.Nm +PAM module is added to the auth stack as a required module just before +whatever modules actually peform authentication. +Here's a fragment of the PAM config: +.Bd -literal -offset indent +auth required pam_env +auth required pam_abl config=%%ETCPREFIX%%/etc/pam_abl.conf +auth sufficient pam_unix likeauth nullok +auth required pam_deny +.Ed +.Ss Blacklist maintenance tool +Obtain a list of failed hosts and users: +.Bd -literal -offset indent +$ pam_abl +.Ed +.Pp +Obtain a full list of failures listing times relative to now: +.Bd -literal -offset indent +$ pam_abl -rv +.Ed +.Pp +Purge old data: +.Bd -literal -offset indent +$ pam_abl -p +.Ed +.Pp +Unblock all example.com hosts and all users: +.Bd -literal -offset indent +$ pam_abl -v --okhost='*.example.com' --okuser='*' +.Ed +.Sh SEE ALSO +.Xr pam.conf 5 , +.Xr pam 8 +.Bd -literal +http://www.hexten.net/pam_abl/ +http://sourceforge.net/project/showfiles.php?group_id=148927 +.Ed +.Sh AUTHORS +Written by Andy Armstrong <andy@hexten.net>. +.Sh BUGS +Report bugs to Andy Armstrong <andy@hexten.net>. diff --git a/security/pam_abl/files/patch-Makefile b/security/pam_abl/files/patch-Makefile new file mode 100644 index 000000000000..2e2c9c99ee0e --- /dev/null +++ b/security/pam_abl/files/patch-Makefile 
@@ -0,0 +1,42 @@ +--- Makefile.orig Wed Oct 12 21:22:25 2005 ++++ Makefile Sun Dec 11 00:29:31 2005 +@@ -1,11 +1,11 @@ + # Makefile + # $Id: Makefile,v 1.1.1.1 2005/10/12 19:22:25 tagishandy Exp $ + +-CFLAGS=-Wall -fPIC +-PAMDIR=/lib/security +-CONFDIR=/etc/security +-DBDIR=/var/lib/abl +-LIBS=-ldb -lpthread ++CFLAGS=-Wall -fPIC -I/usr/local/include ++PAMDIR=%%PREFIX%%/lib ++CONFDIR=%%ETCPREFIX%%/etc ++DBDIR=%%PAMABLDB%% ++LIBS=-L/usr/local/lib -ldb -lpthread + MODULE=pam_abl.so + OBJ=pam_abl.o log.o config.o rule.o + SUBDIRS=tools +@@ -14,17 +14,17 @@ + for d in $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done + + $(MODULE) : $(OBJ) +- ld -x --shared $(LIBS) -o $@ $^ ++ ld -x --shared $(LIBS) -o $(MODULE) $(OBJ) + + clean : + rm -f $(MODULE) $(OBJ) + for d in $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done + + install : $(MODULE) +- install --mode=755 --strip $(MODULE) $(PAMDIR) +- #install --mode=644 conf/pam_abl.conf $(CONFDIR) +- install -d --mode=755 $(DBDIR) +- for d in t $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done ++ install -m 755 -s $(MODULE) $(PAMDIR) ++ install -m 644 conf/pam_abl.conf $(CONFDIR)/pam_abl.conf.sample ++ install -d -m 755 $(DBDIR) ++ for d in $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done + + depend : + cc -MM *.c > deps diff --git a/security/pam_abl/files/patch-conf-pam_abl.conf b/security/pam_abl/files/patch-conf-pam_abl.conf new file mode 100644 index 000000000000..c668e08296b7 --- /dev/null +++ b/security/pam_abl/files/patch-conf-pam_abl.conf @@ -0,0 +1,14 @@ +--- conf/pam_abl.conf.orig Sat Dec 10 23:27:33 2005 ++++ conf/pam_abl.conf Sun Dec 11 00:07:41 2005 +@@ -1,8 +1,8 @@ +-# /etc/security/pam_abl.conf ++# %%ETCPREFIX%%/etc/pam_abl.conf + # debug +-host_db=/var/lib/abl/hosts.db ++host_db=%%PAMABLDB%%/hosts.db + host_purge=2d + host_rule=*:10/1h,30/1d +-user_db=/var/lib/abl/users.db ++user_db=%%PAMABLDB%%/users.db + user_purge=2d + user_rule=!root:10/1h,30/1d 
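Review bot: The patched `CFLAGS` and `LIBS` lines hard-code `-I/usr/local/include` and `-L/usr/local/lib` (patch-tools-Makefile does the same), which breaks a build with a non-default LOCALBASE and bypasses what the port's SED_SCRIPT already derives from BDB_INCLUDE_DIR and BDB_LIB_NAME; after the `<db.h>` rewrite in pam_abl.h the include flag is probably redundant, though other sources may include db.h directly. Since the port already runs these Makefiles through REINPLACE_CMD, a placeholder is the consistent fix: `CFLAGS=-Wall -fPIC -I%%LOCALBASE%%/include` and `LIBS=-L%%LOCALBASE%%/lib -ldb -lpthread`, with `-e 's|%%LOCALBASE%%|${LOCALBASE}|'` added to SED_SCRIPT in the port Makefile. The same two substitutions apply to patch-tools-Makefile.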
diff --git a/security/pam_abl/files/patch-conf-system-auth b/security/pam_abl/files/patch-conf-system-auth new file mode 100644 index 000000000000..4f287c13b2a4 --- /dev/null +++ b/security/pam_abl/files/patch-conf-system-auth @@ -0,0 +1,39 @@ +--- conf/system-auth.orig Wed Oct 12 21:22:27 2005 ++++ conf/system-auth Sat Jan 14 22:37:20 2006 +@@ -1,15 +1,24 @@ +-#%PAM-1.0 +-auth required /lib/security/$ISA/pam_env.so +-auth required /lib/security/$ISA/pam_abl.so config=/etc/security/pam_abl.conf +-auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok +-auth required /lib/security/$ISA/pam_deny.so ++# ++# System-wide defaults ++# + +-account required /lib/security/$ISA/pam_unix.so ++# auth ++auth required %%PREFIX%%/lib/pam_abl.so config=%%ETCPREFIX%%/etc/pam_abl.conf ++auth sufficient pam_opie.so no_warn no_fake_prompts ++auth requisite pam_opieaccess.so no_warn allow_local ++#auth sufficient pam_krb5.so no_warn try_first_pass ++#auth sufficient pam_ssh.so no_warn try_first_pass ++auth required pam_unix.so no_warn try_first_pass nullok + +-password required /lib/security/$ISA/pam_cracklib.so retry=3 type= +-password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow +-password required /lib/security/$ISA/pam_deny.so ++# account ++#account required pam_krb5.so ++account required pam_login_access.so ++account required pam_unix.so + +-session required /lib/security/$ISA/pam_limits.so +-session required /lib/security/$ISA/pam_abl.so +-session required /lib/security/$ISA/pam_unix.so ++# session ++#session optional pam_ssh.so ++session required pam_lastlog.so no_fail ++ ++# password ++#password sufficient pam_krb5.so no_warn try_first_pass ++password required pam_unix.so no_warn try_first_pass diff --git a/security/pam_abl/files/patch-doc-index.html b/security/pam_abl/files/patch-doc-index.html new file mode 100644 index 000000000000..1b63b6263bb5 --- /dev/null +++ b/security/pam_abl/files/patch-doc-index.html 
@@ -0,0 +1,75 @@ +--- doc/index.html.orig Wed Oct 12 21:22:27 2005 ++++ doc/index.html Sat Jan 14 22:48:16 2006 +@@ -44,7 +44,7 @@ + <dd>Requires <a href="http://www.sleepycat.com/products/db.shtml">Berkeley DB</a> + (tested with 4.3.21 and 4.2.50).<br /> + +- Requires a configuration file (by convention /etc/security/pam_abl.conf)</dd> ++ Requires a configuration file (by convention %%ETCPREFIX%%/etc/pam_abl.conf)</dd> + + <dt>Network aware:</dt> + +@@ -171,28 +171,26 @@ + <p>Typically pam_abl.so is added to the auth stack as a required module just before whatever modules actually peform authentication. Here's a fragment of the PAM config for a production server that is running pam_abl:</p> + + <table class="config"> +- <tr><td>auth</td><td>required</td><td>/lib/security/pam_env.so</td></tr> +- <tr><td>auth</td><td>required</td><td>/lib/security/pam_abl.so config=/etc/security/pam_abl.conf</td></tr> +- <tr><td>auth</td><td>sufficient</td><td>/lib/security/pam_unix.so likeauth nullok</td></tr> +- <tr><td>auth</td><td>required</td><td>/lib/security/pam_deny.so</td></tr> ++ <tr><td>auth</td><td>required</td><td>%%PREFIX%%/lib/pam_abl.so config=%%ETCPREFIX%%/etc/pam_abl.conf</td></tr> ++ <tr><td>auth</td><td>required</td><td>pam_unix.so no_warn try_first_pass nullok</td></tr> + </table> + +- <p>Although all of accepted arguments can be supplied here they will usually be placed in a separate config file and linked to using the config argument as in the above example. The <a href="pam_abl.html">pam_abl command line tool</a> reads the external config file (/etc/security/pam_abl.conf in this case) to find the databases so in order for it work correctly an external config should be used.</p> ++ <p>Although all of accepted arguments can be supplied here they will usually be placed in a separate config file and linked to using the config argument as in the above example. 
The <a href="pam_abl.html">pam_abl command line tool</a> reads the external config file (%%ETCPREFIX%%/etc/pam_abl.conf in this case) to find the databases so in order for it work correctly an external config should be used.</p> + + </dd> + + <dt>Config file syntax:</dt> + + <dd> +- <p>The config file can contain any arguments that would be supplied via PAM config. In the config file arguments are placed on separate lines. Comments may be included after a '#' and line continuation is possible by placing a back slash at the end of the line to be continued. Here is a sample /etc/security/pam_abl.conf:</p> ++ <p>The config file can contain any arguments that would be supplied via PAM config. In the config file arguments are placed on separate lines. Comments may be included after a '#' and line continuation is possible by placing a back slash at the end of the line to be continued. Here is a sample %%ETCPREFIX%%/etc/pam_abl.conf:</p> + + <table class="config"> +- <tr><td># /etc/security/pam_abl.conf</td></tr> ++ <tr><td># %%ETCPREFIX%%/etc/pam_abl.conf</td></tr> + <tr><td>debug</td></tr> +- <tr><td>host_db=/var/lib/abl/hosts.db</td></tr> ++ <tr><td>host_db=%%PAMABLDB%%/hosts.db</td></tr> + <tr><td>host_purge=2d</td></tr> + <tr><td>host_rule=*:10/1h,30/1d</td></tr> +- <tr><td>user_db=/var/lib/abl/users.db</td></tr> ++ <tr><td>user_db=%%PAMABLDB%%/users.db</td></tr> + <tr><td>user_purge=2d</td></tr> + <tr><td>user_rule=!root:10/1h,30/1d</td></tr> + </table> +@@ -282,21 +280,19 @@ + <p>Sample PAM config fragment:</p> + + <table class="config"> +- <tr><td>auth</td><td>required</td><td>/lib/security/pam_env.so</td></tr> +- <tr><td>auth</td><td>required</td><td>/lib/security/pam_abl.so config=/etc/security/pam_abl.conf</td></tr> +- <tr><td>auth</td><td>sufficient</td><td>/lib/security/pam_unix.so likeauth nullok</td></tr> +- <tr><td>auth</td><td>required</td><td>/lib/security/pam_deny.so</td></tr> ++ <tr><td>auth</td><td>required</td><td>%%PREFIX%%/lib/pam_abl.so 
%%ETCPREFIX%%/etc/pam_abl.conf</td></tr> ++ <tr><td>auth</td><td>required</td><td>pam_unix.so no_warn try_first_pass nullok</td></tr> + </table> + +- <p>Sample /etc/security/pam_abl.conf:</p> ++ <p>Sample %%ETCPREFIX%%/etc/pam_abl.conf:</p> + + <table class="config"> +- <tr><td># /etc/security/pam_abl.conf</td></tr> ++ <tr><td># %%ETCPREFIX%%/etc/pam_abl.conf</td></tr> + <tr><td>debug</td></tr> +- <tr><td>host_db=/var/lib/abl/hosts.db</td></tr> ++ <tr><td>host_db=%%PAMABLDB%%/hosts.db</td></tr> + <tr><td>host_purge=2d</td></tr> + <tr><td>host_rule=*:10/1h,30/1d</td></tr> +- <tr><td>user_db=/var/lib/abl/users.db</td></tr> ++ <tr><td>user_db=%%PAMABLDB%%/users.db</td></tr> + <tr><td>user_purge=2d</td></tr> + <tr><td>user_rule=!root:10/1h,30/1d</td></tr> + </table> diff --git a/security/pam_abl/files/patch-doc-pam_abl.html b/security/pam_abl/files/patch-doc-pam_abl.html new file mode 100644 index 000000000000..fd162fd85d3d --- /dev/null +++ b/security/pam_abl/files/patch-doc-pam_abl.html @@ -0,0 +1,11 @@ +--- doc/pam_abl.html.orig Wed Oct 12 21:22:27 2005 ++++ doc/pam_abl.html Sat Jan 14 23:00:43 2006 +@@ -15,7 +15,7 @@ + <dd>pam_abl [OPTION] [CONFIG]</dd> + <dt>DESCRIPTION</dt> + <dd> +- <p>Perform maintenance on the databases used by the pam_abl (auto blacklist) module. CONFIG is the name of the pam_abl config file (default: /etc/security/pam_abl.conf). The config file is read to discover the names of the pam_abl databases and the rules that control purging of old data from them. The following options are available</p> ++ <p>Perform maintenance on the databases used by the pam_abl (auto blacklist) module. CONFIG is the name of the pam_abl config file (default: %%ETCPREFIX%%/etc/pam_abl.conf). The config file is read to discover the names of the pam_abl databases and the rules that control purging of old data from them. The following options are available</p> + <table> + <tr> + <td>-h, --help</td> 
diff --git a/security/pam_abl/files/patch-pam_abl.c b/security/pam_abl/files/patch-pam_abl.c new file mode 100644 index 000000000000..3ef097a22f44 --- /dev/null +++ b/security/pam_abl/files/patch-pam_abl.c @@ -0,0 +1,24 @@ +--- pam_abl.c.orig Wed Oct 12 21:22:26 2005 ++++ pam_abl.c Sat Jan 14 21:39:41 2006 +@@ -344,7 +344,7 @@ + abl_args *args = data; + log_debug(args, "In cleanup, err is %08x", err); + +- if (err && (err & PAM_DATA_REPLACE) == 0) { ++ if (err == PAM_AUTH_ERR) { + record_attempt(args); + } + config_free(args); +@@ -359,6 +359,12 @@ + int err = PAM_SUCCESS; + + /*log_debug(NULL, "pam_sm_authenticate(), flags=%08x", flags);*/ ++ ++ if (err = pam_get_data(pamh, DATA_NAME, &args), PAM_SUCCESS == err) { ++ record_attempt(args); ++ } else if (PAM_NO_MODULE_DATA != err) { ++ return err; ++ } + + if (args = malloc(sizeof(abl_args)), NULL == args) { + return PAM_BUF_ERR; diff --git a/security/pam_abl/files/patch-pam_abl.h b/security/pam_abl/files/patch-pam_abl.h new file mode 100644 index 000000000000..2d21d063997e --- /dev/null +++ b/security/pam_abl/files/patch-pam_abl.h @@ -0,0 +1,19 @@ +--- pam_abl.h.orig Wed Oct 12 21:22:27 2005 ++++ pam_abl.h Sat Jan 14 19:25:44 2006 +@@ -51,6 +51,7 @@ + #define __PAM_ABL_H + + #include <security/pam_modules.h> ++#include <security/pam_appl.h> + #include <db.h> + + #include <ctype.h> +@@ -74,7 +75,7 @@ + /* User purge time in seconds */ + #define USER_PURGE (HOURSECS * 24) + +-#define CONFIG "/etc/security/pam_abl.conf" ++#define CONFIG "%%ETCPREFIX%%/etc/pam_abl.conf" + + typedef struct abl_string { + struct abl_string *link; diff --git a/security/pam_abl/files/patch-tools-Makefile b/security/pam_abl/files/patch-tools-Makefile new file mode 100644 index 000000000000..c79088740284 --- /dev/null +++ b/security/pam_abl/files/patch-tools-Makefile 
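Review bot: The cleanup now records a failed attempt only when the handle ends with exactly PAM_AUTH_ERR, so an end status of PAM_MAXTRIES, PAM_USER_UNKNOWN or PAM_PERM_DENIED after a failed authentication is no longer counted; whether the applications this port targets end their handles with those codes is not visible here, but a repeated-failure counter that ignores them is a gap worth stating. The previous condition counted every non-success, non-replace status, so the narrowing also stops non-authentication errors from being logged as failed logins — a trade-off the patch does not explain anywhere. Suggest a comment above the test, e.g. `/* only a PAM_AUTH_ERR end status counts here; earlier rounds on the same handle are recorded on re-entry into pam_sm_authenticate */`, so the next maintainer neither widens nor narrows it blindly. The enclosing cleanup function starts outside the hunk.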
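Review bot: After the new pam_get_data block, `err` is left holding PAM_NO_MODULE_DATA on the first call (the `else if` deliberately does not return), so any later path in pam_sm_authenticate that returns `err` without reassigning it would report PAM_NO_MODULE_DATA instead of PAM_SUCCESS; the rest of the function is outside the hunk, so I cannot confirm whether such a path exists. Adding `err = PAM_SUCCESS;` after the block removes the hazard regardless. The block also records the previously stored round as a failure unconditionally, which is only right if a second pam_sm_authenticate on the same handle implies the first one failed; that assumption deserves a comment such as `/* re-entry on the same handle: the previous round did not succeed, record it before starting a new one */`. Passing `&args` to pam_get_data's `const void **` parameter will also warn on stricter compilers; `(const void **)&args` is the usual form. pam_sm_authenticate continues outside the hunk.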
@@ -0,0 +1,26 @@ +--- tools/Makefile.orig Wed Oct 12 21:22:27 2005 ++++ tools/Makefile Sun Dec 11 00:22:30 2005 +@@ -1,18 +1,18 @@ + # Makefile + +-CFLAGS=-Wall +-LIBS=-ldb -lpthread ++CFLAGS=-Wall -I/usr/local/include ++LIBS=-L/usr/local/lib -ldb -lpthread + TARGET=pam_abl + OBJ=log.o config.o rule.o pam_abl.o +-INSTDIR=/usr/bin ++INSTDIR=%%PREFIX%%/sbin + + all : $(TARGET) + + $(TARGET) : $(OBJ) +- cc $(LIBS) -o $@ $^ ++ cc $(LIBS) -o $(TARGET) $(OBJ) + + install : $(TARGET) +- install --mode=755 --strip $(TARGET) $(INSTDIR) ++ install -m 755 -s $(TARGET) $(INSTDIR) + + clean : + rm -f $(TARGET) $(OBJ) diff --git a/security/pam_abl/files/pkg-deinstall.in b/security/pam_abl/files/pkg-deinstall.in new file mode 100644 index 000000000000..ce80b6017ea5 --- /dev/null +++ b/security/pam_abl/files/pkg-deinstall.in @@ -0,0 +1,38 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +PATH=/bin:/usr/bin:/usr/sbin + +case $2 in +DEINSTALL) + cd ${PKG_PREFIX}/etc || exit 1 + cmp -s -z pam_abl.conf pam_abl.conf.sample && rm pam_abl.conf + rmdir %%PAMABLDB%% 2>/dev/null + ;; +POST-DEINSTALL) + pam_files="$(grep -lR '^[^#]*pam_abl\.so' /etc/pam.d ${PKG_PREFIX}/etc/pam.d)" + echo "===> post-deinstallation information for $1:" + if [ -n "${pam_files}" ]; then + echo "" + echo " Warning: pam_able remain used for this services:" + for pam_file in ${pam_files}; do + echo " ${pam_file}" + done + fi + if [ -e ${PKG_PREFIX}/etc/pam_abl.conf -o -d %%PAMABLDB%% ]; then + echo "" + echo " To ease updates, the database directory and configuration" + echo " file modified by you were preserved." + echo "" + echo " Please remove them manually if you do not want to use" + echo " pam_abl any longer." + fi + echo "" + ;; +*) + exit 64 + ;; +esac +exit 0 diff --git a/security/pam_abl/files/pkg-message.in b/security/pam_abl/files/pkg-message.in new file mode 100644 index 000000000000..5b41e37ddf2d --- /dev/null +++ b/security/pam_abl/files/pkg-message.in 
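Review bot: In the POST-DEINSTALL branch, `grep -lR` prints an error to the terminal whenever `${PKG_PREFIX}/etc/pam.d` does not exist, and the warning it guards has a typo (`pam_able remain used for this services`); both are user-visible on every deinstall. Suggest `pam_files="$(grep -lR '^[^#]*pam_abl\.so' /etc/pam.d ${PKG_PREFIX}/etc/pam.d 2>/dev/null)"` and `echo " Warning: pam_abl is still referenced by these services:"`. The warning is the important part of this script: pam_abl.so is removed while the listed policies still name it as a required module, and how OpenPAM treats a policy whose module cannot be loaded is not visible here, so the message should say that those services need the reference removed before they are used again.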
@@ -0,0 +1,12 @@ +***************************************************************************** + +Read files in %%DOCSDIR%% for info on how to set up. + +***************************************************************************** + +To automatically purge pam_abl databases according to purge rules in config +add to your /etc/periodic.conf this line: + + daily_clean_pam_abl_enable="YES" + +***************************************************************************** diff --git a/security/pam_abl/files/pkg-plist.in b/security/pam_abl/files/pkg-plist.in new file mode 100644 index 000000000000..8b9ff7314101 --- /dev/null +++ b/security/pam_abl/files/pkg-plist.in @@ -0,0 +1,8 @@ +@comment $FreeBSD$ +etc/pam_abl.conf.sample +etc/periodic/daily/190.clean-pam-abl +lib/pam_abl.so +sbin/pam_abl +@exec mkdir -p %%PAMABLDB%% +@dirrmtry etc/periodic/daily +@dirrmtry etc/periodic diff --git a/security/pam_abl/pkg-descr b/security/pam_abl/pkg-descr new file mode 100644 index 000000000000..b283131f7748 --- /dev/null +++ b/security/pam_abl/pkg-descr @@ -0,0 +1,4 @@ +The pam_abl provides auto blacklisting of hosts and users +responsible for repeated failed authentication attempts. + +WWW: http://www.hexten.net/pam_abl/ |
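Review bot: `@exec mkdir -p %%PAMABLDB%%` (like `install -d -m 755 $(DBDIR)` in patch-Makefile) creates the database directory with the default world-readable mode, while pam_abl.8 in this commit describes its contents as a log of the hosts and users behind failed authentication attempts. How the module creates the .db files is not visible here, so the directory mode is the only barrier I can see against local users reading that list; since the module is documented as functioning only when called as root and the tool is installed under sbin, `@exec mkdir -p -m 700 %%PAMABLDB%%` (and `-m 700` in the patch) would close it without affecting either. If the tool is meant to be usable by non-root accounts, that requirement should be stated in pkg-message.in instead.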