login: do reject wrong passwords with PAM auth
parent
9862e6b056
commit
82f3b16713
@ -307,18 +307,26 @@ int login_main(int argc, char **argv)
|
|||||||
goto pam_auth_failed;
|
goto pam_auth_failed;
|
||||||
}
|
}
|
||||||
pamret = pam_authenticate(pamh, 0);
|
pamret = pam_authenticate(pamh, 0);
|
||||||
if (pamret == PAM_SUCCESS) {
|
if (pamret != PAM_SUCCESS) {
|
||||||
char *pamuser;
|
failed_msg = "pam_authenticate";
|
||||||
/* check that the account is healthy. */
|
goto pam_auth_failed;
|
||||||
|
/* TODO: or just "goto auth_failed"
|
||||||
|
* since user seems to enter wrong password
|
||||||
|
* (in this case pamret == 7)
|
||||||
|
*/
|
||||||
|
}
|
||||||
|
/* check that the account is healthy */
|
||||||
pamret = pam_acct_mgmt(pamh, 0);
|
pamret = pam_acct_mgmt(pamh, 0);
|
||||||
if (pamret != PAM_SUCCESS) {
|
if (pamret != PAM_SUCCESS) {
|
||||||
failed_msg = "account setup";
|
failed_msg = "account setup";
|
||||||
goto pam_auth_failed;
|
goto pam_auth_failed;
|
||||||
}
|
}
|
||||||
/* read user back */
|
/* read user back */
|
||||||
|
{
|
||||||
|
const char *pamuser;
|
||||||
/* gcc: "dereferencing type-punned pointer breaks aliasing rules..."
|
/* gcc: "dereferencing type-punned pointer breaks aliasing rules..."
|
||||||
* thus we use double cast */
|
* thus we cast to (void*) */
|
||||||
if (pam_get_item(pamh, PAM_USER, (const void **)(void*)&pamuser) != PAM_SUCCESS) {
|
if (pam_get_item(pamh, PAM_USER, (void*)&pamuser) != PAM_SUCCESS) {
|
||||||
failed_msg = "pam_get_item(USER)";
|
failed_msg = "pam_get_item(USER)";
|
||||||
goto pam_auth_failed;
|
goto pam_auth_failed;
|
||||||
}
|
}
|
||||||
@ -331,7 +339,7 @@ int login_main(int argc, char **argv)
|
|||||||
break;
|
break;
|
||||||
goto auth_failed;
|
goto auth_failed;
|
||||||
pam_auth_failed:
|
pam_auth_failed:
|
||||||
bb_error_msg("%s failed: %s", failed_msg, pam_strerror(pamh, pamret));
|
bb_error_msg("%s failed: %s (%d)", failed_msg, pam_strerror(pamh, pamret), pamret);
|
||||||
safe_strncpy(username, "UNKNOWN", sizeof(username));
|
safe_strncpy(username, "UNKNOWN", sizeof(username));
|
||||||
#else /* not PAM */
|
#else /* not PAM */
|
||||||
pw = getpwnam(username);
|
pw = getpwnam(username);
|
||||||
@ -360,6 +368,7 @@ int login_main(int argc, char **argv)
|
|||||||
auth_failed:
|
auth_failed:
|
||||||
opt &= ~LOGIN_OPT_f;
|
opt &= ~LOGIN_OPT_f;
|
||||||
bb_do_delay(FAIL_DELAY);
|
bb_do_delay(FAIL_DELAY);
|
||||||
|
/* TODO: doesn't sound like correct English phrase to me */
|
||||||
puts("Login incorrect");
|
puts("Login incorrect");
|
||||||
if (++count == 3) {
|
if (++count == 3) {
|
||||||
syslog(LOG_WARNING, "invalid password for '%s'%s",
|
syslog(LOG_WARNING, "invalid password for '%s'%s",
|
||||||
|
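Review bot: The new `pam_authenticate` failure branch jumps to `pam_auth_failed`, where `bb_error_msg("%s failed: %s (%d)", ...)` reports the failing stage, the PAM error text and the numeric code; if that message reaches the login terminal (where bb_error_msg writes is not visible here), an unauthenticated caller can tell a wrong password apart from an `account setup` or `pam_get_item(USER)` failure, which the generic "Login incorrect" line is meant to hide. The TODO in the same branch already names the alternative: send a plain wrong password to the common path with `goto auth_failed;` and keep the diagnostic for the administrator only, e.g. `syslog(LOG_WARNING, "%s failed: %s (%d)", failed_msg, pam_strerror(pamh, pamret), pamret);`. It is also worth confirming that the `pam_auth_failed` path still reaches `bb_do_delay(FAIL_DELAY)` and the `++count` limit, since the code between that label and `auth_failed:` lies outside these hunks. login_main starts and ends outside the hunks shown.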