login: add LOGIN_RETRIES, cleanup retries check code

Signed-off-by: Karel Zak <kzak@redhat.com>

2 files changed, 9 insertions, 3 deletions

diff --git a/login-utils/login.1 b/login-utils/login.1
index d5d372d88..26cd951ac 100644
--- a/login-utils/login.1
+++ b/login-utils/login.1
@@ -150,6 +150,11 @@ PAM module.
 Max time in seconds for login. The default value is 60.
 .RE
 .PP
+\fBLOGIN_RETRIES\fR (number)
+.RS 4
+Maximum number of login retries in case of bad password.
+.RE
+.PP
 \fBFAIL_DELAY\fR (number)
 .RS 4
 Delay in seconds before being allowed another three tries after a login
diff --git a/login-utils/login.c b/login-utils/login.c
index 80d287d97..84d8b1bdb 100644
--- a/login-utils/login.c
+++ b/login-utils/login.c
@@ -761,7 +761,7 @@ static pam_handle_t *init_loginpam(struct login_context *cxt)
 
 static void loginpam_auth(struct login_context *cxt)
 {
-	int rc, failcount = 0, show_unknown;
+	int rc, failcount = 0, show_unknown, retries;
 	const char *hostname = cxt->hostname ? cxt->hostname :
 			       cxt->tty_name ? cxt->tty_name : "<unknown>";
 	pam_handle_t *pamh = cxt->pamh;
@@ -770,17 +770,18 @@ static void loginpam_auth(struct login_context *cxt)
 	loginpam_get_username(pamh, &cxt->username);
 
 	show_unknown = getlogindefs_bool("LOG_UNKFAIL_ENAB", 0);
+	retries = getlogindefs_num("LOGIN_RETRIES", LOGIN_MAX_TRIES);
 
 	/*
 	 * There may be better ways to deal with some of these conditions, but
 	 * at least this way I don't think we'll be giving away information...
 	 *
 	 * Perhaps someday we can trust that all PAM modules will pay attention
-	 * to failure count and get rid of MAX_LOGIN_TRIES?
+	 * to failure count and get rid of LOGIN_MAX_TRIES?
 	 */
 	rc = pam_authenticate(pamh, 0);
 
-	while ((failcount++ < LOGIN_MAX_TRIES) &&
+	while ((++failcount < retries) &&
 	       ((rc == PAM_AUTH_ERR) ||
 		(rc == PAM_USER_UNKNOWN) ||
 		(rc == PAM_CRED_INSUFFICIENT) ||