authorKarel Zak2011-10-06 00:30:45 +0200
committerKarel Zak2011-10-26 23:17:17 +0200
commitcea8ec53de95a08d2503706f40d8dfafc14a15e8 (patch)
treefc0956d004dc14adbd1f625fa73f79f2b9990330 /login-utils
parentlogin: use DEFAULT_HOME from login.defs (diff)
login: use LOG_UNKFAIL_ENAB from login.defs, improve logging
Signed-off-by: Karel Zak <kzak@redhat.com>
Diffstat (limited to 'login-utils')
-rw-r--r--login-utils/login.19
-rw-r--r--login-utils/login.c29
2 files changed, 31 insertions, 7 deletions
diff --git a/login-utils/login.1 b/login-utils/login.1
index ca7c4b3a4..948177c81 100644
--- a/login-utils/login.1
+++ b/login-utils/login.1
@@ -182,7 +182,14 @@ Indicate if login is allowed if we can\'t cd to the home directory. If set to
\fIyes\fR, the user will login in the root (/) directory if it is not possible
to cd to her home directory. The default value is 'yes'.
.RE
-
+.PP
+\fBLOG_UNKFAIL_ENAB\fR (boolean)
+.RS 4
+Enable display of unknown usernames when login failures are recorded\&.
+.sp
+Note that logging unknown usernames may be a security issue if an user enter
+her password instead of her login name.
+.RE
.SH FILES
.nf
.I /var/run/utmp
diff --git a/login-utils/login.c b/login-utils/login.c
index c9ae19f63..e44aa5fc6 100644
--- a/login-utils/login.c
+++ b/login-utils/login.c
@@ -711,12 +711,16 @@ static pam_handle_t *init_loginpam(struct login_context *cxt)
static void loginpam_auth(struct login_context *cxt)
{
- int rc, failcount = 0;
+ int rc, failcount = 0, show_unknown;
+ const char *hostname = cxt->hostname ? cxt->hostname :
+ cxt->tty_name ? cxt->tty_name : "<unknown>";
pam_handle_t *pamh = cxt->pamh;
/* if we didn't get a user on the command line, set it to NULL */
loginpam_get_username(pamh, &cxt->username);
+ show_unknown = getlogindefs_bool("LOG_UNKFAIL_ENAB", 0);
+
/*
* There may be better ways to deal with some of these conditions, but
* at least this way I don't think we'll be giving away information...
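Review bot: The two fallback sentinels introduced here are spelled differently — `"<unknown>"` for the host in the `hostname` initializer and `"(unknown)"` for the user in the syslog calls of the following hunks — so anything that parses these NOTICE lines has to match both forms; using one spelling for both keeps the log format uniform. The `hostname` initializer also silently substitutes the tty name when no remote host is known, which the unchanged `FROM %s` text then reports as if it were a host, and the nested unparenthesised ternary is hard to read; parenthesising it or a one-line comment such as `/* no remote host: log the local tty instead */` would make the substitution visible. The `0` default passed to `getlogindefs_bool("LOG_UNKFAIL_ENAB", 0)` is the security-relevant choice (unknown usernames are dropped from failure logs unless the option is explicitly enabled), but neither the call site nor the new login.1 entry states it — the entry just above it in the man page ends with "The default value is 'yes'", so the new entry should end with a matching default sentence. loginpam_auth continues past the end of this hunk.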
@@ -732,11 +736,19 @@ static void loginpam_auth(struct login_context *cxt)
(rc == PAM_CRED_INSUFFICIENT) ||
(rc == PAM_AUTHINFO_UNAVAIL))) {
- loginpam_get_username(pamh, &cxt->username);
+ if (rc == PAM_USER_UNKNOWN && !show_unknown)
+ /*
+ * logging unknown usernames may be a security issue if
+ * an user enter her password instead of her login name
+ */
+ cxt->username = NULL;
+ else
+ loginpam_get_username(pamh, &cxt->username);
syslog(LOG_NOTICE,
_("FAILED LOGIN %d FROM %s FOR %s, %s"),
- failcount, cxt->hostname, cxt->username,
+ failcount, hostname,
+ cxt->username ? cxt->username : "(unknown)",
pam_strerror(pamh, rc));
log_btmp(cxt);
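Review bot: When `rc == PAM_USER_UNKNOWN` and LOG_UNKFAIL_ENAB is off, `cxt->username` is NULL at the `log_btmp(cxt)` call on the last line of this hunk, and this commit does not change log_btmp; if it copies `cxt->username` into the btmp record with a str* call that is a NULL dereference, so either confirm it already substitutes a placeholder or give it the same `"(unknown)"` fallback used in the syslog calls. The security comment sits between the unbraced `if` and its single statement, which is easy to misread and fragile under later edits; bracing both branches and keeping the comment inside the first keeps the intent attached to the code. The same check is repeated in the next hunk without the comment, so a small static helper that returns the username to log for a given rc would keep the two sites in sync. The enclosing loginpam_auth starts before and ends after this hunk.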
@@ -750,17 +762,22 @@ static void loginpam_auth(struct login_context *cxt)
if (is_pam_failure(rc)) {
- loginpam_get_username(pamh, &cxt->username);
+ if (rc == PAM_USER_UNKNOWN && !show_unknown)
+ cxt->username = NULL;
+ else
+ loginpam_get_username(pamh, &cxt->username);
if (rc == PAM_MAXTRIES)
syslog(LOG_NOTICE,
_("TOO MANY LOGIN TRIES (%d) FROM %s FOR %s, %s"),
- failcount, cxt->hostname, cxt->username,
+ failcount, hostname,
+ cxt->username ? cxt->username : "(unknown)",
pam_strerror(pamh, rc));
else
syslog(LOG_NOTICE,
_("FAILED LOGIN SESSION FROM %s FOR %s, %s"),
- cxt->hostname, cxt->username,
+ hostname,
+ cxt->username ? cxt->username : "(unknown)",
pam_strerror(pamh, rc));
log_btmp(cxt);