-rw-r--r-- | login-utils/login.1 | 5 | ||||
-rw-r--r-- | login-utils/login.c | 7 |
2 files changed, 9 insertions, 3 deletions
diff --git a/login-utils/login.1 b/login-utils/login.1
index d5d372d88..26cd951ac 100644
--- a/login-utils/login.1
+++ b/login-utils/login.1
@@ -150,6 +150,11 @@ PAM module.
 Max time in seconds for login. The default value is 60.
 .RE
 .PP
+\fBLOGIN_RETRIES\fR (number)
+.RS 4
+Maximum number of login retries in case of bad password.
+.RE
+.PP
 \fBFAIL_DELAY\fR (number)
 .RS 4
 Delay in seconds before being allowed another three tries after a login
diff --git a/login-utils/login.c b/login-utils/login.c
index 80d287d97..84d8b1bdb 100644
--- a/login-utils/login.c
+++ b/login-utils/login.c
@@ -761,7 +761,7 @@ static pam_handle_t *init_loginpam(struct login_context *cxt)
 static void loginpam_auth(struct login_context *cxt)
 {
- int rc, failcount = 0, show_unknown;
+ int rc, failcount = 0, show_unknown, retries;
 const char *hostname = cxt->hostname ? cxt->hostname : cxt->tty_name ? cxt->tty_name : "<unknown>";
 pam_handle_t *pamh = cxt->pamh;
@@ -770,17 +770,18 @@ static void loginpam_auth(struct login_context *cxt)
 loginpam_get_username(pamh, &cxt->username);
 show_unknown = getlogindefs_bool("LOG_UNKFAIL_ENAB", 0);
+ retries = getlogindefs_num("LOGIN_RETRIES", LOGIN_MAX_TRIES);
 /*
 * There may be better ways to deal with some of these conditions, but
 * at least this way I don't think we'll be giving away information...
 *
 * Perhaps someday we can trust that all PAM modules will pay attention
- * to failure count and get rid of MAX_LOGIN_TRIES?
+ * to failure count and get rid of LOGIN_MAX_TRIES?
 */
 rc = pam_authenticate(pamh, 0);
- while ((failcount++ < LOGIN_MAX_TRIES) &&
+ while ((++failcount < retries) &&
 ((rc == PAM_AUTH_ERR) ||
 (rc == PAM_USER_UNKNOWN) ||
 (rc == PAM_CRED_INSUFFICIENT) || |
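Review bot: `retries = getlogindefs_num("LOGIN_RETRIES", LOGIN_MAX_TRIES);` stores an administrator-supplied number in an `int` with no range check, and that value is now the only bound on the authentication loop. With `++failcount < retries`, a setting of 0 or 1 (or a large value that narrows to a negative `int`, if the helper returns a wider type, which is not visible here) means the retry loop is never entered, while a very large setting effectively removes the per-session cap on password attempts and leaves throttling to FAIL_DELAY and the PAM stack. I would bound the value right after the read, e.g. `if (retries < 1) retries = LOGIN_MAX_TRIES;`, and decide on an upper limit as well. The switch from `failcount++ < LOGIN_MAX_TRIES` to `++failcount < retries` also appears to admit one fewer pass through the loop for the same limit, so the default behaviour changes; the login.1 entry added in the first hunk should state the default and whether the count includes the first attempt. The loop body lies outside the hunk, so how `failcount` is used there cannot be checked from here.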