Pluggable Authentication Modules

Andy Armstrong | 1 Jan 2005 22:32

Is this a reasonable approach?

Hi folks and happy new year,

I'm writing a PAM module that will allow me to reject connections from 
remote hosts that have been responsible a large number of failed login 
attempts. I've pretty much got working code but I'm agonising over the 
best way to log failed attempts.

I can get something working by flagging a request as potentially failed 
during auth processing and then clearing that flag if we get as far as 
session processing. I'd use pam_set_data() effectively for the side 
effect of giving me a callback to the cleanup routine which is where I'd 
actually record the success or failure of the login attempt (in a DBM 
database).

I assume that'll work in which case it'll scratch my immediate itch but 
I also assume that it's not the cleanest way to detect a failed auth 
attempt. Can anyone recommend a nicer approach?

--

-- 
Andy Armstrong

William.Cormack | 2 Jan 2005 18:05

William Cormack/FRB07 is out of the office.

I will be out of the office starting  12/31/2004 and will not return until
01/03/2005.

I will respond to your message when I return.

Andy Armstrong | 3 Jan 2005 22:05

Re: Is this a reasonable approach?

Andy Armstrong wrote:
> Hi folks and happy new year,
> 
> I'm writing a PAM module that will allow me to reject connections from 
> remote hosts that have been responsible a large number of failed login 
> attempts. I've pretty much got working code but I'm agonising over the 
> best way to log failed attempts.
> 
> I can get something working by flagging a request as potentially failed 
> during auth processing and then clearing that flag if we get as far as 
> session processing. I'd use pam_set_data() effectively for the side 
> effect of giving me a callback to the cleanup routine which is where I'd 
> actually record the success or failure of the login attempt (in a DBM 
> database).
> 
> I assume that'll work in which case it'll scratch my immediate itch but 
> I also assume that it's not the cleanest way to detect a failed auth 
> attempt. Can anyone recommend a nicer approach?

The module is complete and working now. It successfully rejects auth 
attempts from hosts that are responsible for excessive authentication 
failures according to a configurable set of rules.

It still needs to function both as an auth and a session module to find 
out whether authentication was ultimately successful so you end up with 
a config like this (this is my /etc/pam.d/system-auth):

auth        required      /lib/security/$ISA/pam_abl.so \
                                       config=/etc/pam_abl.conf
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok

(Continue reading)

Digant C Kasundra | 3 Jan 2005 22:23

Picon

Re: Is this a reasonable approach?

That's exciting!  I'm definately interested in giving it a try.  Where
can I get it at?

On Mon, 2005-01-03 at 15:05, Andy Armstrong wrote:
> Andy Armstrong wrote:
> > Hi folks and happy new year,
> > 
> > I'm writing a PAM module that will allow me to reject connections from 
> > remote hosts that have been responsible a large number of failed login 
> > attempts. I've pretty much got working code but I'm agonising over the 
> > best way to log failed attempts.
> > 
> > I can get something working by flagging a request as potentially failed 
> > during auth processing and then clearing that flag if we get as far as 
> > session processing. I'd use pam_set_data() effectively for the side 
> > effect of giving me a callback to the cleanup routine which is where I'd 
> > actually record the success or failure of the login attempt (in a DBM 
> > database).
> > 
> > I assume that'll work in which case it'll scratch my immediate itch but 
> > I also assume that it's not the cleanest way to detect a failed auth 
> > attempt. Can anyone recommend a nicer approach?
> 
> The module is complete and working now. It successfully rejects auth 
> attempts from hosts that are responsible for excessive authentication 
> failures according to a configurable set of rules.
> 
> It still needs to function both as an auth and a session module to find 
> out whether authentication was ultimately successful so you end up with 
> a config like this (this is my /etc/pam.d/system-auth):

(Continue reading)

Andy Armstrong | 3 Jan 2005 22:26

Re: Is this a reasonable approach?

Digant C Kasundra wrote:

> That's exciting!  I'm definately interested in giving it a try.  Where
> can I get it at?

Well if you want to try it right now I'll knock together some quick 
instructions and mail it to you :)

--

-- 
Andy Armstrong

Jason DiCioccio | 3 Jan 2005 23:31

Picon

Re: Is this a reasonable approach?

Andy,

On Mon, 03 Jan 2005 21:26:00 +0000, Andy Armstrong <andy <at> hexten.net> wrote:
> Digant C Kasundra wrote:
> 
> > That's exciting!  I'm definately interested in giving it a try.  Where
> > can I get it at?
> 
> Well if you want to try it right now I'll knock together some quick
> instructions and mail it to you :)

I'd love a copy as well if you could 

Thanks!
-JD-

Andy Armstrong | 3 Jan 2005 23:37

Re: Is this a reasonable approach?

Jason DiCioccio wrote:
>>Well if you want to try it right now I'll knock together some quick
>>instructions and mail it to you :)
> 
> I'd love a copy as well if you could 

Aha! Unexpected demand :)

I'm just writing a command line tool that lets you inspect and modify 
the status of failed login attempts. I should have that done in an hour 
or so. Then sleep I think, but tomorrow morning (UK time) I'll write 
some documentation and get the code out to you.

--

-- 
Andy Armstrong

Digant C Kasundra | 3 Jan 2005 23:48

Picon

Re: Is this a reasonable approach?

Look forward to it.  I'm also told that the pam_laus stuff might already
do something similar.  Can anyone elaborate on that module?

On Mon, 2005-01-03 at 16:37, Andy Armstrong wrote:
> Jason DiCioccio wrote:
> >>Well if you want to try it right now I'll knock together some quick
> >>instructions and mail it to you :)
> > 
> > I'd love a copy as well if you could 
> 
> Aha! Unexpected demand :)
> 
> I'm just writing a command line tool that lets you inspect and modify 
> the status of failed login attempts. I should have that done in an hour 
> or so. Then sleep I think, but tomorrow morning (UK time) I'll write 
> some documentation and get the code out to you.

Tomas Mraz | 4 Jan 2005 09:54

Picon

Re: Is this a reasonable approach?

On Mon, 2005-01-03 at 21:05 +0000, Andy Armstrong wrote:

> If anyone can give me any insight as to how to avoid the need to the 
> session hook I'd be gratful.

If you look at the pam_tally module - it actually works similarly.
However it uses account phase for that instead. The problem is that some
applications can theoretically avoid to use the session phase if they
don't create a session. Maybe you could call this functionality from
pam_sm_acct_mgmt too and leave it on the user to which phase he wants to
put it.

There is probably no way how to avoid the session hook. You could also
use cleanup function on pam module data because this function has
parameter with the final success/failure code, but it's called after the
session is closed and the program can exit (due to program's error or
kill) and don't call pam_end before that.

--

-- 
Tomas Mraz <tmraz <at> redhat.com>

Andy Armstrong | 4 Jan 2005 10:15

Re: Is this a reasonable approach?

Tomas Mraz wrote:
>>If anyone can give me any insight as to how to avoid the need to the 
>>session hook I'd be gratful.
> 
> If you look at the pam_tally module - it actually works similarly.
> However it uses account phase for that instead. The problem is that some
> applications can theoretically avoid to use the session phase if they
> don't create a session. Maybe you could call this functionality from
> pam_sm_acct_mgmt too and leave it on the user to which phase he wants to
> put it.

Ah yes - that sounds more sensible, thanks.

> There is probably no way how to avoid the session hook. You could also
> use cleanup function on pam module data because this function has
> parameter with the final success/failure code, but it's called after the
> session is closed and the program can exit (due to program's error or
> kill) and don't call pam_end before that.

Ah, the cleanup hook. I think that would do the trick thanks. I don't 
think the case where the program dies without the cleanup happening is 
too much of a problem for me so that could be the answer, thanks.

I'll make some changes to the code and run the tests again and then make 
a release. Thanks for the help.

--

-- 
Andy Armstrong

Group

gmane.linux.pam.

Search Archive

Page

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9

Articles in period: 82

January 2005

Language

Change language

Options

Current view: Threads only / Showing only 20 lines / Not hiding cited text.
Change to All messages, whole messages, or hide cited text.

Post a message
NNTP Newsgroup
Classic Gmane web interface
XML

XML

RSS Feed
List Information

About Gmane

Recent entries

managing the /etc/pam.d files (23 May 2013)
Differences in Conversation function between distributions? (30 Apr 2013)
Question about 'session' in pam w/rt pam_env.so (22 Apr 2013)
changing password prompt (22 Mar 2013)
are there "session IDs"? (19 Mar 2013)
pam modules and setuid actions (12 Mar 2013)
pam modules and setuid actions (12 Mar 2013)
Using PAM in setuid processes (24 Jan 2013)
Can I set the user to authenticate as? (8 Jan 2013)
Can I set the user to authenticate as? (5 Jan 2013)
dlopen not able to open shared object file, even though it is existing (8 Dec 2012)
shared library loading flags (6 Dec 2012)
pam-1.1.1-10.el6_2.1.x86_64 and pam_tty_audit (21 Nov 2012)
How can I know the PAM version? (6 Nov 2012)
Get the service which succeeds. (22 Sep 2012)
Get access to my pictures and more (20 Sep 2012)
..:: VSFTP - PAM - RADIUS ::.. (18 Sep 2012)
mod_auth_pam and httpd 2.4.2 (12 Sep 2012)
Pam_access and netgroups (27 Aug 2012)
pam_unix.so and unix_chkpw setgid - does it work for regular users? (2 Aug 2012)
libpam-ldapd and group restriction (6 Jul 2012)

Archives

3	May 2013
2	April 2013
11	March 2013
6	January 2013
6	December 2012
121	November 2012
7	September 2012
7	August 2012
1	July 2012
1	June 2012
2	April 2012
9	March 2012
8	January 2012
15	December 2011
15	November 2011
21	October 2011
7	September 2011
7	August 2011
21	July 2011
14	June 2011
7	May 2011
1	April 2011
6	March 2011
4	February 2011
10	January 2011
21	December 2010
3	November 2010
7	October 2010
1	August 2010
9	July 2010
18	June 2010
11	May 2010
1	April 2010
7	March 2010
14	February 2010
7	January 2010
14	December 2009
3	November 2009
32	October 2009
7	September 2009
36	August 2009
33	July 2009
14	June 2009
5	May 2009
23	April 2009
30	March 2009
23	February 2009
14	January 2009
6	December 2008
21	November 2008
44	October 2008
23	September 2008
4	August 2008
33	July 2008
48	June 2008
24	May 2008
43	April 2008
27	March 2008
18	February 2008
21	January 2008
35	December 2007
38	November 2007
35	October 2007
66	September 2007
39	August 2007
37	July 2007
24	June 2007
15	May 2007
44	April 2007
62	March 2007
20	February 2007
24	January 2007
21	December 2006
19	November 2006
19	October 2006
27	September 2006
14	August 2006
30	July 2006
14	June 2006
32	May 2006
29	April 2006
20	March 2006
30	February 2006
59	January 2006
24	December 2005
29	November 2005
79	October 2005
35	September 2005
12	August 2005
24	July 2005
27	June 2005
24	May 2005
29	April 2005
29	March 2005
44	February 2005
82	January 2005
25	December 2004
64	November 2004
53	October 2004
74	September 2004
45	August 2004
31	July 2004
83	June 2004
66	May 2004
28	April 2004
41	March 2004
70	February 2004
22	January 2004
54	December 2003
29	November 2003
47	October 2003
89	September 2003
44	August 2003
56	July 2003
34	June 2003
85	May 2003
93	April 2003
65	March 2003
84	February 2003
56	January 2003
77	December 2002
51	November 2002
30	October 2002
59	September 2002
76	August 2002
71	July 2002
80	June 2002
112	May 2002
80	April 2002
31	March 2002
1	February 2002

Design

Zawodny | Right Menu | Left Menu

Your Own Design

Paste the URL of your CSS below. Download CSS template