From fab1f6717e5b90755dd30dd37eceec3d14526ee6 Mon Sep 17 00:00:00 2001
From: Karel Zak
Date: Fri, 10 Feb 2012 14:47:59 +0100
Subject: [PATCH] login: add LOGIN_RETRIES, cleanup retries check code
Signed-off-by: Karel Zak
---
 login-utils/login.1 | 5 +++++
 login-utils/login.c | 7 ++++---
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/login-utils/login.1 b/login-utils/login.1
index d5d372d88b..26cd951acf 100644
--- a/login-utils/login.1
+++ b/login-utils/login.1
@@ -150,6 +150,11 @@ PAM module.
 Max time in seconds for login. The default value is 60.
 .RE
 .PP
+\fBLOGIN_RETRIES\fR (number)
+.RS 4
+Maximum number of login retries in case of bad password.
+.RE
+.PP
 \fBFAIL_DELAY\fR (number)
 .RS 4
 Delay in seconds before being allowed another three tries after a login
diff --git a/login-utils/login.c b/login-utils/login.c
index 80d287d97c..84d8b1bdbc 100644
--- a/login-utils/login.c
+++ b/login-utils/login.c
@@ -761,7 +761,7 @@ static pam_handle_t *init_loginpam(struct login_context *cxt)
 static void loginpam_auth(struct login_context *cxt)
 {
- int rc, failcount = 0, show_unknown;
+ int rc, failcount = 0, show_unknown, retries;
 const char *hostname = cxt->hostname ? cxt->hostname : cxt->tty_name ? cxt->tty_name : "";
 pam_handle_t *pamh = cxt->pamh;
@@ -770,17 +770,18 @@ static void loginpam_auth(struct login_context *cxt)
 loginpam_get_username(pamh, &cxt->username);
 show_unknown = getlogindefs_bool("LOG_UNKFAIL_ENAB", 0);
+ retries = getlogindefs_num("LOGIN_RETRIES", LOGIN_MAX_TRIES);
 /*
 * There may be better ways to deal with some of these conditions, but
 * at least this way I don't think we'll be giving away information...
 *
 * Perhaps someday we can trust that all PAM modules will pay attention
- * to failure count and get rid of MAX_LOGIN_TRIES?
+ * to failure count and get rid of LOGIN_MAX_TRIES?
 */
 rc = pam_authenticate(pamh, 0);
- while ((failcount++ < LOGIN_MAX_TRIES) &&
+ while ((++failcount < retries) &&
 ((rc == PAM_AUTH_ERR) ||
 (rc == PAM_USER_UNKNOWN) ||
 (rc == PAM_CRED_INSUFFICIENT) ||
--
2.47.2
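Review bot: The value read into `retries` from `LOGIN_RETRIES` goes straight into the loop condition with no range check, so a zero or negative setting disables retries entirely and a very large one removes the per-session cap on password attempts that `LOGIN_MAX_TRIES` used to enforce. If the compiled-in limit is meant to stay a ceiling, clamp right after the read, e.g. `if (retries < 1 || retries > LOGIN_MAX_TRIES) retries = LOGIN_MAX_TRIES;`, ideally with a syslog notice when the configured value is rejected. The prototype of `getlogindefs_num()` is not visible here; if it returns a type wider than `int`, the assignment can also truncate or go negative. Assuming the loop body re-authenticates once per iteration, `++failcount < retries` makes the setting count total attempts including the first `pam_authenticate()` call, one fewer than the old `failcount++ < LOGIN_MAX_TRIES` allowed, so the login.1 wording "Maximum number of login retries" should state which is meant. The loop body and the code after it lie outside this hunk, so any later use of `failcount` should be checked against the new counting.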