version 1.36, 2001/05/29 21:39:26 |
version 1.37, 2001/06/19 16:21:49 |
|
|
#define TTYGRPNAME "tty" /* name of group to own ttys */ |
#define TTYGRPNAME "tty" /* name of group to own ttys */ |
|
|
/* |
/* |
* This bounds the time given to login. Not a define so it can |
* This bounds the time given to login; may be overridden by /etc/login.conf. |
* be patched on machines where it's too small. |
|
* XXX - should be a login.conf variable! |
|
*/ |
*/ |
u_int timeout = 300; |
u_int timeout = 300; |
|
|
|
|
quad_t expire, warning; |
quad_t expire, warning; |
uid_t uid; |
uid_t uid; |
int ask, ch, cnt, fflag, pflag, quietlog, rootlogin, lastchance; |
int ask, ch, cnt, fflag, pflag, quietlog, rootlogin, lastchance; |
int error, homeless, needto, authok; |
int error, homeless, needto, authok, tries, backoff; |
char *domain, *p, *ttyn, *shell, *fullname, *instance; |
char *domain, *p, *ttyn, *shell, *fullname, *instance; |
char *lipaddr, *script, *ripaddr, *style, *type, *fqdn, *copyright; |
char *lipaddr, *script, *ripaddr, *style, *type, *fqdn, *copyright; |
char tbuf[MAXPATHLEN + 2], tname[sizeof(_PATH_TTY) + 10]; |
char tbuf[MAXPATHLEN + 2], tname[sizeof(_PATH_TTY) + 10]; |
|
|
|
|
openlog("login", LOG_ODELAY, LOG_AUTH); |
openlog("login", LOG_ODELAY, LOG_AUTH); |
|
|
fqdn = lipaddr = ripaddr = fullname = NULL; |
fqdn = lipaddr = ripaddr = fullname = type = NULL; |
|
authok = 0; |
|
tries = 10; |
|
backoff = 3; |
|
|
/* |
/* |
* Since login deals with sensitive information, turn off coredumps. |
* Since login deals with sensitive information, turn off coredumps. |
|
|
warnx("Failure to retrieve default class"); |
warnx("Failure to retrieve default class"); |
quickexit(1); |
quickexit(1); |
} |
} |
|
timeout = (u_int)login_getcapnum(lc, "login-timeout", 300, 300); |
if ((script = login_getcapstr(lc, "classify", NULL, NULL)) != NULL) { |
if ((script = login_getcapstr(lc, "classify", NULL, NULL)) != NULL) { |
unsetenv("AUTH_TYPE"); |
unsetenv("AUTH_TYPE"); |
unsetenv("REMOTE_NAME"); |
unsetenv("REMOTE_NAME"); |
|
|
} |
} |
|
|
lc = login_getclass(pwd ? pwd->pw_class : NULL); |
lc = login_getclass(pwd ? pwd->pw_class : NULL); |
|
|
if (!lc) |
if (!lc) |
goto failed; |
goto failed; |
|
|
style = login_getstyle(lc, style, type); |
style = login_getstyle(lc, style, type); |
|
|
if (!style) |
if (!style) |
goto failed; |
goto failed; |
|
|
/* |
/* |
|
* We allow "login-tries" attempts to login but start |
|
* slowing down after "login-backoff" attempts. |
|
*/ |
|
tries = (int)login_getcapnum(lc, "login-tries", 10, 10); |
|
backoff = (int)login_getcapnum(lc, "login-backoff", 3, 3); |
|
|
|
/* |
* Turn off the fflag if we have an an invalid user |
* Turn off the fflag if we have an an invalid user |
* or we are not root and we are trying to change uids. |
* or we are not root and we are trying to change uids. |
*/ |
*/ |
|
|
failures++; |
failures++; |
if (pwd) |
if (pwd) |
log_failedlogin(pwd->pw_uid, hostname, rusername, tty); |
log_failedlogin(pwd->pw_uid, hostname, rusername, tty); |
/* we allow 10 tries, but after 3 we start backing off */ |
/* |
/* XXX - should be configurable */ |
* By default, we allow 10 tries, but after 3 we start |
if (++cnt > 3) { |
* backing off to slow down password guessers. |
if (cnt >= 10) { |
*/ |
|
if (++cnt > backoff) { |
|
if (cnt >= tries) { |
badlogin(username); |
badlogin(username); |
sleepexit(1); |
sleepexit(1); |
} |
} |
sleep((u_int)((cnt - 3) * 5)); |
sleep((u_int)((cnt - backoff) * tries / 2)); |
} |
} |
} |
} |
|
|
|
|
int signo; |
int signo; |
{ |
{ |
(void)fprintf(stderr, "Login timed out after %d seconds\n", timeout); |
(void)fprintf(stderr, "Login timed out after %d seconds\n", timeout); |
|
if (username) |
|
badlogin(username); |
exit(0); |
exit(0); |
} |
} |
|
|
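Review bot: The new `login-tries` and `login-backoff` values are cast to int and used in the failure path with no range check, and the `cnt >= tries` test is still nested inside `if (++cnt > backoff)`. If login.conf sets backoff equal to or above tries, the attempt limit only takes effect once cnt passes backoff and the delay is never applied; a negative or very large value makes `(cnt - backoff) * tries / 2` negative or overflow before the u_int cast. The `login-timeout` assignment earlier in the section has the same unchecked cast, and a zero there would presumably disable the timer if the value is passed to alarm(), which is not visible here. I would clamp the values right after reading them (an upper bound on tries is worth choosing too) and test the attempt limit before the backoff branch rather than inside it, as sketched below. The enclosing function starts and ends outside the visible lines.

```c
tries = (int)login_getcapnum(lc, "login-tries", 10, 10);
backoff = (int)login_getcapnum(lc, "login-backoff", 3, 3);
/* Reject nonsensical login.conf values instead of trusting the cast. */
if (tries < 1)
	tries = 10;
if (backoff < 0)
	backoff = 0;

/* … unchanged: fflag handling, authentication attempt, log_failedlogin … */

/* Enforce the attempt limit independently of the backoff threshold. */
if (++cnt >= tries) {
	badlogin(username);
	sleepexit(1);
}
if (cnt > backoff)
	sleep((u_int)((cnt - backoff) * tries / 2));
```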