In shadow-4.1.5.1/src/login.c, which reads /etc/login.defs for FAILLOG_ENAB:

#ifndef USE_PAM
                motd ();        /* print the message of the day */
                if (   getdef_bool ("FAILLOG_ENAB")
                    && (0 != faillog.fail_cnt)) {
                        failprint (&faillog);
                        /* Reset the lockout times if logged in */
                        if (   (0 != faillog.fail_max)
                            && (faillog.fail_cnt >= faillog.fail_max)) {
                                (void) puts (_("Warning: login re-enabled after temporary lockout."));
                                SYSLOG ((LOG_WARN,
                                         "login '%s' re-enabled after temporary lockout (%d failures)",
                                         username, (int) faillog.fail_cnt));
                        }
                }
etc...

Does anyone know why this segment of code is unused when USE_PAM is defined?




On Sunday, 10 November 2013 at 23:18, Max B <txtmb@yahoo.fr> wrote:

PS:

http://pkg-shadow.alioth.debian.org/coverage/shadow-4.1.5.1/libmisc/failure.c.gcov.frameset.html

The string appears to be in the 'shadow' system.

Has the failure.c file been removed or modified from Debian?




On Sunday, 10 November 2013 at 22:02, Max B <txtmb@yahoo.fr> wrote:

Thanks for the reply, Andy.

I just checked http://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html, specifically sec 4.11.*

** Please note that SULOG_FILE is mentioned NOWHERE in that document, and ought to be in 4.11.3.

The different behaviour of Debian 5.0 and 7, as mentioned earlier in the thread, is mentioned nowhere that I could see.

Debian 5.0 announces upon login that
%d failure since last login
where %d >0; else no notification

Debian 7 does not check this information, AFAIK.

I managed to grep a mention of "pam_lastlog.so" in /etc/pam.d/login, but this appears not to function as above in Debian 5.0, so I am mystified as to how Debian 5.0 is able to report on the number of failures since last login.

The sections of /etc/login.defs regarding "btmp" are identical in Debian 5.0 and Debian 7, so it isn't that.

There are some changes (additions) to the /etc/pam.d/common-* files, but you'd need to be an expert in PAM, which I'm not.

It shouldn't be this difficult to add '%d failure since last login' right before the motd to Debian 7, but I'm afraid it is for me.

Cheers




On Sunday, 10 November 2013 at 20:17, Andy Smith <andy@bitfolk.com> wrote:
Hello Max,

On Sun, Nov 10, 2013 at 07:11:33PM +0000, Max B wrote:
> I just noticed (and was perturbed by) the fact that, under Debian 7, the number of failures since last login is unavailable at the login.
>
> The default under Debian 5.0 seems to have been set to report the number of failures since last login (if there were any).

I haven't really noticed the difference. Does section 4.11.3 of this
not cover it then?

    http://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html


Cheers,

Andy

--
http://bitfolk.com/ -- No-nonsense VPS hosting

_______________________________________________
users mailing list
users@lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users



