From: Hemmo Nieminen <hemmo.niemi...@kone.com>

Support increasing delays after invalid login attempts even when not
using PAM. Use libbb's tally to count invalid login attempts and increase
the length of the pause after each invalid login attempt accordingly. Reset
the pause length upon successful login.

Signed-off-by: Hemmo Nieminen <hemmo.niemi...@kone.com>
---
 include/libbb.h      |  7 ++++++-
 libbb/bb_do_delay.c  | 32 +++++++++++++++++++++-----------
 loginutils/login.c   |  5 ++++-
 loginutils/passwd.c  |  2 +-
 loginutils/su.c      |  2 +-
 loginutils/sulogin.c |  2 +-
 loginutils/vlock.c   |  2 +-
 7 files changed, 35 insertions(+), 17 deletions(-)

diff --git a/include/libbb.h b/include/libbb.h
index 6880480e0..b565fd2c0 100644
--- a/include/libbb.h
+++ b/include/libbb.h
@@ -1636,7 +1636,12 @@ char *bb_simplify_path(const char *path) FAST_FUNC;
 /* Returns ptr to NUL */
 char *bb_simplify_abs_path_inplace(char *path) FAST_FUNC;
 
-void pause_after_failed_login(void) FAST_FUNC;
+void pause_after_failed_login(char const *tty) FAST_FUNC;
+#if ENABLE_FEATURE_TALLY
+void pause_reset_after_successful_login(char const *tty) FAST_FUNC;
+#else
+#define pause_reset_after_successful_login(...)
+#endif
 void bb_do_delay(unsigned seconds) FAST_FUNC;
 void msleep(unsigned ms) FAST_FUNC;
 void sleep1(void) FAST_FUNC;
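Review bot: The no-op fallback `#define pause_reset_after_successful_login(...)` discards its argument without evaluating or type-checking it, so a wrong argument at a call site compiles silently whenever FEATURE_TALLY is off. A fixed-arity stub such as `#define pause_reset_after_successful_login(tty) ((void)0)` keeps the call a well-formed statement. The new `tty` parameter is also undocumented; the prototypes should carry a comment like `/* tty: name passed to the login tally; NULL skips the tally and uses the fixed delay */`, which matches how bb_do_delay.c and the callers in this patch use it.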
diff --git a/libbb/bb_do_delay.c b/libbb/bb_do_delay.c
index 9a84fa24b..a63de083c 100644
--- a/libbb/bb_do_delay.c
+++ b/libbb/bb_do_delay.c
@@ -12,21 +12,31 @@
 
 #ifndef LOGIN_FAIL_DELAY
 #define LOGIN_FAIL_DELAY 3
+#define LOGIN_TALLY_PATH "/tmp/.login_tally"
 #endif
-void FAST_FUNC pause_after_failed_login(void)
+
+#if ENABLE_FEATURE_TALLY
+void FAST_FUNC pause_reset_after_successful_login(char const *tty)
 {
-#if 0 /* over-engineered madness */
-       time_t end, diff;
+       if (tty)
+               bb_tally_reset(LOGIN_TALLY_PATH, tty);
+}
+#endif
 
-       end = time(NULL) + LOGIN_FAIL_DELAY;
-       diff = LOGIN_FAIL_DELAY;
-       do {
-               sleep(diff);
-               diff = end - time(NULL);
-       } while (diff > 0);
-#else
-       sleep(LOGIN_FAIL_DELAY);
+void FAST_FUNC pause_after_failed_login(char const *tty)
+{
+#if ENABLE_FEATURE_TALLY
+       if (tty) {
+               int mult = bb_tally_add(LOGIN_TALLY_PATH, tty);
+
+               if (mult > 1) {
+                       sleep(LOGIN_FAIL_DELAY * mult);
+                       return;
+               }
+       }
 #endif
+
+       sleep(LOGIN_FAIL_DELAY);
 }
 
 void FAST_FUNC sleep1(void)
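Review bot: The escalating delay has no upper bound, and its state lives at a fixed name in world-writable /tmp. `sleep(LOGIN_FAIL_DELAY * mult)` grows with every counted failure on a tty, so the pause on that terminal can stretch until legitimate logins are effectively locked out. A local user who owns `/tmp/.login_tally` may be able to influence or clear the counts, although how `bb_tally_add` opens the file is not visible in this patch. `LOGIN_TALLY_PATH` is also defined inside the `#ifndef LOGIN_FAIL_DELAY` guard, so a build that overrides `LOGIN_FAIL_DELAY` leaves the path undefined when FEATURE_TALLY is on. I would give the path its own guard, default it to a root-owned directory, and clamp the multiplier before sleeping, as sketched below; the directory and cap value are placeholders.

```c
#ifndef LOGIN_FAIL_DELAY
#define LOGIN_FAIL_DELAY 3
#endif
#ifndef LOGIN_TALLY_PATH
/* placeholder path: use a directory only root can write, not /tmp */
#define LOGIN_TALLY_PATH "<ROOT_ONLY_STATE_DIR>/login_tally"
#endif
#ifndef LOGIN_FAIL_MAX_MULT
#define LOGIN_FAIL_MAX_MULT 10 /* placeholder cap on the delay multiplier */
#endif

/* … unchanged: pause_reset_after_successful_login … */

void FAST_FUNC pause_after_failed_login(char const *tty)
{
#if ENABLE_FEATURE_TALLY
	if (tty) {
		int mult = bb_tally_add(LOGIN_TALLY_PATH, tty);

		/* bound the pause so a run of failures cannot lock the tty out */
		if (mult > LOGIN_FAIL_MAX_MULT)
			mult = LOGIN_FAIL_MAX_MULT;
		/* … unchanged: sleep(LOGIN_FAIL_DELAY * mult) when mult > 1 … */
```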
diff --git a/loginutils/login.c b/loginutils/login.c
index 66ac7cf4c..cc90638c6 100644
--- a/loginutils/login.c
+++ b/loginutils/login.c
@@ -508,11 +508,14 @@ int login_main(int argc UNUSED_PARAM, char **argv)
                 * If we get interrupted by SIGALRM, we need to restore attrs.
                 */
                if (ask_and_check_password(pw) > 0)
+               {
+                       pause_reset_after_successful_login(full_tty);
                        break;
+               }
 #endif /* ENABLE_PAM */
  auth_failed:
                opt &= ~LOGIN_OPT_f;
-               pause_after_failed_login();
+               pause_after_failed_login(full_tty);
                /* TODO: doesn't sound like correct English phrase to me */
                puts("Login incorrect");
                syslog(LOG_WARNING, "invalid password for '%s'%s",
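Review bot: The tally reset sits inside the non-PAM branch, but the increment at `auth_failed:` comes after `#endif /* ENABLE_PAM */` and so appears to be compiled in both configurations; in a PAM build with FEATURE_TALLY the count for a tty would then only ever grow. Any other success `break` in this loop (outside the hunk, so not visible here) would skip the reset the same way. Calling `pause_reset_after_successful_login(full_tty);` once after the authentication loop, rather than at this single `break`, would cover every success path. The added brace should also follow the surrounding style, `if (ask_and_check_password(pw) > 0) {`, as vlock.c does in this same patch. login_main's body extends beyond the hunk.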
diff --git a/loginutils/passwd.c b/loginutils/passwd.c
index acc942275..f15e1355f 100644
--- a/loginutils/passwd.c
+++ b/loginutils/passwd.c
@@ -57,7 +57,7 @@ static char* new_password(const struct passwd *pw, uid_t 
myuid, const char *algo
                encrypted = pw_encrypt(orig, pw->pw_passwd, 1); /* returns 
malloced str */
                if (strcmp(encrypted, pw->pw_passwd) != 0) {
                        syslog(LOG_WARNING, "incorrect password for %s", 
pw->pw_name);
-                       pause_after_failed_login();
+                       pause_after_failed_login(NULL);
                        puts("Incorrect password");
                        goto err_ret;
                }
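Review bot: Passing a bare `NULL` here, and in the su.c, sulogin.c and vlock.c hunks, opts these password prompts out of the tally, so they keep the fixed `LOGIN_FAIL_DELAY` and repeated failures there are never counted. If that is intentional, say so at the call site, e.g. `pause_after_failed_login(NULL); /* no tty tally: fixed delay only */`. If it is not, su.c already has `tty` in scope for its syslog call and could pass it, provided a matching reset is added on success. The enclosing functions start and end outside these hunks.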
diff --git a/loginutils/su.c b/loginutils/su.c
index 784a53552..7d83757dc 100644
--- a/loginutils/su.c
+++ b/loginutils/su.c
@@ -146,7 +146,7 @@ int su_main(int argc UNUSED_PARAM, char **argv)
                if (ENABLE_FEATURE_SU_SYSLOG)
                        syslog(LOG_NOTICE, "%c %s %s:%s",
                                '-', tty, old_user, opt_username);
-               pause_after_failed_login();
+               pause_after_failed_login(NULL);
                bb_simple_error_msg_and_die("incorrect password");
        }
 
diff --git a/loginutils/sulogin.c b/loginutils/sulogin.c
index 69d8b5ec7..bc5ed2a1d 100644
--- a/loginutils/sulogin.c
+++ b/loginutils/sulogin.c
@@ -74,7 +74,7 @@ int sulogin_main(int argc UNUSED_PARAM, char **argv)
                if (r > 0) {
                        break;
                }
-               pause_after_failed_login();
+               pause_after_failed_login(NULL);
                bb_simple_info_msg("Login incorrect");
        }
 
diff --git a/loginutils/vlock.c b/loginutils/vlock.c
index 334b7d2ad..af9064f51 100644
--- a/loginutils/vlock.c
+++ b/loginutils/vlock.c
@@ -120,7 +120,7 @@ int vlock_main(int argc UNUSED_PARAM, char **argv)
                if (ask_and_check_password(pw) > 0) {
                        break;
                }
-               pause_after_failed_login();
+               pause_after_failed_login(NULL);
                puts("Incorrect password");
        }
 
-- 
2.30.2
