2N/A/*
2N/A * CDDL HEADER START
2N/A *
2N/A * The contents of this file are subject to the terms of the
2N/A * Common Development and Distribution License (the "License").
2N/A * You may not use this file except in compliance with the License.
2N/A *
2N/A * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
2N/A * or http://www.opensolaris.org/os/licensing.
2N/A * See the License for the specific language governing permissions
2N/A * and limitations under the License.
2N/A *
2N/A * When distributing Covered Code, include this CDDL HEADER in each
2N/A * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
2N/A * If applicable, add the following below this CDDL HEADER, with the
2N/A * fields enclosed by brackets "[]" replaced with your own identifying
2N/A * information: Portions Copyright [yyyy] [name of copyright owner]
2N/A *
2N/A * CDDL HEADER END
2N/A */
2N/A/*
2N/A * Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.
2N/A */
2N/A
2N/A#include <string.h>
2N/A#include <syslog.h>
2N/A#include "passwdutil.h"
2N/A
2N/Aint
2N/A__incr_failed_count(char *username, char *repname, int max_failures)
2N/A{
2N/A int ret;
2N/A void *buf;
2N/A attrlist items[1];
2N/A int repnum = name_to_int(repname);
2N/A repops_t *ops;
2N/A
2N/A /* account locking only defined for files and ldap */
2N/A if ((repnum != REP_FILES) &&
2N/A (repnum != REP_LDAP)) {
2N/A return (PWU_SUCCESS);
2N/A }
2N/A
2N/A ops = rops[repnum];
2N/A if ((ops->lock != NULL) &&
2N/A (ret = ops->lock()) != PWU_SUCCESS) {
2N/A return (ret);
2N/A }
2N/A
2N/A items[0].type = ATTR_INCR_FAILED_LOGINS;
2N/A items[0].next = NULL;
2N/A if ((ret = ops->getpwnam(username, items, NULL, &buf)) != PWU_SUCCESS) {
2N/A goto out;
2N/A }
2N/A
2N/A /* We increment the failed count by one */
2N/A if ((ret = ops->update(items, NULL, buf)) != PWU_SUCCESS) {
2N/A goto out;
2N/A }
2N/A
2N/A /* Did we just exceed "max_failures" ? */
2N/A if (max_failures != 0 &&
2N/A items[0].data.val_i >= max_failures) {
2N/A
2N/A items[0].type = ATTR_LOCK_FAILED_LOGINS;
2N/A
2N/A /*
2N/A * possible successful returns from update
2N/A * ATTR_LOCK_FAILED_LOGINS are
2N/A * PWU_SUCCESS -- locked
2N/A * PWU_NO_CHANGE -- already locked
2N/A * PWU_CHANGE_NOT_ALLOWED -- not allowed for this account
2N/A */
2N/A
2N/A if ((ret = ops->update(items, NULL, buf)) != PWU_NO_CHANGE &&
2N/A ret != PWU_CHANGE_NOT_ALLOWED) {
2N/A syslog(LOG_AUTH|LOG_NOTICE,
2N/A "Excessive (%d) login failures for %s: "
2N/A "locking account.", max_failures, username);
2N/A } else if (ret != PWU_NO_CHANGE &&
2N/A ret != PWU_SUCCESS) {
2N/A goto out;
2N/A }
2N/A }
2N/A if (((ret = ops->putpwnam(username, NULL, NULL, buf)) ==
2N/A PWU_SUCCESS) &&
2N/A (items[0].type == ATTR_LOCK_FAILED_LOGINS))
2N/A ret = PWU_ACCOUNT_LOCKED;
2N/A
2N/Aout:
2N/A if (ops->unlock != NULL) {
2N/A ops->unlock();
2N/A }
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/A/*
2N/A * reset the failed count.
2N/A * returns the number of failed logins before the reset, or an error (< 0)
2N/A */
2N/Aint
2N/A__rst_failed_count(char *username, char *repname)
2N/A{
2N/A int ret;
2N/A void *buf;
2N/A attrlist items[1];
2N/A int repnum = name_to_int(repname);
2N/A repops_t *ops;
2N/A
2N/A /* account locking only defined for files and ldap */
2N/A if ((repnum != REP_FILES) &&
2N/A (repnum != REP_LDAP)) {
2N/A return (PWU_SUCCESS);
2N/A }
2N/A
2N/A ops = rops[repnum];
2N/A if ((ops->lock != NULL) &&
2N/A (ret = ops->lock()) != PWU_SUCCESS) {
2N/A return (ret);
2N/A }
2N/A
2N/A items[0].type = ATTR_RST_FAILED_LOGINS;
2N/A items[0].next = NULL;
2N/A if ((ret = ops->getpwnam(username, items, NULL, &buf)) != PWU_SUCCESS)
2N/A goto out;
2N/A if ((ret = ops->update(items, NULL, buf)) != PWU_SUCCESS)
2N/A goto out;
2N/A ret = ops->putpwnam(username, NULL, NULL, buf);
2N/Aout:
2N/A if (ops->unlock != NULL) {
2N/A ops->unlock();
2N/A }
2N/A
2N/A return (ret != PWU_SUCCESS ? ret : items[0].data.val_i);
2N/A}