#!/bin/bash ## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. grep_result="$(grep "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)" if ! echo "$grep_result" | grep -q "#" ; then ## https://forums.whonix.org/t/etc-security-hardening-console-lockdown/8592 if [ "$PAM_SERVICE" = "sshd" ]; then if id --name --groups --zero "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings "ssh"; then ssh_allowed=true fi if [ ! "$ssh_allowed" = "true" ]; then echo "$0: ERROR: PAM_USER: '$PAM_USER' is not a member of group 'ssh'" >&2 echo "$0: To unlock, run the following command as superuser:" >&2 echo "$0: (If you still have a sudo/root shell somewhere.)" >&2 echo "" >&2 echo "addgroup $PAM_USER ssh" >&2 echo "" >&2 echo "$0: However, possibly unlock procedure is required." >&2 echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2 echo "$0: See also:" >&2 echo "https://www.whonix.org/wiki/root#ssh" >&2 echo "" >&2 exit 0 fi fi if id --name --groups --zero "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings "console"; then console_allowed=true fi if id --name --groups --zero "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings "console-unrestricted"; then console_allowed=true fi if [ ! "$console_allowed" = "true" ]; then echo "$0: ERROR: PAM_USER: '$PAM_USER' is not a member of group 'console'" >&2 echo "$0: To unlock, run the following command as superuser:" >&2 echo "$0: (If you still have a sudo/root shell somewhere.)" >&2 echo "" >&2 echo "addgroup $PAM_USER console" >&2 echo "" >&2 echo "$0: However, possibly unlock procedure is required." >&2 echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2 echo "$0: See also:" >&2 echo "https://www.whonix.org/wiki/root#console" >&2 echo "" >&2 exit 0 fi fi ## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698 if [ ! "$(id -u)" = "0" ]; then ## as user "user" ## /sbin/pam_tally2 -u user ## pam_tally2: Error opening /var/log/tallylog for update: Permission denied ## /sbin/pam_tally2: Authentication error ## ## xscreensaver runs as user "user", therefore pam_tally2 cannot function. ## xscreensaver has its own failed login counter. ## ## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts ## ## https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html true "$0: not started as root, exiting." exit 0 fi ## Does not work (yet) for login, pam_securetty runs before and aborts. ## Also this should only run for login since securetty covers only login. # if [ "$PAM_USER" = "root" ]; then # if [ -f /etc/securetty ]; then # grep_result="$(grep "^[^#]" /etc/securetty)" # if [ "$grep_result" = "" ]; then # echo "$0: ERROR: Root login is disabled." >&2 # echo "$0: ERROR: This is because /etc/securetty is empty." >&2 # echo "$0: See also:" >&2 # echo "https://www.whonix.org/wiki/root#login" >&2 # echo "" >&2 # exit 0 # fi # fi # fi pam_tally2_output="$(pam_tally2 --user "$PAM_USER")" if [ "$pam_tally2_output" = "" ]; then true "$0: no failed login" exit 0 fi ## Example: #Login Failures Latest failure From #user 0 pam_tally2_output_last_line="$(echo "$pam_tally2_output" | tail -1)" ## Example: #user 0 arr=($pam_tally2_output_last_line) user_name="${arr[0]}" failed_login_counter="${arr[1]}" if [ ! "$PAM_USER" = "$user_name" ]; then echo "$0: ERROR: PAM_USER: '$PAM_USER' does not equal user_name: '$user_name'." >&2 echo "$0: ERROR: Please report this bug." >&2 echo "" >&2 exit 0 fi if [ "$failed_login_counter" = "0" ]; then true "$0: INFO: Failed login counter is 0, ok." exit 0 fi deny_line="$(cat /etc/pam.d/common-auth | grep deny=)" ## Example: #auth requisite pam_tally2.so even_deny_root deny=50 onerr=fail audit debug for word in $deny_line ; do if echo "$word" | grep -q "deny=" ; then deny="$(echo "$word" | cut -d "=" -f 2)" break fi done if [[ "$deny" == *[!0-9]* ]]; then echo "$0: ERROR: deny is not numeric." >&2 echo "$0: ERROR: Please report this bug." >&2 echo "" >&2 exit 0 fi remaining_attempts="$(( $deny - $failed_login_counter ))" if [ "$remaining_attempts" -le "0" ]; then echo "$0: ERROR: Login blocked after $failed_login_counter attempts." >&2 echo "$0: To unlock, run the following command as superuser:" >&2 echo "$0: (If you still have a sudo/root shell somewhere.)" >&2 echo "" >&2 echo "pam_tally2 --quiet -r --user $PAM_USER" >&2 echo "" >&2 echo "$0: However, most likely unlock procedure is required." >&2 echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2 echo "$0: See also:" >&2 echo "https://www.whonix.org/wiki/root#unlock" >&2 echo "" >&2 exit 0 fi echo "$0: WARNING: $failed_login_counter failed login attempts." >&2 echo "$0: Login will be blocked after $deny attempts." >&2 echo "$0: You have $remaining_attempts more attempts before unlock procedure is required." >&2 echo "" >&2 if [ "$PAM_SERVICE" = "su" ]; then echo "$0: NOTE: Type the password. When entering the password, no password feedback (no asterisk (\"*\") symbol) will be shown." >&2 echo "" >&2 fi exit 0