Hi, I added an option to pam_fprint: max_tries (default is 5)
$ cat /etc/pam.d/system-auth ... auth sufficient pam_fprint.so max_tries=7 .. and changed behaviour of "FP_VERIFY_NO_MATCH" in "static int do_identify" - if user not matched and have attempts than he can try again. this is my first patch of pam module so I copy, as much as possible, from pam_cracklib.c ;-) regards, peter http://www.fi.muni.cz/~xstancek/fprint/pam_fprint.diff or:
diff --git a/src/pam_fprint.c b/src/pam_fprint.c
index 24fc104..2ee39e4 100644
--- a/src/pam_fprint.c
+++ b/src/pam_fprint.c
@@ -28,6 +28,25 @@
 #define PAM_SM_AUTH
 #include <security/pam_modules.h>
+#define MAX_TRIES 5
+struct pam_fprint_options {
+ int max_tries;
+};
+
+static int parse_options(struct pam_fprint_options *opt, int argc, const char **argv) {
+ int ctrl = 0;
+ for (ctrl=0; argc-- > 0; ++argv) {
+ char *ep = NULL;
+ if (!strncmp(*argv,"max_tries=",10)) {
+ opt->max_tries = strtol(*argv+10, &ep, 10);
+ if (!ep || (opt->max_tries < 1)) {
+ opt->max_tries = MAX_TRIES;
+ }
+ }
+ }
+ return ctrl;
+}
+
 static int send_info_msg(pam_handle_t *pamh, char *msg)
 {
 const struct pam_message mymsg = {
@@ -149,10 +168,12 @@ static struct fp_print_data **find_dev_and_prints(struct fp_dscv_dev **ddevs,
 return gallery;
 }
-static int do_identify(pam_handle_t *pamh, struct fp_dev *dev,
+static int do_identify(struct pam_fprint_options *options, pam_handle_t *pamh, struct fp_dev *dev,
 struct fp_print_data **gallery, enum fp_finger *fingers)
 {
- int max_tries = 5;
+
+ int max_tries = options->max_tries;
+ int no_match = 0;
 size_t offset;
 const char *driver_name = fp_driver_get_full_name(fp_dev_get_driver(dev));
 const char *fstr = fingerstr(fingers[0]);
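Review bot: In `parse_options` (hunk `@@ -28,6 +28,25 @@`) the `max_tries=` value is not validated strictly: `!ep` can never be true because `strtol` always stores the end pointer, so `max_tries=7x` is accepted as 7, and the `long` result is narrowed to `int` before the range check. Parsing into a `long` first and checking the whole string, `long v = strtol(*argv + 10, &ep, 10);` then `if (ep == *argv + 10 || *ep != '\0' || v < 1 || v > INT_MAX) v = MAX_TRIES;`, would make a malformed or oversized setting fall back to the default; an upper cap would also keep a misconfigured stack from granting an effectively unlimited number of scan attempts. Unrecognised arguments and rejected values are dropped silently, so a mistyped option name in the PAM configuration leaves the default in force without any trace; a `pam_syslog(pamh, LOG_WARNING, ...)` line would surface that, though it needs `pamh` passed in. `ctrl` is never modified, so the return value carries nothing.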
@@ -163,7 +184,7 @@ static int do_identify(pam_handle_t *pamh, struct fp_dev *dev,
 if (fp_dev_supports_identification(dev)) {
- snprintf(msg, sizeof(msg), "Scan finger on %s", driver_name);
+ snprintf(msg, sizeof(msg), "Scan finger on %s. Attemp %d/%d.", driver_name, options->max_tries - max_tries + 1, options->max_tries);
 msg[sizeof(msg) - 1] = 0;
 send_info_msg(pamh, msg);
 r = fp_identify_finger(dev, gallery, &offset);
@@ -183,7 +204,8 @@ static int do_identify(pam_handle_t *pamh, struct fp_dev *dev,
 }
 switch (r) {
 case FP_VERIFY_NO_MATCH:
- return PAM_AUTH_ERR;
+ no_match = 1;
+ break;
 case FP_VERIFY_MATCH:
 return PAM_SUCCESS;
 case FP_VERIFY_RETRY:
@@ -201,13 +223,17 @@ static int do_identify(pam_handle_t *pamh, struct fp_dev *dev,
 "again.");
 break;
 }
- } while (max_tries--);
+ } while (--max_tries);
+
+ if (no_match) {
+ return PAM_AUTH_ERR;
+ }
 send_err_msg(pamh, "Too many failed scans, giving up.");
 return PAM_AUTHINFO_UNAVAIL;
 }
-static int do_auth(pam_handle_t *pamh)
+static int do_auth(struct pam_fprint_options *options, pam_handle_t *pamh)
 {
 int r;
 struct fp_dscv_dev **ddevs;
@@ -255,7 +281,7 @@ static int do_auth(pam_handle_t *pamh)
 return PAM_AUTHINFO_UNAVAIL;
 }
- r = do_identify(pamh, dev, gallery, fingers);
+ r = do_identify(options, pamh, dev, gallery, fingers);
 gallery_iter = gallery;
 while (*gallery_iter)
@@ -279,6 +305,11 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
 char *homedir;
 struct passwd *passwd;
 int r;
+
+ /* arguments */
+ struct pam_fprint_options options;
+ options.max_tries = MAX_TRIES;
+ parse_options(&options, argc, argv);
 pam_get_item(pamh, PAM_RHOST, (const void **)(const void*) &rhost);
 if (rhost != NULL && strlen(rhost) > 0) {
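Review bot: The new prompt in hunk `@@ -163,7 +184,7 @@` misspells "Attempt" as `Attemp`, and this string is shown to the user on every scan. The counter expression `options->max_tries - max_tries + 1` would read more easily as a named local, for example `int attempt = options->max_tries - max_tries + 1;`. The `else` branch of this `if` lies outside the hunk, so whether the verification prompt shows the same counter cannot be checked from here.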
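Review bot: With `case FP_VERIFY_NO_MATCH:` now leading to another loop iteration (hunk `@@ -183,7 +204,8 @@`), a genuine non-match is handled the same way as a bad scan: no message, no delay and no log entry before the next attempt. Each extra presentation against the gallery adds to the overall false-accept probability, so I would tell the user the print did not match, record the failure (for example with `pam_syslog`), and request a delay with `pam_fail_delay(pamh, <usec>)` before retrying. It may also be worth a separate, smaller limit for non-matches than for `FP_VERIFY_RETRY`-style scan errors, since the two carry different security weight. The rest of the `switch` is outside the hunk.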
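Review bot: The loop condition `while (--max_tries)` in hunk `@@ -201,13 +223,17 @@` only terminates promptly when `max_tries` starts at 1 or more; a zero or negative value would count down into signed overflow. `parse_options` currently guarantees a positive value, but `do_identify` takes it on trust, so a condition of `while (--max_tries > 0)` or a guard such as `if (max_tries < 1) max_tries = MAX_TRIES;` at the top keeps the bound local to the loop. `no_match` is also sticky: one non-match followed by unreadable scans ends in `PAM_AUTH_ERR` without the "Too many failed scans" message, so the user gets no final feedback on that path. A comment above `if (no_match)` such as `/* any non-match during the session counts as an authentication failure */` would document that this is intended.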
@@ -303,7 +334,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
 return PAM_AUTHINFO_UNAVAIL;
 }
- r = do_auth(pamh);
+ r = do_auth(&options, pamh);
 free(homedir);
 return r;
 }
_______________________________________________ fprint mailing list [email protected] http://lists.reactivated.net/mailman/listinfo/fprint
