kiran-authentication-service/0002-fix-pam-conf-Adjust-the-number-of-non-password-authe.patch

From e9d570e068bbb5ae1fd91a86b186cecf488ac771 Mon Sep 17 00:00:00 2001
From: liuxinhao <liuxinhao@kylinsec.com.cn>
Date: Tue, 30 May 2023 09:25:03 +0800
Subject: [PATCH 2/5] fix(pam conf): Adjust the number of non-password
 authentication failures recorded in the PAM configuration file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- 调整PAM配置文件，多路认证非密码认证失败记录错误次数

Closes #I7937W
---
 data/kiran-authentication-service | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/data/kiran-authentication-service b/data/kiran-authentication-service
index e5d0f98..afc7e17 100644
--- a/data/kiran-authentication-service
+++ b/data/kiran-authentication-service
@@ -1,11 +1,16 @@
-# 多路认证模式，成/功则认证通过，失败/切换到密码 跳过多因子认证模式
-auth  [success=done ignore=ignore default=die] pam_kiran_authentication.so doauth
+# NOTE:需要将/etc/pam.d/system-auth中pam_faillock中控制流程字段由required修改为requisite
+# 若不修改，用户已锁定也能开始认证，无论认证是否成功都会失败，并且无提示。
 
+# =========================认证配置项目================================ #
+# 多路认证模式，成/功则认证通过，失败/切换到密码 跳过多因子认证模式
+auth  [success=done ignore=2 default=die] pam_kiran_authentication.so doauth
 # 多因子认证模式, 成功继续执行PAM流程栈,失败或默认值都为失败
-#auth  requisite               pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=60
 #auth  [success=2 default=bad] pam_kiran_authentication.so doauth
-#auth  [default=die]           pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=60
-#auth  required                pam_debug
+# ==================================================================== #
+
+# 认证服务后续认证流程兼容，走系统错误计数failock, pam_debug只是修改认证状态值为成功
+auth  [default=die]           pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=60
+auth  required                pam_debug
 
 # 认证成功，清理内部记录错误次数
 account required pam_kiran_authentication.so authsucc
\ No newline at end of file
-- 
2.33.0
-												fix(*): Fixed an issue with the first round of test in Part 2.5

- 修复部分第一轮测试出现的问题

											
										
										
											2023-05-31 16:27:58 +08:00
+								From e9d570e068bbb5ae1fd91a86b186cecf488ac771 Mon Sep 17 00:00:00 2001
 								From: liuxinhao <liuxinhao@kylinsec.com.cn>
 								Date: Tue, 30 May 2023 09:25:03 +0800
 								Subject: [PATCH 2/5] fix(pam conf): Adjust the number of non-password
 								 authentication failures recorded in the PAM configuration file
 								MIME-Version: 1.0
 								Content-Type: text/plain; charset=UTF-8
 								Content-Transfer-Encoding: 8bit
 								- 调整PAM配置文件，多路认证非密码认证失败记录错误次数
 								Closes #I7937W
 								---
 								 data/kiran-authentication-service | 15 ++++++++++-----
 file changed, 10 insertions(+), 5 deletions(-)
 								diff --git a/data/kiran-authentication-service b/data/kiran-authentication-service
 								index e5d0f98..afc7e17 100644
 								--- a/data/kiran-authentication-service
 								+++ b/data/kiran-authentication-service
@@ -1,11 +1,16 @@
 								-# 多路认证模式，成/功则认证通过，失败/切换到密码 跳过多因子认证模式
 								-auth  [success=done ignore=ignore default=die] pam_kiran_authentication.so doauth
 								+# NOTE:需要将/etc/pam.d/system-auth中pam_faillock中控制流程字段由required修改为requisite
 								+# 若不修改，用户已锁定也能开始认证，无论认证是否成功都会失败，并且无提示。
 								+# =========================认证配置项目================================ #
 								+# 多路认证模式，成/功则认证通过，失败/切换到密码 跳过多因子认证模式
 								+auth  [success=done ignore=2 default=die] pam_kiran_authentication.so doauth
 								 # 多因子认证模式, 成功继续执行PAM流程栈,失败或默认值都为失败
 								-#auth  requisite               pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=60
 								 #auth  [success=2 default=bad] pam_kiran_authentication.so doauth
 								-#auth  [default=die]           pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=60
 								-#auth  required                pam_debug
 								+# ==================================================================== #
 								+
 								+# 认证服务后续认证流程兼容，走系统错误计数failock, pam_debug只是修改认证状态值为成功
 								+auth  [default=die]           pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=60
 								+auth  required                pam_debug
 								 # 认证成功，清理内部记录错误次数
 								 account required pam_kiran_authentication.so authsucc
 								\ No newline at end of file
 								--
 .33.0