kiran-authentication-service/0002-fix-pam-conf-Adjust-the-number-of-non-password-authe.patch

From e9d570e068bbb5ae1fd91a86b186cecf488ac771 Mon Sep 17 00:00:00 2001
From: liuxinhao <liuxinhao@kylinsec.com.cn>
Date: Tue, 30 May 2023 09:25:03 +0800
Subject: [PATCH 2/5] fix(pam conf): Adjust the number of non-password
 authentication failures recorded in the PAM configuration file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- 调整PAM配置文件，多路认证非密码认证失败记录错误次数

Closes #I7937W
---
 data/kiran-authentication-service | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/data/kiran-authentication-service b/data/kiran-authentication-service
index e5d0f98..afc7e17 100644
--- a/data/kiran-authentication-service
+++ b/data/kiran-authentication-service
@@ -1,11 +1,16 @@
-# 多路认证模式，成/功则认证通过，失败/切换到密码 跳过多因子认证模式
-auth  [success=done ignore=ignore default=die] pam_kiran_authentication.so doauth
+# NOTE:需要将/etc/pam.d/system-auth中pam_faillock中控制流程字段由required修改为requisite
+# 若不修改，用户已锁定也能开始认证，无论认证是否成功都会失败，并且无提示。
 
+# =========================认证配置项目================================ #
+# 多路认证模式，成/功则认证通过，失败/切换到密码 跳过多因子认证模式
+auth  [success=done ignore=2 default=die] pam_kiran_authentication.so doauth
 # 多因子认证模式, 成功继续执行PAM流程栈,失败或默认值都为失败
-#auth  requisite               pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=60
 #auth  [success=2 default=bad] pam_kiran_authentication.so doauth
-#auth  [default=die]           pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=60
-#auth  required                pam_debug
+# ==================================================================== #
+
+# 认证服务后续认证流程兼容，走系统错误计数failock, pam_debug只是修改认证状态值为成功
+auth  [default=die]           pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=60
+auth  required                pam_debug
 
 # 认证成功，清理内部记录错误次数
 account required pam_kiran_authentication.so authsucc
\ No newline at end of file
-- 
2.33.0