diff --git a/Cargo.toml b/Cargo.toml
index 338fef7..8ffff22 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -3,8 +3,8 @@ members = ["xtask"]
 [package]
 name = "pam-authramp"
-version = "0.1.0"
-description = "A PAM module for implementing ramping up delay on authentication failures."
+version = "0.3.0"
+description = "The AuthRamp PAM module provides an account lockout mechanism based on the number of authentication failures."
 authors = ["34n0 <34n0@immerda.ch>"]
 license = "GPL-3.0"
 publish = false
@@ -27,3 +27,18 @@ tempfile = "3.8.1"
 users = "0.11.0"
 log = "0.4"
 toml = "0.8.8"
+
+[package.metadata.generate-rpm]
+assets = [
+ { source = "target/release/libpam_authramp.so", dest = "/usr/lib64/security/libpam_authramp.so", mode = "755" },
+ { source = "example/system-auth/authramp.conf", dest = "/etc/security/authramp.conf", mode = "644" },
+]
+
+[package.metadata.deb]
+depends = "$auto"
+section = "utility"
+priority = "optional"
+assets = [
+ ["target/release/libpam_authramp.so", "usr/lib64/security/", "755"],
+ ["example/system-auth/authramp.conf", "/etc/security/authramp.conf", "644"],
+]
\ No newline at end of file
diff --git a/README.md b/README.md
index d2bf35b..9a60391 100644
--- a/README.md
+++ b/README.md
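Review bot: The `/etc/security/authramp.conf` asset in the new `[package.metadata.generate-rpm]` section is not marked as a configuration file, so an RPM upgrade will replace an administrator's edited lockout policy (tally_dir, free_tries, delays) with the shipped example. cargo-generate-rpm supports a `config` key on assets; `{ source = "example/system-auth/authramp.conf", dest = "/etc/security/authramp.conf", mode = "644", config = "noreplace" }` keeps local edits in place as `%config(noreplace)`. In the `[package.metadata.deb]` assets, `usr/lib64/security/` is probably not where PAM searches on Debian-family systems, which use a multiarch directory such as `lib/x86_64-linux-gnu/security/`; this is worth verifying on the target distribution before publishing a .deb, since a module PAM cannot load makes the documented `/etc/pam.d` stack fail. The two deb destinations also mix a relative path (`usr/lib64/security/`) with an absolute one (`/etc/security/authramp.conf`); pick one form.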
@@ -7,8 +7,22 @@ The AuthRamp PAM (Pluggable Authentication Modules) module provides an account l
 4. [Contributing](#contributing)
 ## Installation
-1. Copy the `libpam_authramp.so` library to the default PAM library directory. The directory varies for different distributions. For example, in current Fedora versions, the path is `/lib64/security`.
-2. Add the module library calls to the PAM service stack in `/etc/pam.d`.
+### RPM
+If you're a RPM distribution user, then then pam-authramp can be installed using a binary .rpm file provided in each [release](https://github.com/34N0/pam-authramp/releases).
+```bash
+curl -LO https://github.com/34N0/pam-authramp/releases/download/v0.3.0-alpha/pam-authramp-0.3.0-1.x86_64.rpm
+sudo rpm -i pam-authramp-0.3.0-1.x86_64.rpm
+```
+### Debian
+If you're a Debian user (or a user of a Debian derivative like Ubuntu), then pam-authramp can be installed using a binary .deb file provided in each [release](https://github.com/34N0/pam-authramp/releases).
+```bash
+curl -LO https://github.com/34N0/pam-authramp/releases/download/v0.3.0-alpha/pam-authramp_0.3.0-1_amd64.deb
+sudo dpkg -i pam-authramp_0.3.0-1_amd64.deb
+```
+### Manually
+1. Download the latest [release](https://github.com/34N0/pam-authramp/releases).
+2. Copy the `libpam_authramp.so` library to the default PAM library directory. The directory varies for different distributions. For example, in current Fedora versions, the path is `/lib64/security`.
+3. Add the module library calls to the PAM service stack in `/etc/pam.d`.
 Add the preauth hook before the authentication module:
 ```conf
diff --git a/example/system-auth/authramp.conf b/example/system-auth/authramp.conf
index 85a0fee..d4b6815 100644
--- a/example/system-auth/authramp.conf
+++ b/example/system-auth/authramp.conf
@@ -4,17 +4,22 @@
 [Settings]
 # Directory where tally information is stored.
 # Each user has a separate file in this directory to track authentication failures.
-tally_dir = /var/run/authramp
+# tally_dir = /var/run/authramp
 #
 # Number of allowed free authentication attempts before applying delays.
 # During these free tries, the module allows authentication without introducing delays.
-free_tries = 6
+# free_tries = 6
 #
 # Base delay applied to each authentication failure.
 # This is the initial delay applied after the free tries are exhausted.
-base_delay_seconds = 30
+# base_delay_seconds = 30
 #
 # Multiplier for the delay calculation based on the number of failures.
 # The delay for each subsequent failure is calculated as follows:
 # delay = ramp_multiplier * (fails - free_tries) * ln(fails - free_tries) + base_delay_seconds
-ramp_multiplier = 50
\ No newline at end of file
+# ramp_multiplier = 50
+#
+# Even lock out the root user. Enabling this can be dangerous and may result in a total system lockout.
+# For auditing purposes, the tally will still be created for the root user, even if this setting is disabled.
+# If you plan to enable this feature, make sure there isn't any tally stored under /root, or you risk immediate lockout.
+# even_deny_root = false
\ No newline at end of file
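Review bot: The commented-out sample value `# tally_dir = /var/run/authramp` is not valid TOML if an administrator uncomments it as written, since the path is an unquoted string, and this settings file appears to be read with the `toml` crate the package depends on, so copying the example verbatim yields a parse error rather than the intended policy; quote it, `# tally_dir = "/var/run/authramp"`. The new `even_deny_root` comment says a tally `stored under /root`, which reads as a filesystem path, whereas the earlier comment places per-user tally files inside `tally_dir`; wording such as `make sure no tally file for the root user exists in tally_dir` would be clearer. Since every key in the file is now commented out, a leading line like `# Values shown are the built-in defaults used when a key is absent.` would tell readers what the shipped file actually configures, assuming that is the intent of this change.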