On Sat, 28 Aug 2010, A. Kirillov wrote:

>> And that's about the only hint on how and where to enable pam_shield.
>> I've tried to add this line to /etc/pam.d/sshd too.
>> Fortunately it didn't crash anything but it didn't work either.
>
> Here's the story for those interested. With the default of
>
>   allow_missing_dns no
>   allow_missing_reverse no
>
> pam_shield DOESN'T BLOCK hosts with no or incomplete dns entries,
> which is a surprise. Should I say a big one? The reason it didn't work
> for me was that bind wasn't adding reverse maps for my local hosts
> because of screwed up zone file permissions.
>
> On a side note, when testing pam_shield with a recommended
> retention period of 60 secs you have to run /etc/cron.daily/pam-shield
> manually to release expired locks.

Welcome to the wonderful world of Open Source !

If you want to make a difference here, please talk to the upstream
developers, rather than to this list.

Now, since I use pam_shield myself I have reported both problems (segfault
of su and login when configuring in /etc/pam.d/system-auth, and the above).
I haven't tested both, so any feedback or testcase to replicate the problem
are welcomed by the upstream developers (does not include me).

We also discussed some other improvements:

 - using AUTHPRIV instead of AUTH for logging
 - including shield-trigger-iptables
 - Fixes to Makefile
 - Including manual pages
 - Fixes to INSTALL
 - Both registered bugs

Kind regards,
--
--   dag wieers,  dag at wieers.com,  http://dag.wieers.com/
--   [Any errors in spelling, tact or fact are transmission errors]