openssh: add support for pam_faillock

this is done so that we can use PAM modules for locking out users
after x number of failed attempts for y seconds (by configuring
UsePAM, MaxAuthTries and UnlockTime in sshd UCI respectively)

net/openssh/files/sshd.init

@@ -25,13 +25,16 @@ validate_section_sshd()
 		'IdleTimeout:uinteger:0' \
 		'Interface:string' \
 		'KexAlgorithms:list(string)' \
+		'LockOutAttempts:uinteger:6' \
 		'MacAlgorithms:list(string)' \
 		'MaxAuthTries:uinteger:6' \
 		'mdns:bool:1' \
 		'PasswordAuth:bool:1' \
 		'Port:port:22' \
 		'RootLogin:bool:1' \
-		'RootPasswordAuth:bool:1'
+		'RootPasswordAuth:bool:1' \
+		'UnlockTime:uinteger:300' \
+		'UsePAM:bool:0'
 }
 
 append_config()
@@ -263,6 +266,42 @@ set_password_auth()
 	fi
 }
 
+set_use_pam()
+{
+	local UsePAM="${1}"
+
+	if [ "${UsePAM}" -eq 0 ]; then
+		append_config "UsePAM" "no"
+	else
+		append_config "UsePAM" "yes"
+	fi
+}
+
+update_pam_faillock()
+{
+	local deny="${1:-6}"
+	local unlock_time="${2:-300}"
+	local file="/etc/pam.d/common-auth"
+	local lockout_config="deny=$deny even_deny_root unlock_time=$unlock_time"
+
+	# Check if the file exists
+	if [ ! -f "$file" ]; then
+		return 0
+	fi
+
+	# Check if the existing values match
+	if grep -Eq "pam_faillock.so preauth $lockout_config\$" "$file" &&
+		grep -Eq "pam_faillock.so authfail audit $lockout_config\$" "$file"; then
+		return 0
+	fi
+
+	# Update the file only if changes are needed
+	sed -i -E \
+		-e "s|(pam_faillock.so preauth).*|\1 $lockout_config|" \
+		-e "s|(pam_faillock.so authfail).*|\1 audit $lockout_config|" \
+		"$file"
+}
+
 set_params()
 {
 	local ConfigFile="${1}"
@@ -284,9 +323,12 @@ set_params()
 	set_max_auth_tries "${MaxAuthTries}"
 	set_password_auth "${PasswordAuth}"
 	set_root_login "${RootLogin}" "${RootPasswordAuth}"
+	set_use_pam "${UsePAM}"
 
 	append_config "Subsystem" "sftp /usr/lib/sftp-server"
 
+	update_pam_faillock "${LockOutAttempts}" "${UnlockTime}"
+
 	# finalize
 	mkdir -p "$(dirname "${ConfigFile}")"
 	mv "${TEMPCONF}" "${ConfigFile}"