|Summary:||[RFE] pam_faillock: Allow argument of 'unlock_time' option to have a meaning of lock the account forever / till manual intervention from system administrator|
|Product:||Red Hat Enterprise Linux 7||Reporter:||Jan Lieskovsky <jlieskov>|
|Component:||pam||Assignee:||Tomas Mraz <tmraz>|
|Status:||CLOSED DUPLICATE||QA Contact:||BaseOS QE Security Team <qe-baseos-security>|
|Version:||7.2||CC:||pkis, redigd, swells|
|Fixed In Version:||Doc Type:||Enhancement|
|Doc Text:||Story Points:||---|
|Last Closed:||2015-12-14 09:52:14 UTC||Type:||Bug|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
Description Jan Lieskovsky 2014-09-30 14:53:15 UTC
Description of problem: This issue has been raised within: https://github.com/OpenSCAP/scap-security-guide/issues/135#issuecomment-57103951 when trying to implement RHEL7 STIG: CCI-002238 rule. pam_faillock PAM module has option 'unlock_time' to specify how long time (in seconds) the account in question should be locked, till it's unlocked again. The maximum / upper border of allowed time specification is one week -- rpmbuild/BUILD/Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c: 70 #define MAX_TIME_INTERVAL 604800 /* 7 days */ Since RHEL7 STIG: CCI-002238 requires the account to be locked till manually unlocked by system administrator, it's not possible (right now) to implement this rule via pam_faillock module. Therefore it would be nice if some special value (e.g. zero / 0) would be also accepted to instruct pam_faillock that the account in question shouldn't be unlocked till not performed manually by administrator. Version-Release number of selected component (if applicable): pam-1.1.8-9.el7 How reproducible: Always Steps to Reproduce: 1. Use pam_faillock and try to configure it to require account not to be unlocked till explicitly manually done by system administrator Actual results: Maximum allowed value is '604800', e.g. one week. Expected results: Maximum allowed value should be "forever" (till not unlocked by sysadmin). Additional info: Maybe the value of zero(0) could be used for this case for the case of user account of unprivileged user. This option / value should be forbidden for privileged / root account case.
Comment 3 redigd 2015-12-11 19:42:22 UTC
I need to second this request. It is a total show stopper for my company. We have tried to drop back to pam_tally2 but are having issues with systemd/polkit/X/gdm integration issues.