Bug 1583146

Summary: SSH public key authentication resets faillock counter of a locked user on RHEL-7
Product: Red Hat Enterprise Linux 7
Reporter: Vinay Mishra <vmishra>
Component: pam
Assignee: Tomas Mraz <tmraz>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: 7.4
CC: cparadka, pkis
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Last Closed: 2018-05-28 11:26:38 UTC
Type: Bug

Description Vinay Mishra 2018-05-28 10:08:37 UTC
Summary: SSH public key authentication resets faillock counter of a locked user on RHEL-7

Description of problem:
SSH public key authentication resets faillock counter of a locked user on RHEL-7

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux 7.4
pam-1.1.8-18.el7.x86_64

How reproducible:
Always

Steps to Reproduce:

1) Setup a system with "pam_faillock" module to lockout user after invalid logins.

Server1
-----------------
# cat /etc/pam.d/password-auth
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=1000000
auth        required      pam_faillock.so preauth silent deny=3 fail_interval=900 unlock_time=600
auth        sufficient    pam_unix.so nullok try_first_pass
#auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_faillock.so authfail audit deny=3 fail_interval=900 unlock_time=600
auth [success=1 default=ignore] pam_localuser.so
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_faillock.so
account     required      pam_unix.so no_pass_expiry
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    required    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
#password   sufficient    pam_sss.so use_authtok
password    sufficient   pam_rootok.so
password    required    pam_echo.so file=/opt/cntdb/data/onends_password_change_deny_msg
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_umask.so umask=0027
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0027
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     [success=1 default=ignore] pam_localuser.so
session     optional      pam_sss.so
---------------

2) Now ssh from another system with invalid attempts, user gets locked:

System1
------------------
$ ssh testuser@Server1
Password:
Password:
Password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).

Server1
-----------------
# faillock --user testuser
testuser:
When                Type  Source                                           Valid
2018-05-16 17:36:22 RHOST 10.76.1.137                                          V
2018-05-16 17:36:24 RHOST 10.76.1.137                                          V
2018-05-16 17:36:28 RHOST 10.76.1.137                                          V

3) Now authenticate same user using public key from another host, the faillock counter is cleared and user lockout is removed.

System2
------------------
# ssh testuser@Server1
Last failed login: Wed May 16 17:36:29 IST 2018 from 10.76.1.137 on ssh:notty
There were 3 failed login attempts since the last successful login.
Last login: Wed May 16 17:35:04 2018 from 10.74.133.178
Type:QuickVM:BaseOS
$

Server1
-----------------
# faillock --user testuser
testuser:
When                Type  Source                                           Valid

Actual results:
Faillock counts are cleared with ssh public key authentication.
Expected results:
Faillock counts should not be cleared with ssh public key authentication.

Additional info:
Why is the faillock counter reset? This is not noticed with pam_tally2 on RHEL-6.

Comment 2 Tomas Mraz 2018-05-28 11:26:38 UTC
This works as designed. The faillock counter is reset in the account stack by the:

account     required      pam_faillock.so

There is another example in the pam_faillock manual page which does not put pam_faillock into the account stack. If PAM is configured according to this example, it will work fine (in the sense that the faillock entries will not be reset) with regard to SSH public key authentication.
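As an added illustration (not part of the bug report or of the pam package), a small POSIX shell helper that lists the pam_faillock calls a stack makes and flags the account-stack entry the closing comment points to; sshd runs the account phase for publickey logins even though the auth phase is skipped, which is why that entry clears the record. The two embedded configs are constructed excerpts, and the auth-only variant with `authsucc` is an assumption modelled on the manual page's example rather than the reporter's file.

```shell
# Added helper, not from the bug report: show which pam_faillock.so calls a
# PAM stack makes. An "account" entry clears the failure record whenever the
# account phase runs, and sshd runs that phase for publickey logins as well.

# Constructed excerpt of the reporter's password-auth (counter gets reset).
SAMPLE_BEFORE='auth        required      pam_faillock.so preauth silent deny=3 fail_interval=900 unlock_time=600
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_faillock.so authfail audit deny=3 fail_interval=900 unlock_time=600
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so no_pass_expiry'

# Constructed auth-only variant (assumption, modelled on the authsucc example
# in pam_faillock(8)): the record is cleared only by the explicit authsucc
# call, which a publickey login never reaches.
SAMPLE_AFTER='auth        required      pam_faillock.so preauth silent deny=3 fail_interval=900 unlock_time=600
auth        [success=1 default=bad] pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 fail_interval=900 unlock_time=600
auth        sufficient    pam_faillock.so authsucc audit deny=3 fail_interval=900 unlock_time=600
auth        required      pam_deny.so
account     required      pam_unix.so no_pass_expiry'

# faillock_in_account_stack CONFIG_TEXT
# Succeeds (exit 0) when an uncommented account line loads pam_faillock.so.
faillock_in_account_stack() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*account[[:space:]].*pam_faillock\.so'
}

# faillock_modes CONFIG_TEXT
# Prints one "<stack> <mode>" line per pam_faillock.so call; an account entry
# carries no mode keyword and is reported as "clear-on-success".
faillock_modes() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        /pam_faillock\.so/ {
            mode = "clear-on-success"
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(preauth|authfail|authsucc)$/) mode = $i
            print $1, mode
        }'
}

# Usage: compare both stacks; on a live box pass "$(cat /etc/pam.d/password-auth)".
faillock_modes "$SAMPLE_BEFORE"   # auth preauth / auth authfail / account clear-on-success
faillock_modes "$SAMPLE_AFTER"    # auth preauth / auth authfail / auth authsucc
if faillock_in_account_stack "$SAMPLE_BEFORE"; then
    echo "reporter stack: failure record cleared by any successful login, publickey included"
fi
```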