Bug 1886659

Summary: ssh public key authentication bypass faillock (RHEL 8.2)
Product: Red Hat Enterprise Linux 8
Reporter: Kappa <commodorekappa+redhat>
Component: pam
Assignee: Iker Pedrosa <ipedrosa>
Status: CLOSED WONTFIX
QA Contact: sssd-qe <sssd-qe>
Severity: unspecified
Priority: unspecified
Version: 8.2
CC: dapospis, pbrezina, tmraz
Target Milestone: rc
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2020-10-15 10:33:45 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Kappa 2020-10-09 04:57:55 UTC
Description of problem:

According to BZ 1583146, there are two examples in the manual page where pam_faillock is not in the account stack.

The server was originally configured with `authselect select sssd with-sudo with-faillock`. Then I updated /etc/pam.d/password-auth as below. But SSH public key authentication still logs the account in and resets the faillock status of the account.

auth        required                                     pam_env.so
#auth        required                                     pam_faildelay.so delay=2000000
#auth        required                                     pam_faillock.so preauth silent deny=4 unlock_time=1200
auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
#auth        sufficient                                   pam_unix.so  try_first_pass
auth     [success=1 default=bad] pam_unix.so try_first_pass
auth     [default=die]  pam_faillock.so authfail
auth     sufficient     pam_faillock.so authsucc
auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient                                   pam_sss.so forward_pass
#auth        required                                     pam_faillock.so authfail deny=4 unlock_time=1200
auth        required                                     pam_deny.so

#account     required                                     pam_faillock.so
account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so

password    requisite                                    pam_pwquality.so try_first_pass local_users_only
password    sufficient                                   pam_unix.so sha512 shadow  try_first_pass use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so

Version-Release number of selected component (if applicable):
8.2

Comment 1 Tomas Mraz 2020-10-09 06:53:49 UTC
With your configuration above the reset should not really happen on public key authentication. Are you really sure that the configuration was properly applied? I.e. I would recommend restarting sshd before testing it (although strictly speaking it should not be needed, as the configuration is freshly loaded for new authentication sessions).

Comment 2 Kappa 2020-10-09 09:53:03 UTC
I tested with restarting the OpenSSH service and the result is the same. Here's some log:

Oct  9 17:41:47 ipa4 root[79753]: # Generated by authselect on Fri Oct  9 12:13:40 2020
Oct  9 17:41:47 ipa4 root[79753]: # Do not modify this file manually.
Oct  9 17:41:47 ipa4 root[79753]:
Oct  9 17:41:47 ipa4 root[79753]: auth        required                                     pam_env.so
Oct  9 17:41:47 ipa4 root[79753]: #auth        required                                     pam_faildelay.so delay=2000000
Oct  9 17:41:47 ipa4 root[79753]: #auth        required                                     pam_faillock.so preauth silent deny=4 unlock_time=1200
Oct  9 17:41:47 ipa4 root[79753]: auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
Oct  9 17:41:47 ipa4 root[79753]: auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
Oct  9 17:41:47 ipa4 root[79753]: #auth        sufficient                                   pam_unix.so  try_first_pass
Oct  9 17:41:47 ipa4 root[79753]: auth     [success=1 default=bad] pam_unix.so try_first_pass
Oct  9 17:41:47 ipa4 root[79753]: auth     [default=die]  pam_faillock.so authfail
Oct  9 17:41:47 ipa4 root[79753]: auth     sufficient     pam_faillock.so authsucc
Oct  9 17:41:47 ipa4 root[79753]: auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
Oct  9 17:41:47 ipa4 root[79753]: auth        sufficient                                   pam_sss.so forward_pass
Oct  9 17:41:47 ipa4 root[79753]: #auth        required                                     pam_faillock.so authfail deny=4 unlock_time=1200
Oct  9 17:41:47 ipa4 root[79753]: auth        required                                     pam_deny.so
Oct  9 17:41:47 ipa4 root[79753]:
Oct  9 17:41:47 ipa4 root[79753]: #account     required                                     pam_faillock.so
Oct  9 17:41:47 ipa4 root[79753]: account     required                                     pam_unix.so
Oct  9 17:41:47 ipa4 root[79753]: account     sufficient                                   pam_localuser.so
Oct  9 17:41:47 ipa4 root[79753]: account     sufficient                                   pam_succeed_if.so uid < 1000 quiet
Oct  9 17:41:47 ipa4 root[79753]: account     [default=bad success=ok user_unknown=ignore] pam_sss.so
Oct  9 17:41:47 ipa4 root[79753]: account     required                                     pam_permit.so
Oct  9 17:41:47 ipa4 root[79753]:
Oct  9 17:41:47 ipa4 root[79753]: password    requisite                                    pam_pwquality.so try_first_pass local_users_only
Oct  9 17:41:47 ipa4 root[79753]: password    sufficient                                   pam_unix.so sha512 shadow  try_first_pass use_authtok
Oct  9 17:41:47 ipa4 root[79753]: password    sufficient                                   pam_sss.so use_authtok
Oct  9 17:41:47 ipa4 root[79753]: password    required                                     pam_deny.so
Oct  9 17:41:47 ipa4 root[79753]:
Oct  9 17:41:47 ipa4 root[79753]: session     optional                                     pam_keyinit.so revoke
Oct  9 17:41:47 ipa4 root[79753]: session     required                                     pam_limits.so
Oct  9 17:41:47 ipa4 root[79753]: -session    optional                                     pam_systemd.so
Oct  9 17:41:47 ipa4 root[79753]: session     optional                                     pam_oddjob_mkhomedir.so umask=0077
Oct  9 17:41:47 ipa4 root[79753]: session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
Oct  9 17:41:47 ipa4 root[79753]: session     required                                     pam_unix.so
Oct  9 17:41:47 ipa4 root[79753]: session     optional                                     pam_sss.so
Oct  9 17:42:02 ipa4 systemd[1]: Stopping OpenSSH server daemon...
Oct  9 17:42:02 ipa4 systemd[1]: Starting system activity accounting tool...
Oct  9 17:42:02 ipa4 systemd[1]: Stopped OpenSSH server daemon.
Oct  9 17:42:02 ipa4 systemd[1]: Stopped target sshd-keygen.target.
Oct  9 17:42:02 ipa4 systemd[1]: Stopping sshd-keygen.target.
Oct  9 17:42:02 ipa4 systemd[1]: Reached target sshd-keygen.target.
Oct  9 17:42:02 ipa4 systemd[1]: Starting OpenSSH server daemon...
Oct  9 17:42:02 ipa4 systemd[1]: Started OpenSSH server daemon.
Oct  9 17:42:02 ipa4 systemd[1]: Started system activity accounting tool.
Oct  9 17:43:01 ipa4 systemd[1]: Starting system activity accounting tool...
Oct  9 17:43:01 ipa4 systemd[1]: Started system activity accounting tool.
Oct  9 17:43:25 ipa4 root[79802]: root:
Oct  9 17:43:25 ipa4 root[79802]: When                Type  Source                                           Valid
Oct  9 17:43:25 ipa4 root[79802]: testaccount:
Oct  9 17:43:25 ipa4 root[79802]: When                Type  Source                                           Valid
Oct  9 17:43:25 ipa4 root[79802]: 2020-10-09 17:41:08 RHOST 10.0.0.1                                        V
Oct  9 17:43:25 ipa4 root[79802]: 2020-10-09 17:42:21 RHOST 10.0.0.1                                        V
Oct  9 17:43:25 ipa4 root[79802]: 2020-10-09 17:42:25 RHOST 10.0.0.1                                        V


Oct  9 17:42:02 ipa4 sshd[1083]: Received signal 15; terminating.
Oct  9 17:42:02 ipa4 sshd[79762]: Server listening on 0.0.0.0 port 22.
Oct  9 17:42:02 ipa4 sshd[79762]: Server listening on :: port 22.
Oct  9 17:42:17 ipa4 sshd[79740]: Connection closed by authenticating user testaccount 10.0.0.1 port 44304 [preauth]
Oct  9 17:42:21 ipa4 unix_chkpwd[79768]: password check failed for user (testaccount)
Oct  9 17:42:21 ipa4 sshd[79767]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1  user=testaccount
Oct  9 17:42:23 ipa4 sshd[79765]: error: PAM: Authentication failure for testaccount from 10.0.0.1
Oct  9 17:42:24 ipa4 sshd[79765]: Connection closed by authenticating user testaccount 10.0.0.1 port 44942 [preauth]
Oct  9 17:42:25 ipa4 unix_chkpwd[79773]: password check failed for user (testaccount)
Oct  9 17:42:25 ipa4 sshd[79772]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1  user=testaccount
Oct  9 17:42:25 ipa4 sshd[79772]: pam_faillock(sshd:auth): Consecutive login failures for user testaccount account temporarily locked
Oct  9 17:42:27 ipa4 sshd[79770]: error: PAM: Authentication failure for testaccount from 10.0.0.1
Oct  9 17:42:29 ipa4 sshd[79770]: Connection closed by authenticating user testaccount 10.0.0.1 port 44978 [preauth]
Oct  9 17:42:33 ipa4 unix_chkpwd[79779]: password check failed for user (testaccount)
Oct  9 17:42:33 ipa4 sshd[79778]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1  user=testaccount
Oct  9 17:42:35 ipa4 sshd[79776]: error: PAM: Authentication failure for testaccount from 10.0.0.1
Oct  9 17:42:35 ipa4 sshd[79776]: Connection closed by authenticating user testaccount 10.0.0.1 port 45020 [preauth]
Oct  9 17:42:59 ipa4 unix_chkpwd[79784]: password check failed for user (testaccount)
Oct  9 17:42:59 ipa4 sshd[79783]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1  user=testaccount
Oct  9 17:43:00 ipa4 sshd[79781]: error: PAM: Authentication failure for testaccount from 10.0.0.1
Oct  9 17:43:01 ipa4 sshd[79781]: Connection closed by authenticating user testaccount 10.0.0.1 port 45252 [preauth]
Oct  9 17:43:02 ipa4 unix_chkpwd[79791]: password check failed for user (testaccount)
Oct  9 17:43:02 ipa4 sshd[79790]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1  user=testaccount
Oct  9 17:43:04 ipa4 sshd[79788]: error: PAM: Authentication failure for testaccount from 10.0.0.1
Oct  9 17:43:04 ipa4 sshd[79788]: Connection closed by authenticating user testaccount 10.0.0.1 port 45278 [preauth]
Oct  9 17:43:09 ipa4 unix_chkpwd[79797]: password check failed for user (testaccount)
Oct  9 17:43:09 ipa4 sshd[79796]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1  user=testaccount
Oct  9 17:43:11 ipa4 sshd[79794]: error: PAM: Authentication failure for testaccount from 10.0.0.1
Oct  9 17:43:35 ipa4 sshd[79806]: Accepted publickey for testaccount from 10.0.0.1 port 45576 ssh2: ED25519 SHA256:12345...........
Oct  9 17:43:35 ipa4 systemd[79812]: pam_unix(systemd-user:session): session opened for user testaccount by (uid=0)
Oct  9 17:43:35 ipa4 sshd[79806]: pam_unix(sshd:session): session opened for user testaccount by (uid=0)

Comment 3 Kappa 2020-10-09 09:53:53 UTC
For comments #1 and #2:

17:41 updated the PAM config (/etc/pam.d/password-auth)
I piped the config to syslog

During this period, I attempted to log in with a wrong password in order to lock the account

17:42:25 the testaccount is locked

I did not manually reset the faillock

17:43:35 login by ssh public key

Comment 4 Tomas Mraz 2020-10-09 10:08:59 UTC
The log does not show anything wrong. The login by ssh public key is not blocked by faillock. That is by design.
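
As an added example (not part of this bug report or of any Red Hat tooling), a small Python script that does by machine the correlation Kappa's log shows by hand: it flags "Accepted publickey" logins for a user whose most recent pam_faillock lockout is still within the unlock window. The regex shapes, the 1200 s window (taken from the reporter's commented-out unlock_time) and the sample lines are assumptions modelled on the log above, not output from the reporter's host.

```python
"""Find sshd public-key logins that happened while a faillock lockout was in effect."""
import re
from datetime import datetime

# Assumed lockout window (seconds), mirroring the reporter's unlock_time=1200.
UNLOCK_TIME = 1200

# Syslog prefix: "Oct  9 17:42:25 host sshd[pid]: ..." (day may be space-padded).
LOCK_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: pam_faillock\(sshd:auth\): "
    r"Consecutive login failures for user (\S+) account temporarily locked")
PUBKEY_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted publickey for (\S+) "
    r"from (\S+) port \d+")

# Constructed sample lines modelled on the log in this report (fingerprints are placeholders).
SAMPLE_LOG = """\
Oct  9 17:42:25 ipa4 sshd[79772]: pam_faillock(sshd:auth): Consecutive login failures for user testaccount account temporarily locked
Oct  9 17:43:35 ipa4 sshd[79806]: Accepted publickey for testaccount from 10.0.0.1 port 45576 ssh2: ED25519 SHA256:PLACEHOLDER
Oct  9 18:30:00 ipa4 sshd[80001]: Accepted publickey for testaccount from 10.0.0.1 port 45600 ssh2: ED25519 SHA256:PLACEHOLDER
Oct  9 18:31:00 ipa4 sshd[80002]: Accepted publickey for alice from 10.0.0.2 port 40000 ssh2: ED25519 SHA256:PLACEHOLDER
"""


def parse_ts(stamp, year=2020):
    """Syslog timestamps carry no year; the assumed year is supplied by the caller."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_bypasses(log_text, unlock_time=UNLOCK_TIME):
    """Return (user, lock_time, login_time, rhost) for every public-key login that
    occurred less than unlock_time seconds after that user's latest faillock lockout."""
    locked_at = {}  # user -> datetime of the most recent lockout seen so far
    hits = []
    for line in log_text.splitlines():
        m = LOCK_RE.match(line)
        if m:
            locked_at[m.group(2)] = parse_ts(m.group(1))
            continue
        m = PUBKEY_RE.match(line)
        if m:
            ts, user, rhost = parse_ts(m.group(1)), m.group(2), m.group(3)
            lock = locked_at.get(user)
            if lock is not None and 0 <= (ts - lock).total_seconds() < unlock_time:
                hits.append((user, lock.strftime("%H:%M:%S"), ts.strftime("%H:%M:%S"), rhost))
    return hits


if __name__ == "__main__":
    for user, locked, login, rhost in find_bypasses(SAMPLE_LOG):
        print(f"{user}: locked at {locked}, public-key login at {login} from {rhost}")
```

The 18:30 login is not reported because it falls outside the 1200 s window; in production the script would read /var/log/secure or the journal instead of SAMPLE_LOG.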

Comment 5 Kappa 2020-10-09 12:02:07 UTC
After I checked #1583146, I thought pam_faillock could lock down an account even when public key authentication is configured.

So, are there other modules or methods for this specific use case?
I searched the web and found the URL below. But this is too technical for me.

https://support.hpe.com/hpesc/public/docDisplay?docId=mmr_kc-0114979

Comment 6 Iker Pedrosa 2020-10-15 08:04:39 UTC
Even if the account has been locked due to a wrong password, this doesn't deny user authentication when using ssh pubkeys. Moreover, this doesn't make any sense since the faillock method is there to prevent brute force attacks against a potentially weak user password, and pubkeys are not susceptible to this type of attack.

If you want to lock an account for ssh pubkey authentication, you can use: chage -E0 testuser

Comment 7 Kappa 2020-10-15 10:06:54 UTC
OK, I do not have more questions regarding this problem.
Thanks.

Comment 8 Iker Pedrosa 2020-10-15 10:33:45 UTC
Then, I'm closing it as won't fix.