Bug 328281

Summary: Pam_tally audit option is defective
Product: Red Hat Enterprise Linux 5
Reporter: Isaac W. <ibwilsonvt92>
Component: pam
Assignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA
Severity: medium
Priority: low
Version: 5.0
Hardware: All
OS: Linux
Fixed In Version: RHBA-2008-0336
Doc Type: Bug Fix
Last Closed: 2008-05-21 17:27:11 UTC

Description Isaac W. 2007-10-11 19:58:38 UTC
Description of problem:

Using the "audit" option in pam_tally eliminates the ability to lock out non-root
users after a set number of failed logins while simultaneously allowing
root to log in after any number of failed logins.

Version-Release number of selected component (if applicable):

pam-0.99.6.2-3.14.el5

How reproducible:

The following /etc/pam.d/login file will lock out all users, including root, after three failed login attempts.

#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       required     pam_tally.so onerr=fail deny=3 audit
auth       include      system-auth
account    required     pam_nologin.so
account    required     pam_tally.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    optional     pam_keyinit.so force revoke

Actual results:
All users, including root, are locked out after 3+ consecutive failed login attempts.

Expected results:
Root should not be locked out, even after 3+ consecutive failed login attempts.

Additional info:
Removing the "audit" option will give the expected results.

Comment 1 Tomas Mraz 2007-10-11 21:02:39 UTC
Yes, audit option erroneously activates the even_deny_root option.


Comment 2 Stéphane BERTIN 2007-10-18 14:40:38 UTC
With the same version of PAM, pam-0.99.6.2-3.14.el5, I see different behaviour.

I use the following lines in my system-auth:
auth        sufficient    /lib64/security/pam_unix.so try_first_pass likeauth md5 shadow
auth        required      /lib64/security/pam_tally.so onerr=fail deny=3
auth        required      /lib64/security/pam_deny.so

account     required      /lib64/security/pam_tally.so
account     sufficient    /lib64/security/pam_unix.so
account     required      /lib64/security/pam_deny.so

Failed logins increase the counter like this:
[root@home /tmp]# faillog -a
Login       Failures Maximum Latest                   On
toto       5        0   10/18/07 13:30:23 +0000  pts/1
[root@home /tmp]# pam_tally
User toto  (500)   has 5

But I can still log in! do su ...

Same problem as in following email :
http://www.redhat.com/archives/rhelv5-list/2007-July/msg00224.html

I also tried the audit option with pam_tally but it didn't lock out any account!!

Can you confirm this BUG?
Remark: on RHEL 4.2 pam_tally functions correctly.


Comment 3 Tomas Mraz 2007-10-18 16:31:03 UTC
(In reply to comment #2)
> With the same version of PAM, pam-0.99.6.2-3.14.el5, I see different behaviour.
> 
> I use the following lines in my system-auth:
> auth        sufficient    /lib64/security/pam_unix.so try_first_pass likeauth md5 shadow
> auth        required      /lib64/security/pam_tally.so onerr=fail deny=3
> auth        required      /lib64/security/pam_deny.so
> 
> account     required      /lib64/security/pam_tally.so
> account     sufficient    /lib64/security/pam_unix.so
> account     required      /lib64/security/pam_deny.so

This is a bad configuration.
pam_tally must be placed before pam_unix in the auth section.
Also, it is completely unnecessary to put the full path to the module into the config file.

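To make both failure modes in this thread concrete, here is a small Python model of a PAM auth stack. It is an added example for this page, not code from Linux-PAM, Red Hat, or either commenter. It simulates only the "required" and "sufficient" control flags, pam_tally's deny= counter with even_deny_root, and the account-stage reset; the buggy_audit switch, the user names and the passwords are assumptions for the demo. It shows (a) the reported defect, where "audit" behaves like even_deny_root so root is locked out after deny=3 failures, and (b) the comment 2/3 misconfiguration, where a "sufficient" pam_unix placed ahead of pam_tally returns success before the counter is ever checked, so the tally grows but never denies.

```python
"""Teaching model of a Linux-PAM 'auth' stack with pam_tally and pam_unix.

Added example for this bug report; not code from Linux-PAM or Red Hat. It
models only the 'required'/'sufficient' control flags, pam_tally's deny=
counter and even_deny_root, and (as an assumption, per comment 1) the RHEL 5
defect where 'audit' wrongly acted like even_deny_root.
"""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"

# Constructed sample password database; plain text only because this is a model.
USERS = {"root": "r00tpw", "toto": "totopw"}


class Tally:
    """Per-user consecutive-failure counter, standing in for /var/log/faillog."""

    def __init__(self):
        self.counts = {}

    def bump(self, user):
        self.counts[user] = self.counts.get(user, 0) + 1
        return self.counts[user]

    def reset(self, user):
        self.counts[user] = 0

    def get(self, user):
        return self.counts.get(user, 0)


def pam_unix(user, password, tally, opts):
    """pam_unix.so: checks the password, nothing else."""
    return PAM_SUCCESS if USERS.get(user) == password else PAM_AUTH_ERR


def pam_tally(user, password, tally, opts):
    """pam_tally.so auth hook: count this attempt, then enforce deny=N.

    opts['buggy_audit'] is a model assumption: when True, 'audit' is treated
    as even_deny_root, the behaviour comment 1 describes for the old package.
    """
    n = tally.bump(user)
    deny = int(opts.get("deny", 0))
    even_deny_root = "even_deny_root" in opts or bool(
        opts.get("buggy_audit") and "audit" in opts)
    if user == "root" and not even_deny_root:
        return PAM_SUCCESS  # root is exempt unless even_deny_root is in effect
    if deny and n > deny:
        return PAM_AUTH_ERR  # locked out: more than deny consecutive failures
    return PAM_SUCCESS


def pam_deny(user, password, tally, opts):
    return PAM_AUTH_ERR  # pam_deny.so always fails


def run_auth_stack(stack, user, password, tally):
    """Walk an auth stack.  required: remember a failure but keep going.
    sufficient: return success at once unless a required module already
    failed; a failure is ignored."""
    required_failed = False
    for control, module, opts in stack:
        rc = module(user, password, tally, opts)
        if control == "required":
            if rc != PAM_SUCCESS:
                required_failed = True
        elif control == "sufficient":
            if rc == PAM_SUCCESS and not required_failed:
                return PAM_SUCCESS
        else:
            raise ValueError("unsupported control flag: %s" % control)
    return PAM_AUTH_ERR if required_failed else PAM_SUCCESS


def login(stack, user, password, tally):
    """One attempt; on success the 'account' pam_tally clears the counter."""
    rc = run_auth_stack(stack, user, password, tally)
    if rc == PAM_SUCCESS:
        tally.reset(user)
    return rc


def attempts(stack, user, passwords, tally=None):
    """Try each password in turn; return (results, tally used)."""
    tally = Tally() if tally is None else tally
    return [login(stack, user, pw, tally) for pw in passwords], tally


def tally_first_stack(tally_opts):
    """The reporter's order: pam_tally ahead of system-auth's pam_unix."""
    return [("required", pam_tally, tally_opts),
            ("sufficient", pam_unix, {}),
            ("required", pam_deny, {})]


# Comment 2's order: a 'sufficient' pam_unix short-circuits before pam_tally runs.
MISORDERED_STACK = [("sufficient", pam_unix, {}),
                    ("required", pam_tally, {"deny": 3}),
                    ("required", pam_deny, {})]


if __name__ == "__main__":
    bad3 = ["wrong"] * 3
    buggy = tally_first_stack({"deny": 3, "audit": True, "buggy_audit": True})
    fixed = tally_first_stack({"deny": 3, "audit": True})
    print("old package, root:", attempts(buggy, "root", bad3 + ["r00tpw"])[0])
    print("fixed package, root:", attempts(fixed, "root", bad3 + ["r00tpw"])[0])
    print("fixed package, toto:", attempts(fixed, "toto", bad3 + ["totopw"])[0])
    _, t = attempts(MISORDERED_STACK, "toto", ["wrong"] * 5)
    print("misordered: tally=%d, correct password ->" % t.get("toto"),
          attempts(MISORDERED_STACK, "toto", ["totopw"], t)[0])
```

Running it prints the four cases: with the modelled defect root is refused on the fourth attempt even with the right password, with it removed root gets in while toto stays locked, and with the misordered stack the counter reaches 5 yet the next correct password is accepted and clears it. The practical check on a real system is the one Tomas gives: in system-auth the pam_tally auth line must come before the "sufficient" pam_unix line, otherwise a correct password always wins regardless of what faillog shows.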

Comment 4 Stéphane BERTIN 2007-10-19 08:04:38 UTC
Indeed, it was a stupid mistake due to "sufficient" in the control field.

Thank you.

Comment 5 RHEL Program Management 2007-10-19 20:25:09 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 10 errata-xmlrpc 2008-05-21 17:27:11 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0336.html