Bug 60930
| Field | Value |
|---|---|
| Summary | pam_tally lets you brute force password while account is locked out |
| Product | [Retired] Red Hat Linux |
| Reporter | Andreas Hansson <andreas-bugzilla> |
| Component | pam |
| Assignee | Tomas Mraz <t8m> |
| Status | CLOSED UPSTREAM |
| QA Contact | Aaron Brown <abrown> |
| Severity | medium |
| Priority | medium |
| Version | 7.1 |
| CC | george.brown, kmaraas |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | i586 |
| OS | Linux |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2005-01-07 15:18:00 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Description
Andreas Hansson
2002-03-09 13:57:49 UTC
Has this changed in later releases? Should security bugs like this not be hidden?

Created attachment 104015 [details]
Proposed patch

This patch solves the issue by moving the tally checking functionality to the auth group. However, it's necessary to update the PAM configuration by moving the required options (such as deny=N) to the auth group.

Also note that when it seems that it doesn't work as expected, check if the pam_tally module is called/not called on both the auth and account groups. For example, su on Fedora Core effectively skips pam_tally for root because pam_rootok is the first module called in the auth group and has sufficient as its control value. This will imbalance the calls to the pam_tally module. To rebalance it you need to put a 'pam_succeed_if.so uid eq 0 use_uid quiet' as the first module for su in the account group.
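The configuration change described in the comment above, as an added example that is not part of the bug report or of the upstream patch: two constructed system-auth stacks (pam_tally checking in the account group, then moved to the auth group with deny=N, where it is enforced by the same group that verifies the password), a constructed Fedora Core style su stack before and after the pam_succeed_if rebalancing, and a small shell check that reports which groups call pam_tally, whether deny= sits in the auth group, and whether a pam_rootok short-circuit in auth has a matching first-line bypass in account. The helper names (tally_groups, deny_in_auth, su_rootok_balanced) are mine; the exact pam_tally option spellings, the pam_stack.so lines and the use of sufficient as the control for the pam_succeed_if line are assumptions to check against the pam_tally(8) and pam_succeed_if(8) manual pages of the installed version.

```sh
#!/bin/sh
# Added example for Bug 60930; not code from the report or the upstream patch.
# The PAM fragments below are constructed for illustration; option names and
# the pam_stack.so lines are assumptions to check against pam_tally(8).

# Constructed system-auth with the tally check in the account group: the auth
# group has already verified the password by the time pam_tally can deny.
VULN_SYSTEM_AUTH='
auth     required   pam_env.so
auth     required   pam_tally.so onerr=fail
auth     sufficient pam_unix.so nullok
auth     required   pam_deny.so
account  required   pam_tally.so deny=5 reset
account  required   pam_unix.so
'

# Same stack after the patch: deny=N moves to the auth group, so the lockout
# is enforced in the group that checks the password.
FIXED_SYSTEM_AUTH='
auth     required   pam_env.so
auth     required   pam_tally.so onerr=fail deny=5
auth     sufficient pam_unix.so nullok
auth     required   pam_deny.so
account  required   pam_tally.so
account  required   pam_unix.so
'

# Constructed Fedora Core style su: pam_rootok (sufficient) short-circuits the
# auth group for root, but the account group still calls pam_tally.
VULN_SU='
auth     sufficient pam_rootok.so
auth     required   pam_stack.so service=system-auth
account  required   pam_stack.so service=system-auth
'

# Rebalanced: the account group gets a matching root short-circuit first.
# Using "sufficient" as the control for pam_succeed_if is an assumption.
FIXED_SU='
auth     sufficient pam_rootok.so
auth     required   pam_stack.so service=system-auth
account  sufficient pam_succeed_if.so uid eq 0 use_uid quiet
account  required   pam_stack.so service=system-auth
'

# tally_groups CONFIG: management groups that call pam_tally.so, in order.
tally_groups() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        /pam_tally\.so/ && !seen[$1]++ { out = out (out == "" ? "" : " ") $1 }
        END { print out }'
}

# deny_in_auth CONFIG: "yes" if an auth-group pam_tally line carries deny=.
deny_in_auth() {
    printf '%s\n' "$1" | awk '
        $1 == "auth" && /pam_tally\.so/ {
            for (i = 4; i <= NF; i++) if ($i ~ /^deny=/) found = 1
        }
        END { print (found ? "yes" : "no") }'
}

# su_rootok_balanced CONFIG: "yes" unless auth short-circuits root through
# "sufficient pam_rootok.so" while account lacks a first-line
# "sufficient pam_succeed_if.so uid eq 0" bypass.
su_rootok_balanced() {
    printf '%s\n' "$1" | awk '
        $1 == "auth" && $2 == "sufficient" && /pam_rootok\.so/ { rootok = 1 }
        $1 == "account" { n++ }
        $1 == "account" && n == 1 && $2 == "sufficient" && /pam_succeed_if\.so/ && /uid eq 0/ { bypass = 1 }
        END { print ((!rootok || bypass) ? "yes" : "no") }'
}

echo "vulnerable system-auth: pam_tally in [$(tally_groups "$VULN_SYSTEM_AUTH")], deny= in auth: $(deny_in_auth "$VULN_SYSTEM_AUTH")"
echo "fixed system-auth:      pam_tally in [$(tally_groups "$FIXED_SYSTEM_AUTH")], deny= in auth: $(deny_in_auth "$FIXED_SYSTEM_AUTH")"
echo "su before rebalancing:  root calls balanced: $(su_rootok_balanced "$VULN_SU")"
echo "su after rebalancing:   root calls balanced: $(su_rootok_balanced "$FIXED_SU")"
```

The check only parses the simple `group control module options` line shape; bracketed control values such as `[default=die]` and stacks pulled in through pam_stack.so or include lines are not followed, so run it against each service file and the stack it delegates to.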
Created attachment 104062 [details]
Even better patch

This patch even fixes the fail_locktime problem.

*** Bug 75374 has been marked as a duplicate of this bug. ***

Fixed in upstream CVS

Created attachment 109471 [details]
Patch applied to upstream