Bug 678653

Summary: pam_tally reset counter not working correctly
Product: Red Hat Enterprise Linux 6
Reporter: kent lamb <klamb>
Component: pam
Assignee: Tomas Mraz <tmraz>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: unspecified
Version: 6.0
Target Milestone: rc
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-02-18 19:36:03 UTC

Description kent lamb 2011-02-18 19:31:21 UTC
Description of problem:

Failed login counter is not cleared upon successful login.

Version-Release number of selected component (if applicable):
rhel6

rpm -qa  |grep pam
gnome-keyring-pam-2.28.2-6.el6.x86_64
pam_ssh_agent_auth-0.9-20.el6_0.3.x86_64
pam-1.1.1-4.el6_0.1.x86_64
pam-devel-1.1.1-4.el6_0.1.x86_64
pam_krb5-2.3.11-1.el6.x86_64
pam_passwdqc-1.0.5-6.el6.x86_64
nss-pam-ldapd-0.7.5-3.el6.x86_64
pam_ldap-185-5.el6.x86_64
pam_pkcs11-0.6.2-10.el6.x86_64
fprintd-pam-0.1-19.git04fd09cfa.el6.x86_64

How reproducible:
every time

Steps to Reproduce:
1. Set pam_tally in /etc/pam.d/system-auth:
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_tally2.so deny=5 audit unlock_time=60
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so 

account     required      pam_unix.so
account     required      pam_tally2.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_passwdqc.so min=disabled,disabled,disabled,12,12 passphrase=0 similar=permit match=0 
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=24
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.

2. su - testuser with bad password a few times. su - testuser with correct password and authenticate. Then su - testuser with bad password again. The testuser account will lock out based on the total number of incorrect logins since the beginning of the test, not since the correct login.

Actual results:

Expected results:
tallylog to count from the last good login, not since the beginning / last cleared

Additional info:
my test:
I built a test login and over 15 minutes, I failed to authenticate 6 times so the account locked. What is interesting (and incorrect) is that in that time frame, between the incorrect logins, I did successfully log in several times, so the pam_tally2 counter should have been reset.

Basically, my pattern was this:

su - test 
bad password 

su - test
bad password

su - test
correct password and successful login

su - test
bad password

su - test
correct password and successful login

su - test
bad password

su - test
bad password

su - test
correct password and successful login

su - test
bad password 
account locked for 15 minutes.

--------------------------

After this, when the lockout time expires, the tallylog still shows the 6 bad logins, so I get this:

su - test
correct password and successful login

su - test
bad password

su - test
bad password
Account locked due to 8 failed logins
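The tallylog state the report describes (a counter that survives the unlock window and keeps climbing) can be inspected directly from the file rather than inferred from lockout messages. The following is an added example, not part of the bug report or of Linux-PAM, that parses a /var/log/tallylog image and applies the deny/unlock_time rule from the report's pam_tally2 line; the 64-byte record layout is assumed from Linux-PAM's tallylog.h and the sample file is constructed.

```python
import struct
import time
from datetime import datetime, timezone

# Record layout of /var/log/tallylog as written by pam_tally2. Assumed here
# from Linux-PAM's tallylog.h; check it against your PAM source before use:
#   char     fail_line[52]   tty/service of the last failure
#   uint16_t reserved
#   uint16_t fail_cnt        failure counter
#   uint64_t fail_time       time_t of the last failure
# One 64-byte record per UID at file offset uid * 64, native byte order.
TALLY_FMT = "=52sHHQ"
TALLY_SIZE = struct.calcsize(TALLY_FMT)  # 64 bytes


def parse_tallylog(data, deny=5, unlock_time=None, now=None):
    """Return {uid: info} for every UID whose failure counter is non-zero.

    'locked' follows pam_tally2's deny/unlock_time rule: fail_cnt >= deny
    locks the account, and unlock_time (seconds since the last failure)
    lifts the lock again without clearing the counter.
    """
    now = time.time() if now is None else now
    result = {}
    for uid in range(len(data) // TALLY_SIZE):
        rec = data[uid * TALLY_SIZE:(uid + 1) * TALLY_SIZE]
        fail_line, _reserved, fail_cnt, fail_time = struct.unpack(TALLY_FMT, rec)
        if fail_cnt == 0:
            continue
        locked = fail_cnt >= deny
        if locked and unlock_time is not None and now - fail_time >= unlock_time:
            locked = False  # window expired: logins allowed, counter still stands
        result[uid] = {
            "failures": fail_cnt,
            "last_failure": datetime.fromtimestamp(fail_time, timezone.utc).isoformat(),
            "from": fail_line.split(b"\0", 1)[0].decode(errors="replace"),
            "locked": locked,
        }
    return result


def make_record(fail_cnt, fail_time, fail_line=b"pts/0"):
    """Build one constructed tallylog record (sample data, not a real log)."""
    return struct.pack(TALLY_FMT, fail_line, 0, fail_cnt, fail_time)


# Constructed sample file: UIDs 0-499 clean, UID 500 ('testuser' in the report)
# with 6 failures half an hour ago, UID 501 with 2 failures ten seconds ago.
NOW = 1298057763  # constructed "now": 2011-02-18 19:36:03 UTC
SAMPLE = make_record(0, 0) * 500 + make_record(6, NOW - 1800) + make_record(2, NOW - 10)
```

Running parse_tallylog(SAMPLE, deny=5, unlock_time=60, now=NOW) reports UID 500 with 6 failures and no longer locked, which is exactly the state the report sees after the unlock window: the next two failures push the counter to 8 and lock it again, because unlock_time only lifts the lock and never resets the count.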

Comment 1 kent lamb 2011-02-18 19:36:03 UTC
Just found 476219.