Bug 74254

Summary: root account is never locked out by pam_tally
Product: [Retired] Red Hat Linux
Reporter: Steve Fox <steve>
Component: pam
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED NOTABUG
QA Contact: Jay Turner <jturner>
Severity: medium
Priority: medium
Version: 8.0
CC: kmaraas, srevivo
Keywords: Security
Hardware: i386
OS: Linux
URL: even_deny_root_account not recognized by pam_tally
Doc Type: Bug Fix
Last Closed: 2003-04-22 15:14:05 UTC

Description Steve Fox 2002-09-18 19:21:42 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.5 (X11; Linux i686; U;) Gecko/20020809

Description of problem:
The pam_tally docs say that using even_deny_root_account should lock the root
account once the number of invalid password attempts is greater than the set deny
limit. This parameter shows up as an unknown option in /var/log/messages.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Edit /etc/pam.d/system-auth to include these lines:

auth        required      /lib/security/pam_securetty.so
auth        required      /lib/security/pam_nologin.so
auth        required      /lib/security/pam_shells.so
auth        required      /lib/security/pam_pwdb.so
auth        required      /lib/security/pam_tally.so onerr=fail no_magic_root even_deny_root_account

account     required      /lib/security/pam_tally.so deny=5 reset no_magic_root

2. Try to log in as root, either via 'su' or from the console, 6 or more times
with an invalid password.

3. Try logging in again using the proper password. It works?

Actual Results:  I was able to log in even though the root account should have
been locked out.

Expected Results:  root should not be able to log in.

Additional info:

/var/log/messages shows:

Sep 18 11:06:45 iiosb su(pam_unix)[520]: authentication failure; logname=drfickle uid=506 euid=0 tty= ruser=drfickle rhost=  user=drfickle
Sep 18 11:06:47 iiosb pam_tally[520]: pam_tally: unknown option; even_deny_root_account

pam-0.75-40

Comment 1 Kjartan Maraas 2003-04-03 08:50:36 UTC
Have you tried the latest pam errata? Does that behave similarly?

Comment 2 Steve Fox 2003-04-22 15:14:05 UTC
It looks like this was a PEBCAK issue. I must have misinterpreted the
documentation. I am now using pam-0.75-46.8.0 and it is working properly.

Here are the relevant sections of /etc/pam.d/system-auth

auth        required      /lib/security/pam_tally.so onerr=fail no_magic_root
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_tally.so deny=5 reset no_magic_root even_deny_root_account
account     required      /lib/security/pam_unix.so

I had put even_deny_root_account in the auth section instead of account. Using
the above configuration it works as expected.

Thanks.
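A configuration check for the mistake in this report, added here as an example and not part of the bug or of pam itself: it flags even_deny_root_account on the auth pam_tally line (the placement pam 0.75 logs as an unknown option) and confirms the account-phase line carries it together with a deny= threshold. The two sample configurations are constructed to mirror the first and corrected system-auth snippets above.

```sh
#!/bin/sh
# Added example, not from the bug report: audit a system-auth style PAM
# configuration for the mistake in this report, where even_deny_root_account
# sits on the "auth" pam_tally line (pam 0.75 logs "unknown option" and
# root is never locked) instead of the "account" line.

# Constructed sample mirroring the reporter's first, broken configuration.
BROKEN_CONF='auth        required      /lib/security/pam_tally.so onerr=fail no_magic_root even_deny_root_account
account     required      /lib/security/pam_tally.so deny=5 reset no_magic_root'

# Constructed sample mirroring the working configuration from comment 2.
FIXED_CONF='auth        required      /lib/security/pam_tally.so onerr=fail no_magic_root
account     required      /lib/security/pam_tally.so deny=5 reset no_magic_root even_deny_root_account'

# pam_tally_lines PHASE CONFIG_TEXT
# Prints the pam_tally.so lines of one PAM phase (auth/account), with
# backslash continuation lines joined so a wrapped option is still seen.
pam_tally_lines() {
    printf '%s\n' "$2" \
        | sed -e :a -e '/\\$/N; s/\\\n//; ta' \
        | grep -E "^[[:space:]]*$1[[:space:]].*pam_tally\.so"
}

# check_pam_tally CONFIG_TEXT
# Prints one finding per problem; returns 0 only when root lockout is
# configured the way comment 2 describes, 1 otherwise.
check_pam_tally() {
    rc=0
    if pam_tally_lines auth "$1" | grep -q even_deny_root_account; then
        echo "even_deny_root_account on the auth line: pam_tally rejects it as an unknown option"
        rc=1
    fi
    if ! pam_tally_lines account "$1" | grep -q even_deny_root_account; then
        echo "no account-phase pam_tally line carries even_deny_root_account: root is never locked out"
        rc=1
    fi
    if ! pam_tally_lines account "$1" | grep -Eq 'deny=[0-9]+'; then
        echo "account-phase pam_tally line sets no deny=N threshold: nobody is locked out"
        rc=1
    fi
    return $rc
}

# Stand-alone run: report on both constructed samples.
echo "== broken"; check_pam_tally "$BROKEN_CONF" || echo "-> misconfigured"
echo "== fixed";  check_pam_tally "$FIXED_CONF" && echo "-> ok: root lockout configured"
```

Point it at a real file with `check_pam_tally "$(cat /etc/pam.d/system-auth)"`; a non-zero exit means root can still authenticate after the deny limit.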