Bug 799346

Summary: pam_tally2 lacks ability to prevent accounts from being locked
Product: Red Hat Enterprise Linux 6 Reporter: Terry Bowling <tbowling>
Component: pamAssignee: Tomas Mraz <tmraz>
Status: CLOSED WONTFIX QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: low Docs Contact:
Priority: low    
Version: 6.1CC: dapospis, pep
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-04-24 14:21:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 782183, 835616    

Description Terry Bowling 2012-03-02 14:44:34 UTC 
Description of problem:

With pam_tally2, the faillog command has been deprecated and removed.  However, pam_tally2 and faillock commands lack the ability to PREVENT select accounts from becoming locked after the failed password limit has been reached.

Version-Release number of selected component (if applicable):

faillog command appears to be removed in:
RHEL 6.1, RHEL 5.8, Fedora ?
pam-1.1.1-8.el6.src.rpm
Errata RHBA-2011:0685-1
BZ 675168

How reproducible:

Add the following lines to the appropriate order in /etc/pam.d/system-auth and /etc/pam.d/login files
	auth        required      pam_tally2.so deny=3 onerr=fail
	account     required      pam_tally2.so

After 3 failed login attempts the local account will be correctly locked.  However, there is no method to prevent select local accounts from being excluded from this rule.


Previously, one could use the faillog -m -1 --user USERNAME to prevent select accounts from becoming locked.  With faillog removed, this functionality is no longer available.
Comment 1 Terry Bowling 2012-03-02 14:48:05 UTC 
Strategic TAM customer has brought this to our attention as it significantly impacts their Security and Audit processes.

A Google search for (pam_tally2 prevent lockout) will provide multiple links of others running into this issue as well.
Comment 2 Tomas Mraz 2012-03-02 14:57:48 UTC 
You can at least do it by skipping over the pam_tally2 module for the user with pam_succeed_if.so or pam_listfile.so module - such as:

auth        [success=1 default=ignore] pam_succeed_if.so user in u1:u2:u3
auth        required      pam_tally2.so deny=3 onerr=fail
Comment 3 Terry Bowling 2012-03-02 18:10:10 UTC 
I have requested the customer to evaluate and test the following options to ensure that it continues to evaluate the pam_ldap requirements as well.

I am not sure it will pass their audit requirements as it is bypassing pam_tally2 and therefore not incrementing failed attempts.  We will see how the customer responds.  Thanks for your feedback.

   1.  add these local accounts to a local group (slm_local_exclusions)
	auth        [success=1 default=ignore] pam_succeed_if.so user ingroup slm_local_exclusions

   2.  add user,host combination to a netgroup (slm_local_exclusions)
	auth        [success=1 default=ignore] pam_succeed_if.so user innetgr slm_local_exclusions

   3.  use a file containing a list of users, one per line:  /etc/pam.d/slm_local_exclusions
	auth        [success=1 default=ignore]  pam_listfile.so item=user sense=allow file=/etc/pam.d/slm_local_exclusions
Comment 7 RHEL Program Management 2012-12-14 06:47:26 UTC 
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 9 Siddharth Nagar 2013-04-24 14:21:48 UTC 
We have a workaround for this. Please re-validate this and re-open if necessary.