Bug 985371

Summary: Default configuration file can make machine inaccessible
Product: [Fedora] Fedora
Reporter: Petr Tuma <petr.tuma>
Component: pam_abl
Assignee: Eric Smith <spacewar>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 19
CC: alex, spacewar, tmraz
Hardware: All
OS: Linux
Fixed In Version: pam_abl-0.6.0-2.fc20
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-10-01 01:52:52 UTC

Description Petr Tuma 2013-07-17 11:09:12 UTC
Description of problem:

In the current pam_abl package (0.5.0-2.fc19), the /etc/security/pam_abl.conf file whitelists users danta and chris and hosts 1.1.1.* and 2.1.1.1 (which is probably a wrong default too but not seriously so).

In the previous pam_abl package (0.2.3-11.fc18), there was no whitelist, but the root user was excluded from the default user rule.

As a result, a simple upgrade of pam_abl between Fedora 18 and Fedora 19, with pam_abl enabled in the PAM configuration files, will result in a machine that does not have root excluded from the user login block. When somebody tries to guess the root account password, the attempt triggers the auto block and thus makes it impossible for the legitimate root to log in.

The default configuration file should be innocent enough to prevent this from happening. One possible change is to remove the host whitelist line and specify root (only) in the user whitelist line.

Version-Release number of selected component (if applicable):

pam_abl 0.5.0-2

How reproducible:

Always. Especially when upgrading from Fedora 18 to Fedora 19. In Fedora 18, the default config file was reasonable and therefore did not need changing. The upgrade will silently overwrite the config file with a new one with different (and not reasonable) defaults.

Steps to Reproduce:
1. Install pam_abl.
2. Add pam_abl to PAM configuration.
3. Try logging in as root with wrong password several times.

Actual results:

Root user gets blocked from accessing the machine at all.

Expected results:

Root user should be whitelisted (as it was in past versions of pam_abl).

Additional info:

There seem to be other issues with pam_abl under Fedora 19: the underlying database backend sometimes complains about multiple open databases, but that error is not easily reproducible.
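
As an added illustration (not part of this report or of the pam_abl package), the following Python check reads a pam_abl.conf and flags the two hazards the description raises: root being subject to user_rule without appearing in user_whitelist, and the placeholder whitelist entries (danta, chris, 1.1.1.*, 2.1.1.1) left in the shipped file. The two embedded configurations are constructed to model the Fedora 19 and Fedora 18 defaults as the report describes them; the key names, the `!user:` exclusion prefix in user_rule and the `;`-separated whitelist syntax are assumptions drawn from pam_abl's documented format, not text quoted from the package.

```python
"""Lint a pam_abl.conf for the root-lockout hazard described in the bug report.

Constructed example; the configuration samples and the assumed syntax
(key=value lines, '!name:' rule exclusion, ';'-separated whitelists)
are modelled on pam_abl's documented format, not copied from the package.
"""
import re

# Constructed sample modelling the Fedora 19 defaults described in the report:
# everybody (including root) is subject to user_rule, and the whitelists hold
# placeholder names/hosts rather than root.
WEAK_DEFAULT_CONF = """\
# pam_abl.conf - constructed model of the 0.5.0 shipped defaults
host_db=/var/lib/pam_abl/hosts.db
host_purge=2d
host_rule=*:10/1h,30/1d
host_whitelist=1.1.1.*;2.1.1.1
user_db=/var/lib/pam_abl/users.db
user_purge=2d
user_rule=*:10/1h,30/1d
user_whitelist=danta;chris
"""

# Constructed sample modelling the fix the report asks for: root excluded from
# the user rule and whitelisted, no example host whitelist.
SAFER_CONF = """\
# pam_abl.conf - constructed model of a root-safe configuration
host_db=/var/lib/pam_abl/hosts.db
host_purge=2d
host_rule=*:10/1h,30/1d
user_db=/var/lib/pam_abl/users.db
user_purge=2d
user_rule=!root:10/1h,30/1d
user_whitelist=root
"""

# Placeholder entries named in the report; their presence means the shipped
# example was never adapted to the site.
PLACEHOLDER_USERS = {"danta", "chris"}
PLACEHOLDER_HOSTS = {"1.1.1.*", "2.1.1.1"}


def parse_conf(text):
    """Return {key: value} for 'key=value' lines; '#' comments and blanks are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def split_list(value):
    """Split a whitelist or subject list on ';' or ',' (assumed separators)."""
    return [item.strip() for item in re.split(r"[;,]", value) if item.strip()]


def rule_subjects(rule):
    """Return (negated, names) for the subject part of a rule such as '!root:10/1h,30/1d'.

    '*' means every account; a leading '!' means every account except those listed.
    """
    subject = rule.split(":", 1)[0].strip()
    negated = subject.startswith("!")
    return negated, split_list(subject.lstrip("!"))


def root_can_be_locked_out(conf):
    """True when user_rule applies to root and root is not in user_whitelist."""
    if "root" in split_list(conf.get("user_whitelist", "")):
        return False
    rule = conf.get("user_rule", "")
    if not rule:
        return False  # no user rule means no user-based blocking at all
    negated, names = rule_subjects(rule)
    if negated:
        return "root" not in names  # '!root' excludes root from the rule
    return "*" in names or "root" in names


def audit(text):
    """Return a list of human-readable findings for the given pam_abl.conf text."""
    conf = parse_conf(text)
    findings = []
    if root_can_be_locked_out(conf):
        findings.append(
            "root is subject to user_rule and not in user_whitelist: "
            "repeated bad root passwords will lock out legitimate root logins"
        )
    users = PLACEHOLDER_USERS & set(split_list(conf.get("user_whitelist", "")))
    if users:
        findings.append(f"user_whitelist still contains placeholder users: {sorted(users)}")
    hosts = PLACEHOLDER_HOSTS & set(split_list(conf.get("host_whitelist", "")))
    if hosts:
        findings.append(f"host_whitelist still contains placeholder hosts: {sorted(hosts)}")
    return findings


if __name__ == "__main__":
    for label, sample in (("weak default", WEAK_DEFAULT_CONF), ("safer", SAFER_CONF)):
        print(f"[{label}] {audit(sample) or 'no findings'}")
```

Running the script against a real file is a matter of `audit(open("/etc/security/pam_abl.conf").read())`; the constructed weak sample yields all three findings and the safer one yields none.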

Comment 1 Eric Smith 2013-07-20 23:22:31 UTC
Sorry, I didn't notice that because I don't use a default configuration.  I'll build a new package with the old default configuration.

Comment 2 Fedora Update System 2013-09-21 16:36:09 UTC
pam_abl-0.6.0-2.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/pam_abl-0.6.0-2.fc20

Comment 3 Fedora Update System 2013-09-21 16:42:49 UTC
pam_abl-0.6.0-2.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/pam_abl-0.6.0-2.fc19

Comment 4 Fedora Update System 2013-09-21 19:41:15 UTC
Package pam_abl-0.6.0-2.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing pam_abl-0.6.0-2.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-17342/pam_abl-0.6.0-2.fc20
then log in and leave karma (feedback).

Comment 5 Petr Tuma 2013-09-22 17:10:42 UTC
Apparently fixed, the config file now looks reasonable.

Thank you! Petr

Comment 6 Fedora Update System 2013-10-01 01:52:52 UTC
pam_abl-0.6.0-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2013-10-01 02:04:26 UTC
pam_abl-0.6.0-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.