Bug 1011894 - pam_tally2.so increasing failure counter even when auth was
pam_tally2.so increasing failure counter even when auth was
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: pam (Show other bugs)
x86_64 Linux
unspecified Severity high
: rc
: ---
Assigned To: Tomas Mraz
BaseOS QE Security Team
Depends On:
  Show dependency treegraph
Reported: 2013-09-25 06:56 EDT by Alexey Moiseev
Modified: 2013-09-25 07:08 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-09-25 07:08:31 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Alexey Moiseev 2013-09-25 06:56:07 EDT
Description of problem:
pam_tally2 increasing failure counter even if login was successful.
So i case if I set deny=3 to sshd pam configuration I'll be able
to login via ssh only 3 times and then will got error the following
"Account locked due to 4 failed logins"

Version-Release number of selected component (if applicable):
Kernel: 2.6.32-279.el6.x86_64

How reproducible:
Create a new user and configure pam settings for sshd 
to deny after 3 fail logins. Them configure ssh to use
ChallengeResponseAuthentication. Use this user to connect
via ssh from other box.

Steps to Reproduce:
1. Create user username

2. Modify /etc/pam.d/sshd by adding following line: 
auth required pam_tally2.so deny=3 unlock_time=600 
instead of 
auth required pam_sepermit.so

3. Modify /etc/ssh/sshd_config set 
PasswordAuthentication yes 
ChallengeResponseAuthentication yes

4. Restart sshd by following command:
service sshd restart

5. Check counter status using command:
pam_tally2 -u username

6. Connect to rhel mashine using user
username: ssh username@<ip address>
and enter correct password.

7. Repeat step 5. 

8. Repeat Steps 6 and 7 4 times.

Actual results:
After step 7 we got failure counter increased by 1.
After step 8 (make 4 connections) you'll got the following error message:
"Account locked due to 4 failed logins"

Expected results:
Fail counter should not be increased on successful login. 

Additional info:
Comment 2 Tomas Mraz 2013-09-25 07:08:31 EDT
Add pam_tally2 also to the account as sshd does not call the pam_setcred in the same process as authentication.

Note You need to log in before you can comment on or make changes to this bug.