Bug 1148042 - [RFE] pam_faillock: Allow argument of 'unlock_time' option to have a meaning of lock the account forever / till manual intervention from system administrator
Summary: [RFE] pam_faillock: Allow argument of 'unlock_time' option to have a meaning ...
Keywords:
Status: CLOSED DUPLICATE of bug 1273373
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pam
Version: 7.2
Hardware: All
OS: All
medium
medium
Target Milestone: rc
: ---
Assignee: Tomas Mraz
QA Contact: BaseOS QE Security Team
URL: https://github.com/OpenSCAP/scap-secu...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-09-30 14:53 UTC by Jan Lieskovsky
Modified: 2015-12-14 09:52 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-14 09:52:14 UTC


Attachments (Terms of Use)

Description Jan Lieskovsky 2014-09-30 14:53:15 UTC
Description of problem:

This issue has been raised within:
  https://github.com/OpenSCAP/scap-security-guide/issues/135#issuecomment-57103951

when trying to implement RHEL7 STIG: CCI-002238 rule. pam_faillock PAM module has option 'unlock_time' to specify how long time (in seconds) the account in question should be locked, till it's unlocked again. The maximum / upper border of allowed time specification is one week --

rpmbuild/BUILD/Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c:

  70 #define MAX_TIME_INTERVAL 604800 /* 7 days */

Since RHEL7 STIG: CCI-002238 requires the account to be locked till manually unlocked by system administrator, it's not possible (right now) to implement this rule via pam_faillock module.

Therefore it would be nice if some special value (e.g. zero / 0) would be also accepted to instruct pam_faillock that the account in question shouldn't be unlocked till not performed manually by administrator.

Version-Release number of selected component (if applicable):
pam-1.1.8-9.el7

How reproducible:
Always

Steps to Reproduce:
1. Use pam_faillock and try to configure it to require account not to be unlocked till explicitly manually done by system administrator

Actual results:
Maximum allowed value is '604800', e.g. one week.

Expected results:
Maximum allowed value should be "forever" (till not unlocked by sysadmin).

Additional info:
Maybe the value of zero(0) could be used for this case for the case of user account of unprivileged user. This option / value should be forbidden for privileged / root account case.

Comment 3 redigd 2015-12-11 19:42:22 UTC
I need to second this request.  It is a total show stopper for my company.  We have tried to drop back to pam_tally2 but are having issues with systemd/polkit/X/gdm integration issues.

Comment 4 Tomas Mraz 2015-12-14 09:52:14 UTC

*** This bug has been marked as a duplicate of bug 1273373 ***


Note You need to log in before you can comment on or make changes to this bug.