Summary: SSH public key authentication resets faillock counter of a locked user on RHEL-7

Description of problem:
SSH public key authentication resets faillock counter of a locked user on RHEL-7

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux 7.4
pam-1.1.8-18.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1) Set up a system with the "pam_faillock" module to lock out a user after invalid logins.

Server1
-----------------
# cat /etc/pam.d/password-auth
auth required pam_env.so
auth required pam_faildelay.so delay=1000000
auth required pam_faillock.so preauth silent deny=3 fail_interval=900 unlock_time=600
auth sufficient pam_unix.so nullok try_first_pass
#auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_faillock.so authfail audit deny=3 fail_interval=900 unlock_time=600
auth [success=1 default=ignore] pam_localuser.so
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_faillock.so
account required pam_unix.so no_pass_expiry
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password required pam_unix.so sha512 shadow nullok try_first_pass use_authtok
#password sufficient pam_sss.so use_authtok
password sufficient pam_rootok.so
password required pam_echo.so file=/opt/cntdb/data/onends_password_change_deny_msg
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_umask.so umask=0027
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0027
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session [success=1 default=ignore] pam_localuser.so
session optional pam_sss.so
---------------

2) Now ssh from another system with invalid attempts; the user gets locked:

System1
------------------
$ ssh testuser@Server1
Password:
Password:
Password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).

Server1
-----------------
# faillock --user testuser
testuser:
When                Type  Source                                           Valid
2018-05-16 17:36:22 RHOST 10.76.1.137                                      V
2018-05-16 17:36:24 RHOST 10.76.1.137                                      V
2018-05-16 17:36:28 RHOST 10.76.1.137                                      V

3) Now authenticate the same user using a public key from another host; the faillock counter is cleared and the user lockout is removed.

System2
------------------
# ssh testuser@Server1
Last failed login: Wed May 16 17:36:29 IST 2018 from 10.76.1.137 on ssh:notty
There were 3 failed login attempts since the last successful login.
Last login: Wed May 16 17:35:04 2018 from 10.74.133.178
Type:QuickVM:BaseOS
$

Server1
-----------------
# faillock --user testuser
testuser:
When                Type  Source                                           Valid

Actual results:
Faillock counts are cleared with ssh public key authentication.

Expected results:
Faillock counts should not be cleared with ssh public key authentication.

Additional info:
Why is the faillock counter reset? This is not noticed with pam_tally2 on RHEL-6.
This works as designed. The faillock counter is reset in the account stack by the:

account required pam_faillock.so

There is another example in the pam_faillock manual page which does not put pam_faillock into the account stack. If PAM is configured according to this example, it will work fine (in the sense that the faillock entries will not be reset) with regard to SSH public key authentication.
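Added illustration (editor's example; not part of the bug report, Red Hat's reply, or the pam_faillock manual): a small shell script that embeds a trimmed copy of the reporter's stack next to a constructed auth-only variant in the shape of the auth-only example the maintainer refers to, and a check that reports, for any PAM config text, whether a public-key login will clear the counter. The reasoning it encodes: sshd does not run the auth stack for publickey logins, only the account and session stacks, so the counter is cleared by a key login exactly when pam_faillock.so appears in the account phase. The auth-only stack below is the editor's reconstruction for password-auth, not lines copied from the manual page; both configs and the inputs are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the bug report: decide from a PAM stack whether an
# SSH public-key login will clear a user's pam_faillock records.
#
# sshd never runs the "auth" stack for publickey logins (there is no password
# for PAM to check); it still runs the "account" and "session" stacks.  So a
# key login clears the counter exactly when pam_faillock.so sits in the
# account stack, which is the line the maintainer points at above.

# Constructed, trimmed copy of the reporter's stack (pam_sss/pam_localuser
# lines dropped): pam_faillock.so is in the account phase, so a key login
# clears the counter.
PAM_ACCOUNT_RESET='
auth     required      pam_env.so
auth     required      pam_faillock.so preauth silent deny=3 fail_interval=900 unlock_time=600
auth     sufficient    pam_unix.so nullok try_first_pass
auth     required      pam_faillock.so authfail audit deny=3 fail_interval=900 unlock_time=600
auth     required      pam_deny.so
account  required      pam_faillock.so
account  required      pam_unix.so
'

# Constructed auth-only variant in the shape of the auth-only example in
# pam_faillock(8): the counter is checked and cleared by "authsucc" inside
# the auth stack, and pam_faillock.so is absent from the account stack.
# "sufficient pam_unix.so" would end the stack before authsucc ran, so it is
# changed to [success=1 default=bad] to skip the authfail line on success.
# A successful password login still clears the counter (via authsucc); a
# public-key login never touches it.
PAM_AUTH_ONLY='
auth     required      pam_env.so
auth     required      pam_faillock.so preauth silent deny=3 fail_interval=900 unlock_time=600
auth     [success=1 default=bad] pam_unix.so nullok try_first_pass
auth     [default=die] pam_faillock.so authfail audit deny=3 fail_interval=900 unlock_time=600
auth     sufficient    pam_faillock.so authsucc audit deny=3 fail_interval=900 unlock_time=600
auth     required      pam_deny.so
# no pam_faillock.so here: the account phase must not clear the records
account  required      pam_unix.so
'

# pubkey_login_effect CONFIG_TEXT -> prints "reset" or "keep".
# Comment and blank lines are skipped; the "-account" optional-module prefix
# is accepted; the module may be a bare name or an absolute path.
pubkey_login_effect() {
    if printf '%s\n' "$1" \
        | grep -Ev '^[[:space:]]*(#|$)' \
        | awk '$1 == "account" || $1 == "-account"' \
        | grep -q 'pam_faillock\.so'; then
        echo reset
    else
        echo keep
    fi
}

# Audit real files when given (on RHEL 7 sshd's account stack includes
# /etc/pam.d/password-auth); otherwise report on the two embedded stacks.
if [ $# -eq 0 ]; then
    printf 'account-stack faillock (reporter): key login will %s the counter\n' \
        "$(pubkey_login_effect "$PAM_ACCOUNT_RESET")"
    printf 'auth-only faillock (manual shape): key login will %s the counter\n' \
        "$(pubkey_login_effect "$PAM_AUTH_ONLY")"
else
    for f in "$@"; do
        printf '%s: key login will %s the counter\n' "$f" \
            "$(pubkey_login_effect "$(cat "$f")")"
    done
fi
```

Run it with no arguments to see the verdict for the two embedded stacks, or point it at /etc/pam.d/password-auth and /etc/pam.d/system-auth on a host. Two caveats: the check reads only the file it is given and does not follow include or substack directives, so check every file sshd's account stack pulls in; and the auth-only layout is a trade-off, not a free fix: a successful password login still clears the counter through authsucc, so locked-out users are not stuck for longer than unlock_time, but anything else that skips the auth stack (GSSAPI logins, for example) also stops clearing it.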