Bug 1583146 - SSH public key authentication resets faillock counter of a locked user on RHEL-7
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pam
Version: 7.4
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Tomas Mraz
QA Contact: BaseOS QE Security Team
Depends On:
Reported: 2018-05-28 10:08 UTC by Vinay Mishra
Modified: 2018-05-28 11:26 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-05-28 11:26:38 UTC
Target Upstream Version:


Description Vinay Mishra 2018-05-28 10:08:37 UTC
Summary: SSH public key authentication resets faillock counter of a locked user on RHEL-7

Description of problem:
SSH public key authentication resets faillock counter of a locked user on RHEL-7

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux 7.4

How reproducible:

Steps to Reproduce:

1) Set up a system with the "pam_faillock" module to lock out the user after invalid logins.

# cat /etc/pam.d/password-auth
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=1000000
auth        required      pam_faillock.so preauth silent deny=3 fail_interval=900 unlock_time=600
auth        sufficient    pam_unix.so nullok try_first_pass
#auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_faillock.so authfail audit deny=3 fail_interval=900 unlock_time=600
auth [success=1 default=ignore] pam_localuser.so
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_faillock.so
account     required      pam_unix.so no_pass_expiry
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    required    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
#password   sufficient    pam_sss.so use_authtok
password    sufficient   pam_rootok.so
password    required    pam_echo.so file=/opt/cntdb/data/onends_password_change_deny_msg
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_umask.so umask=0027
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0027
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     [success=1 default=ignore] pam_localuser.so
session     optional      pam_sss.so

2) Now ssh from another system with invalid attempts; the user gets locked:

$ ssh testuser@Server1
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).

# faillock --user testuser
When                Type  Source                                           Valid
2018-05-16 17:36:22 RHOST                                          V
2018-05-16 17:36:24 RHOST                                          V
2018-05-16 17:36:28 RHOST                                          V

3) Now authenticate the same user using a public key from another host; the faillock counter is cleared and the user lockout is removed.

# ssh testuser@Server1
Last failed login: Wed May 16 17:36:29 IST 2018 from on ssh:notty
There were 3 failed login attempts since the last successful login.
Last login: Wed May 16 17:35:04 2018 from

# faillock --user testuser
When                Type  Source                                           Valid

Actual results:
Faillock counts are cleared with ssh public key authentication.
Expected results:
Faillock counts should not be cleared with ssh public key authentication.

Additional info:
Why is the faillock counter reset? This is not noticed with pam_tally2 on RHEL-6.

Comment 2 Tomas Mraz 2018-05-28 11:26:38 UTC
This works as designed. The faillock counter is reset in the account stack by the:

account     required      pam_faillock.so

There is another example in the pam_faillock manual page which does not put pam_faillock into the account stack. If PAM is configured according to this example, it will work fine (in the sense that the faillock entries will not be reset) with regard to SSH public key authentication.
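The mechanism behind the comment above: sshd public key authentication never runs the PAM auth stack, but it does run the account stack, so a reset placed in `account` fires on every successful login while a reset done via `authsucc` in `auth` only fires after a password-style authentication. The audit function below (an added example, not Red Hat's or the reporter's code; the function name and both sample files are constructed) reports which of the two layouts a PAM stack file uses.

```shell
# faillock_reset_stage FILE
# Prints "account" if pam_faillock sits in the account stack (its tally is
# reset by any login that runs the account stack, including sshd public key),
# "auth" if the reset happens only via authsucc in the auth stack, or
# "none" if pam_faillock never resets the tally. Hypothetical helper.
faillock_reset_stage() {
    if grep -Eq '^[[:space:]]*-?account[[:space:]].*pam_faillock\.so' "$1"; then
        echo account
    elif grep -Eq '^[[:space:]]*-?auth[[:space:]].*pam_faillock\.so.*authsucc' "$1"; then
        echo auth
    else
        echo none
    fi
}

tmp=$(mktemp -d)

# Constructed sample 1: the reporter's layout, reset lives in the account stack.
cat > "$tmp/reset-in-account" <<'EOF'
auth     required      pam_faillock.so preauth silent deny=3 unlock_time=600
auth     sufficient    pam_unix.so try_first_pass
auth     required      pam_faillock.so authfail audit deny=3 unlock_time=600
auth     required      pam_deny.so
account  required      pam_faillock.so
account  required      pam_unix.so
EOF

# Constructed sample 2: layout in the spirit of the second pam_faillock(8)
# example, resetting only through authsucc inside the auth stack.
cat > "$tmp/reset-in-auth" <<'EOF'
auth     [success=1 default=bad] pam_unix.so
auth     [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
auth     sufficient    pam_faillock.so authsucc deny=3 unlock_time=600
auth     required      pam_deny.so
account  required      pam_unix.so
EOF

faillock_reset_stage "$tmp/reset-in-account"   # prints: account
faillock_reset_stage "$tmp/reset-in-auth"      # prints: auth
```

Run it against /etc/pam.d/password-auth and /etc/pam.d/system-auth to see which behaviour a host has; "account" means a public key login clears an existing lockout.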
