Bug 161573 - When pam_tally is used, a valid authentication through sudo still generates a failed login for faillog
Status: CLOSED DUPLICATE of bug 144893
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: sudo
Version: 4.0
Platform: i386 Linux
Priority: medium
Severity: medium
Assigned To: Karel Zak
QA Contact: Ben Levenson
Keywords: Security
Reported: 2005-06-24 11:34 EDT by Shawn M. Jones
Modified: 2007-11-30 17:07 EST
Last Closed: 2005-07-12 05:21:08 EDT
Doc Type: Bug Fix
Attachments: None
Description Shawn M. Jones 2005-06-24 11:34:09 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050523 CentOS/1.0.4-1.4.1.centos4 Firefox/1.0.4

Description of problem:
When the following lines are placed at the beginning of /etc/pam.d/system-auth:
auth        required      /lib/security/$ISA/pam_tally.so no_magic_root
account     required      /lib/security/$ISA/pam_tally.so no_magic_root deny=3

any valid password exchange via sudo still generates a failed login message in /var/log/messages

Jun 24 11:13:49 ids-atf sudo(pam_unix)[14651]: authentication failure; logname=smjones uid=0 euid=0 tty=pts/0 ruser= rhost=  user=smjones

And faillog generates the following output:
Username   Failures  Maximum  Latest
smjones           1        0  Fri Jun 24 11:13:46 -0400 2005 on pts/0

The command issued to sudo DOES execute successfully.

All of this occurs only when the user is asked to type their password for sudo.  Subsequent uses of sudo do not generate more authentication failures until the password information times out.

Version-Release number of selected component (if applicable):
sudo-1.6.7p5-30.1

How reproducible:
Always

Steps to Reproduce:
1.  Place the lines
auth        required      /lib/security/$ISA/pam_tally.so no_magic_root
account     required      /lib/security/$ISA/pam_tally.so no_magic_root deny=3

at the top of /etc/pam.d/system-auth

2.  Create the file /var/log/faillog.

3.  Logged in as a user that is configured in /etc/sudoers to use commands via sudo, execute a command like so:
# sudo ls

4.  Type in your valid password and watch the command successfully execute.

5.  Check /var/log/messages and note an entry like the following:

Jun 24 11:13:49 ids-atf sudo(pam_unix)[14651]: authentication failure; logname=smjones uid=0 euid=0 tty=pts/0 ruser= rhost=  user=smjones

6.  Run the faillog command and note output like the following:

Username   Failures  Maximum  Latest
smjones           1        0  Fri Jun 24 11:13:46 -0400 2005 on pts/0

7.  If the end user executes enough commands validly with sudo, pam_tally will prevent them from logging in.

Actual Results:  An authentication failure is logged by either pam or sudo when sudo successfully and correctly authenticates the user.  Enough uses of sudo will make pam_tally effectively lock the account out until the faillog is cleared.

After authenticating via sudo, /var/log/messages contains a message like the following:

Jun 24 11:13:49 ids-atf sudo(pam_unix)[14651]: authentication failure; logname=smjones uid=0 euid=0 tty=pts/0 ruser= rhost=  user=smjones

Also, the faillog command generates output like the following:

Username   Failures  Maximum  Latest
smjones           1        0  Fri Jun 24 11:13:46 -0400 2005 on pts/0

Expected Results:  A successful and correct authentication via sudo should not generate an authentication failure via pam.  The user should not be put into the faillog.

Additional info:
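As an added example (not part of this report, of sudo or of PAM), the following script separates the two kinds of sudo-logged pam_unix authentication failures in a constructed /var/log/messages excerpt: a failure that is followed within a few seconds by the same user's sudo COMMAND line is the spurious kind this report describes (the command ran, yet faillog gained a count), while a failure with no command following is a genuine one. The COMMAND line format, the second user and the timestamps are constructed sample data, not taken from the report.

```python
import re
from datetime import datetime

# Constructed sample /var/log/messages excerpt (not from the report). The first pair
# mirrors the report's sequence: a pam_unix failure logged by sudo, then the COMMAND
# line sudo logs when the command actually runs. The last two lines are genuine
# failures for a constructed user "bob": no command follows either of them.
SAMPLE_LOG = """\
Jun 24 11:13:49 ids-atf sudo(pam_unix)[14651]: authentication failure; logname=smjones uid=0 euid=0 tty=pts/0 ruser= rhost=  user=smjones
Jun 24 11:13:49 ids-atf sudo:  smjones : TTY=pts/0 ; PWD=/home/smjones ; USER=root ; COMMAND=/bin/ls
Jun 24 11:20:02 ids-atf sudo(pam_unix)[14702]: authentication failure; logname=bob uid=0 euid=0 tty=pts/1 ruser= rhost=  user=bob
Jun 24 11:20:30 ids-atf sudo(pam_unix)[14710]: authentication failure; logname=bob uid=0 euid=0 tty=pts/1 ruser= rhost=  user=bob
"""

# \buser= avoids matching the empty "ruser=" field that precedes the real user name.
FAIL_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sudo\(pam_unix\)\[\d+\]: "
                     r"authentication failure;.*\buser=(\S+)")
CMD_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sudo: +(\S+) : .*COMMAND=")


def _ts(stamp, year):
    # syslog timestamps carry no year; the caller supplies it (2005 for this report).
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def classify_sudo_failures(log_text, window_sec=5, year=2005):
    """Return {user: {"spurious": n, "genuine": m}} for sudo pam_unix failures.

    A failure is "spurious" when the same user's sudo COMMAND line follows within
    window_sec seconds (the command ran, so the tally increment was undeserved);
    otherwise it is counted as genuine."""
    failures, commands = [], []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            failures.append((_ts(m.group(1), year), m.group(2)))
            continue
        m = CMD_RE.match(line)
        if m:
            commands.append((_ts(m.group(1), year), m.group(2)))
    result = {}
    for t, user in failures:
        entry = result.setdefault(user, {"spurious": 0, "genuine": 0})
        followed = any(u == user and 0 <= (ct - t).total_seconds() <= window_sec
                       for ct, u in commands)
        entry["spurious" if followed else "genuine"] += 1
    return result


if __name__ == "__main__":
    for user, counts in classify_sudo_failures(SAMPLE_LOG).items():
        print(user, counts)  # spurious counts are the ones worth clearing from faillog
```

Users whose counts are all spurious can have their faillog entry reset with `faillog -r -u <user>` once the PAM stack is corrected.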
Comment 1 Shawn M. Jones 2005-06-24 11:36:05 EDT
Oh, also, pam's version is as follows:
pam-0.77-66.5
Comment 2 Karel Zak 2005-07-12 05:21:08 EDT

*** This bug has been marked as a duplicate of 144893 ***
