Bug 1618429
| Field | Value |
|---|---|
| Summary: | pam_faillock does not record fail lock attempts for users with UID less than 1000 |
| Product: | Red Hat Enterprise Linux 7 |
| Reporter: | Patrick Dung <patdung100+redhat> |
| Component: | authconfig |
| Assignee: | Pavel Březina <pbrezina> |
| Status: | CLOSED WONTFIX |
| QA Contact: | Filip Dvorak <fdvorak> |
| Severity: | medium |
| Priority: | high |
| Version: | 7.5 |
| CC: | cilmar, pkis, rbsparihar6, tmraz |
| Target Milestone: | rc |
| Keywords: | Reopened |
| Target Release: | --- |
| Flags: | cilmar: needinfo- |
| Hardware: | x86_64 |
| OS: | Linux |
| Doc Type: | If docs needed, set a value |
| Story Points: | --- |
| Last Closed: | 2020-03-10 16:13:54 UTC |
| Type: | Bug |
| Regression: | --- |
| Mount Type: | --- |
Description
Patrick Dung
2018-08-16 15:40:05 UTC
After OS is installed, the faillock is enabled by: # authconfig --enablefaillock --faillockargs="deny=2 fail_interval=99999 unlock_time=0" --update Below is a diff of the original pam.d and the pam.d after the authconfig is run. # diff --no-dereference -u pam.d.orig pam.d diff --no-dereference -u pam.d.orig/fingerprint-auth-ac pam.d/fingerprint-auth-ac --- pam.d.orig/fingerprint-auth-ac 2018-07-02 22:54:46.359968708 +0800 +++ pam.d/fingerprint-auth-ac 2018-08-16 23:19:28.505729541 +0800 @@ -2,9 +2,12 @@ # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so +auth required pam_faillock.so preauth silent deny=2 fail_interval=99999 unlock_time=0 auth sufficient pam_fprintd.so +auth required pam_faillock.so authfail deny=2 fail_interval=99999 unlock_time=0 auth required pam_deny.so +account required pam_faillock.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet diff --no-dereference -u pam.d.orig/password-auth-ac pam.d/password-auth-ac --- pam.d.orig/password-auth-ac 2018-07-02 22:54:46.351968708 +0800 +++ pam.d/password-auth-ac 2018-08-16 23:19:28.490729542 +0800 @@ -3,10 +3,12 @@ # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth required pam_faildelay.so delay=2000000 +auth required pam_faillock.so preauth silent deny=2 fail_interval=99999 unlock_time=0 auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth required pam_deny.so +account required pam_faillock.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet 
@@ -15,6 +17,7 @@ password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok +auth required pam_faillock.so authfail deny=2 fail_interval=99999 unlock_time=0 password required pam_deny.so diff --no-dereference -u pam.d.orig/smartcard-auth-ac pam.d/smartcard-auth-ac --- pam.d.orig/smartcard-auth-ac 2018-07-02 22:54:46.366968708 +0800 +++ pam.d/smartcard-auth-ac 2018-08-16 23:19:28.523729540 +0800 @@ -2,9 +2,12 @@ # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so +auth required pam_faillock.so preauth silent deny=2 fail_interval=99999 unlock_time=0 auth [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card +auth required pam_faillock.so authfail deny=2 fail_interval=99999 unlock_time=0 auth required pam_deny.so +account required pam_faillock.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet diff --no-dereference -u pam.d.orig/system-auth-ac pam.d/system-auth-ac --- pam.d.orig/system-auth-ac 2018-07-02 22:54:46.333968710 +0800 +++ pam.d/system-auth-ac 2018-08-16 23:19:28.460729544 +0800 @@ -3,10 +3,13 @@ # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth required pam_faildelay.so delay=2000000 +auth required pam_faillock.so preauth silent deny=2 fail_interval=99999 unlock_time=0 auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success +auth required pam_faillock.so authfail deny=2 fail_interval=99999 unlock_time=0 auth required pam_deny.so +account required pam_faillock.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet Created attachment 1476445 [details]
The files for /etc/pam.d, after authconfig is run to enable faillock.
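Review bot: In the password-auth-ac hunk at @@ -3,10 +3,12 @@ the preauth line is added before pam_unix.so, but no matching `auth required pam_faillock.so authfail ...` line is added after `auth sufficient pam_unix.so nullok try_first_pass`; that line only turns up in the file's second hunk, among the password lines. PAM assembles the auth stack from every `auth` line in file order, and `auth requisite pam_succeed_if.so uid >= 1000 quiet_success` ends the stack immediately on failure, so a tally line placed anywhere after that gate is never reached for a UID < 1000 user. Insert the authfail line in this hunk, directly after the pam_unix.so line and before the requisite pam_succeed_if.so line.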
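Review bot: In the password-auth-ac hunk at @@ -15,6 +17,7 @@ an `auth` line is inserted between `password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok` and `password required pam_deny.so`. Since the module type is taken from the first field, this line still joins the auth stack, but as its last entry, after `auth required pam_deny.so`; it is reached for UID >= 1000 only because pam_deny.so is `required` rather than `requisite`, and never for UID < 1000 because the requisite pam_succeed_if.so line aborts first. Drop it from this hunk and put it in the auth section right after pam_unix.so.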
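Review bot: In the system-auth-ac hunk at @@ -3,10 +3,13 @@ the authfail line is placed after `auth requisite pam_succeed_if.so uid >= 1000 quiet_success`. A failing requisite module returns at once, so for the UID < 1000 accounts named in the report (postgres, mysql) a wrong password never reaches `pam_faillock.so authfail` and no tally is written. Move that line to directly after `auth sufficient pam_unix.so nullok try_first_pass`, which is where the fingerprint-auth-ac and smartcard-auth-ac hunks already place it relative to their authentication module.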
Accounts like postgres and mysql are set up under UID < 1000. Failed password login attempts would not be recorded.

This looks like an authconfig bug. The auth required pam_faillock.so authfail deny=2 fail_interval=99999 unlock_time=0 is at a completely wrong place in password-auth-ac. And even in system-auth-ac it is placed after the auth requisite pam_succeed_if.so uid >= 1000 quiet_success line, which causes this problem.

Faillock support in authconfig does not work correctly, there is a bug: https://bugzilla.redhat.com/show_bug.cgi?id=1485490

This does not really seem to be a duplicate though. I'm proposing this to 7.7 as we are out of scope for 7.6.

Authconfig has been replaced by Authselect in RHEL 8, therefore only critical issues that have no workaround available will be fixed. Closing as won't fix.

Please help if there is any workaround for RHEL 7.5? faillock is not working. Current configuration:

[root@node1 ~]# vi /etc/pam.d/system-auth

```
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        required      pam_faillock.so preauth silent deny=4 unlock_time=100
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail deny=4 unlock_time=100
auth        required      pam_faillock.so authsucc deny=4 unlock_time=100
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
#auth       required      pam_faillock.so authfail deny=4 unlock_time=100
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass retry=8 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
```

===============================================

[root@node1 ~]# vi /etc/pam.d/password-auth

```
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        required      pam_faillock.so preauth silent deny=4 unlock_time=100
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail deny=4 unlock_time=100
auth        required      pam_faillock.so authsucc deny=4 unlock_time=100
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass retry=8 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
auth        required      pam_faillock.so authfail deny=4 unlock_time=100
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
```

Rb, to work around it you need to change your auth section like this:

For system-auth:

```
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        required      pam_faillock.so preauth silent deny=4 unlock_time=100
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_faillock.so authfail deny=4 unlock_time=100
auth        required      pam_deny.so
```

For password-auth:

```
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        required      pam_faillock.so preauth silent deny=4 unlock_time=100
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_faillock.so authfail deny=4 unlock_time=100
auth        required      pam_deny.so
```

Created attachment 1657917 [details]
All pam directory
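As an added example, not part of this bug report or of authconfig, here is a POSIX shell function that lints a PAM service file for the ordering problem discussed above: it walks the file's auth lines in file order and reports whether the pam_faillock.so authfail line can be reached for a UID < 1000 user, i.e. whether it precedes any requisite pam_succeed_if.so uid >= 1000 gate. The sample inputs are constructed from the stacks quoted in this bug (the authconfig output from the description and the workaround from the last comment); the function name and temporary file names are my own choice.

```shell
#!/bin/sh
# Added example (not from the bug report or authconfig): lint a PAM service
# file for the pam_faillock ordering bug discussed in this bug.
#
# PAM semantics the check relies on:
#  * the auth stack is built from every line whose first field is "auth"
#    (or "-auth"), in file order, however those lines are interleaved with
#    account/password/session lines;
#  * a failing "requisite" line ends the stack immediately.
# Hence "auth ... pam_faillock.so authfail" only records a failure for a
# UID < 1000 user if no "auth requisite pam_succeed_if.so uid >= 1000" line
# precedes it in the file.

# check_faillock_order FILE
#   prints a verdict; returns 0 when failures are recorded for every UID,
#   1 when the file has the bug.
check_faillock_order() {
    awk '
        $1 == "auth" || $1 == "-auth" {
            n++
            # modules are matched on the whole line because bracketed
            # controls such as [success=done default=die] contain spaces
            if (!authfail && $0 ~ /pam_faillock\.so/ && $0 ~ /authfail/) authfail = n
            if (!gate && $2 == "requisite" && $0 ~ /pam_succeed_if\.so/ && $0 ~ /uid *>= *1000/) gate = n
        }
        END {
            if (!authfail) {
                print FILENAME ": FAIL: no pam_faillock.so authfail line in the auth stack"
                exit 1
            }
            if (gate && gate < authfail) {
                print FILENAME ": FAIL: authfail is auth line " authfail " but requisite pam_succeed_if uid >= 1000 is auth line " gate "; failures for UID < 1000 are never recorded"
                exit 1
            }
            print FILENAME ": OK: pam_faillock.so authfail is reachable for every UID"
            exit 0
        }' "$1"
}

# Constructed samples, written to temporary files so the function is used
# exactly as it would be on a real /etc/pam.d file.
BROKEN_SYSTEM_AUTH=$(mktemp)
BROKEN_PASSWORD_AUTH=$(mktemp)
FIXED_SYSTEM_AUTH=$(mktemp)
trap 'rm -f "$BROKEN_SYSTEM_AUTH" "$BROKEN_PASSWORD_AUTH" "$FIXED_SYSTEM_AUTH"' EXIT

# system-auth-ac as authconfig --enablefaillock produced it in the report:
# authfail sits after the requisite uid >= 1000 gate.
cat > "$BROKEN_SYSTEM_AUTH" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        required      pam_faillock.so preauth silent deny=2 fail_interval=99999 unlock_time=0
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_faillock.so authfail deny=2 fail_interval=99999 unlock_time=0
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
EOF

# password-auth-ac from the report: the authfail line landed among the
# password lines, i.e. at the very end of the auth stack.
cat > "$BROKEN_PASSWORD_AUTH" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        required      pam_faillock.so preauth silent deny=2 fail_interval=99999 unlock_time=0
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
auth        required      pam_faillock.so authfail deny=2 fail_interval=99999 unlock_time=0
password    required      pam_deny.so
EOF

# The workaround from the last comment: authfail directly after pam_unix.so.
cat > "$FIXED_SYSTEM_AUTH" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        required      pam_faillock.so preauth silent deny=4 unlock_time=100
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_faillock.so authfail deny=4 unlock_time=100
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
EOF

# Stand-alone run: report on all three samples. In a script the exit status
# is what matters, e.g.: check_faillock_order /etc/pam.d/password-auth
check_faillock_order "$BROKEN_SYSTEM_AUTH"   || true
check_faillock_order "$BROKEN_PASSWORD_AUTH" || true
check_faillock_order "$FIXED_SYSTEM_AUTH"    || true
```

Run it against /etc/pam.d/system-auth and /etc/pam.d/password-auth after applying the workaround. Then confirm on the host itself: enter a wrong password for a UID < 1000 account and list its tally with `faillock --user <name>`; `faillock --user <name> --reset` clears it again.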