Bug 1886659 - ssh public key authentication bypass faillock (RHEL 8.2)
Summary: ssh public key authentication bypass faillock (RHEL 8.2)
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pam
Version: 8.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Iker Pedrosa
QA Contact: sssd-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-10-09 04:57 UTC by Kappa
Modified: 2020-10-15 10:33 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-15 10:33:45 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description Kappa 2020-10-09 04:57:55 UTC
Description of problem:

According to BZ 1583146, there are two examples in the manual page where pam_faillock is not in the account stack.

The server was originally configured by `authselect select sssd with-sudo with-faillock`. Then I updated /etc/pam.d/password-auth as below. But ssh public key authentication still logs the account in and resets the faillock status of the account.

auth        required                                     pam_env.so
#auth        required                                     pam_faildelay.so delay=2000000
#auth        required                                     pam_faillock.so preauth silent deny=4 unlock_time=1200
auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
#auth        sufficient                                   pam_unix.so  try_first_pass
auth     [success=1 default=bad] pam_unix.so try_first_pass
auth     [default=die]  pam_faillock.so authfail
auth     sufficient     pam_faillock.so authsucc
auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient                                   pam_sss.so forward_pass
#auth        required                                     pam_faillock.so authfail deny=4 unlock_time=1200
auth        required                                     pam_deny.so

#account     required                                     pam_faillock.so
account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so

password    requisite                                    pam_pwquality.so try_first_pass local_users_only
password    sufficient                                   pam_unix.so sha512 shadow  try_first_pass use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so

Version-Release number of selected component (if applicable):
8.2

Comment 1 Tomas Mraz 2020-10-09 06:53:49 UTC
With your configuration above the reset should not really happen on public key authentication. Are you really sure that the configuration was properly applied? I.e. I would recommend restarting sshd before testing it (although strictly speaking it should not be needed, as the configuration is freshly loaded for new authentication sessions).

Comment 2 Kappa 2020-10-09 09:53:03 UTC
I had tested with restarting the OpenSSH service and the result is the same. Here are some logs:

Oct  9 17:41:47 ipa4 root[79753]: # Generated by authselect on Fri Oct  9 12:13:40 2020
Oct  9 17:41:47 ipa4 root[79753]: # Do not modify this file manually.
Oct  9 17:41:47 ipa4 root[79753]:
Oct  9 17:41:47 ipa4 root[79753]: auth        required                                     pam_env.so
Oct  9 17:41:47 ipa4 root[79753]: #auth        required                                     pam_faildelay.so delay=2000000
Oct  9 17:41:47 ipa4 root[79753]: #auth        required                                     pam_faillock.so preauth silent deny=4 unlock_time=1200
Oct  9 17:41:47 ipa4 root[79753]: auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
Oct  9 17:41:47 ipa4 root[79753]: auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
Oct  9 17:41:47 ipa4 root[79753]: #auth        sufficient                                   pam_unix.so  try_first_pass
Oct  9 17:41:47 ipa4 root[79753]: auth     [success=1 default=bad] pam_unix.so try_first_pass
Oct  9 17:41:47 ipa4 root[79753]: auth     [default=die]  pam_faillock.so authfail
Oct  9 17:41:47 ipa4 root[79753]: auth     sufficient     pam_faillock.so authsucc
Oct  9 17:41:47 ipa4 root[79753]: auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
Oct  9 17:41:47 ipa4 root[79753]: auth        sufficient                                   pam_sss.so forward_pass
Oct  9 17:41:47 ipa4 root[79753]: #auth        required                                     pam_faillock.so authfail deny=4 unlock_time=1200
Oct  9 17:41:47 ipa4 root[79753]: auth        required                                     pam_deny.so
Oct  9 17:41:47 ipa4 root[79753]:
Oct  9 17:41:47 ipa4 root[79753]: #account     required                                     pam_faillock.so
Oct  9 17:41:47 ipa4 root[79753]: account     required                                     pam_unix.so
Oct  9 17:41:47 ipa4 root[79753]: account     sufficient                                   pam_localuser.so
Oct  9 17:41:47 ipa4 root[79753]: account     sufficient                                   pam_succeed_if.so uid < 1000 quiet
Oct  9 17:41:47 ipa4 root[79753]: account     [default=bad success=ok user_unknown=ignore] pam_sss.so
Oct  9 17:41:47 ipa4 root[79753]: account     required                                     pam_permit.so
Oct  9 17:41:47 ipa4 root[79753]:
Oct  9 17:41:47 ipa4 root[79753]: password    requisite                                    pam_pwquality.so try_first_pass local_users_only
Oct  9 17:41:47 ipa4 root[79753]: password    sufficient                                   pam_unix.so sha512 shadow  try_first_pass use_authtok
Oct  9 17:41:47 ipa4 root[79753]: password    sufficient                                   pam_sss.so use_authtok
Oct  9 17:41:47 ipa4 root[79753]: password    required                                     pam_deny.so
Oct  9 17:41:47 ipa4 root[79753]:
Oct  9 17:41:47 ipa4 root[79753]: session     optional                                     pam_keyinit.so revoke
Oct  9 17:41:47 ipa4 root[79753]: session     required                                     pam_limits.so
Oct  9 17:41:47 ipa4 root[79753]: -session    optional                                     pam_systemd.so
Oct  9 17:41:47 ipa4 root[79753]: session     optional                                     pam_oddjob_mkhomedir.so umask=0077
Oct  9 17:41:47 ipa4 root[79753]: session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
Oct  9 17:41:47 ipa4 root[79753]: session     required                                     pam_unix.so
Oct  9 17:41:47 ipa4 root[79753]: session     optional                                     pam_sss.so
Oct  9 17:42:02 ipa4 systemd[1]: Stopping OpenSSH server daemon...
Oct  9 17:42:02 ipa4 systemd[1]: Starting system activity accounting tool...
Oct  9 17:42:02 ipa4 systemd[1]: Stopped OpenSSH server daemon.
Oct  9 17:42:02 ipa4 systemd[1]: Stopped target sshd-keygen.target.
Oct  9 17:42:02 ipa4 systemd[1]: Stopping sshd-keygen.target.
Oct  9 17:42:02 ipa4 systemd[1]: Reached target sshd-keygen.target.
Oct  9 17:42:02 ipa4 systemd[1]: Starting OpenSSH server daemon...
Oct  9 17:42:02 ipa4 systemd[1]: Started OpenSSH server daemon.
Oct  9 17:42:02 ipa4 systemd[1]: Started system activity accounting tool.
Oct  9 17:43:01 ipa4 systemd[1]: Starting system activity accounting tool...
Oct  9 17:43:01 ipa4 systemd[1]: Started system activity accounting tool.
Oct  9 17:43:25 ipa4 root[79802]: root:
Oct  9 17:43:25 ipa4 root[79802]: When                Type  Source                                           Valid
Oct  9 17:43:25 ipa4 root[79802]: testaccount:
Oct  9 17:43:25 ipa4 root[79802]: When                Type  Source                                           Valid
Oct  9 17:43:25 ipa4 root[79802]: 2020-10-09 17:41:08 RHOST 10.0.0.1                                        V
Oct  9 17:43:25 ipa4 root[79802]: 2020-10-09 17:42:21 RHOST 10.0.0.1                                        V
Oct  9 17:43:25 ipa4 root[79802]: 2020-10-09 17:42:25 RHOST 10.0.0.1                                        V


Oct  9 17:42:02 ipa4 sshd[1083]: Received signal 15; terminating.
Oct  9 17:42:02 ipa4 sshd[79762]: Server listening on 0.0.0.0 port 22.
Oct  9 17:42:02 ipa4 sshd[79762]: Server listening on :: port 22.
Oct  9 17:42:17 ipa4 sshd[79740]: Connection closed by authenticating user testaccount 10.0.0.1 port 44304 [preauth]
Oct  9 17:42:21 ipa4 unix_chkpwd[79768]: password check failed for user (testaccount)
Oct  9 17:42:21 ipa4 sshd[79767]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1  user=testaccount
Oct  9 17:42:23 ipa4 sshd[79765]: error: PAM: Authentication failure for testaccount from 10.0.0.1
Oct  9 17:42:24 ipa4 sshd[79765]: Connection closed by authenticating user testaccount 10.0.0.1 port 44942 [preauth]
Oct  9 17:42:25 ipa4 unix_chkpwd[79773]: password check failed for user (testaccount)
Oct  9 17:42:25 ipa4 sshd[79772]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1  user=testaccount
Oct  9 17:42:25 ipa4 sshd[79772]: pam_faillock(sshd:auth): Consecutive login failures for user testaccount account temporarily locked
Oct  9 17:42:27 ipa4 sshd[79770]: error: PAM: Authentication failure for testaccount from 10.0.0.1
Oct  9 17:42:29 ipa4 sshd[79770]: Connection closed by authenticating user testaccount 10.0.0.1 port 44978 [preauth]
Oct  9 17:42:33 ipa4 unix_chkpwd[79779]: password check failed for user (testaccount)
Oct  9 17:42:33 ipa4 sshd[79778]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1  user=testaccount
Oct  9 17:42:35 ipa4 sshd[79776]: error: PAM: Authentication failure for testaccount from 10.0.0.1
Oct  9 17:42:35 ipa4 sshd[79776]: Connection closed by authenticating user testaccount 10.0.0.1 port 45020 [preauth]
Oct  9 17:42:59 ipa4 unix_chkpwd[79784]: password check failed for user (testaccount)
Oct  9 17:42:59 ipa4 sshd[79783]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1  user=testaccount
Oct  9 17:43:00 ipa4 sshd[79781]: error: PAM: Authentication failure for testaccount from 10.0.0.1
Oct  9 17:43:01 ipa4 sshd[79781]: Connection closed by authenticating user testaccount 10.0.0.1 port 45252 [preauth]
Oct  9 17:43:02 ipa4 unix_chkpwd[79791]: password check failed for user (testaccount)
Oct  9 17:43:02 ipa4 sshd[79790]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1  user=testaccount
Oct  9 17:43:04 ipa4 sshd[79788]: error: PAM: Authentication failure for testaccount from 10.0.0.1
Oct  9 17:43:04 ipa4 sshd[79788]: Connection closed by authenticating user testaccount 10.0.0.1 port 45278 [preauth]
Oct  9 17:43:09 ipa4 unix_chkpwd[79797]: password check failed for user (testaccount)
Oct  9 17:43:09 ipa4 sshd[79796]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1  user=testaccount
Oct  9 17:43:11 ipa4 sshd[79794]: error: PAM: Authentication failure for testaccount from 10.0.0.1
Oct  9 17:43:35 ipa4 sshd[79806]: Accepted publickey for testaccount from 10.0.0.1 port 45576 ssh2: ED25519 SHA256:12345...........
Oct  9 17:43:35 ipa4 systemd[79812]: pam_unix(systemd-user:session): session opened for user testaccount by (uid=0)
Oct  9 17:43:35 ipa4 sshd[79806]: pam_unix(sshd:session): session opened for user testaccount by (uid=0)

Comment 3 Kappa 2020-10-09 09:53:53 UTC
For comments #1 and #2:

17:41 updated the PAM config (/etc/pam.d/password-auth)
I had piped the config to syslog

During this period, attempted to log in with a wrong password in order to lock the account

17:42:25 testaccount is locked

I did not manually reset the faillock

17:43:35 logged in by ssh public key

Comment 4 Tomas Mraz 2020-10-09 10:08:59 UTC
The log does not show anything wrong. The login by ssh public key is not blocked by faillock. That is by design.

Comment 5 Kappa 2020-10-09 12:02:07 UTC
After I checked #1583146, I thought pam_faillock could lock down an account even if public key authentication is configured.

So, are there other modules or methods for this specific use case?
I searched the web and found the URL below. But this is too technical for me.

https://support.hpe.com/hpesc/public/docDisplay?docId=mmr_kc-0114979

Comment 6 Iker Pedrosa 2020-10-15 08:04:39 UTC
Even if the account has been locked due to a wrong password, this doesn't deny a user authentication when using ssh pubkeys. Moreover, this doesn't make any sense, since the faillock method is there to prevent brute force attacks against a potentially weak user password, and pubkeys are not susceptible to this type of attack.

If you want to lock an account for ssh pubkey authentication you can use: chage -E0 testuser
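
The behaviour this thread documents (a faillock-locked account still logging in with a key, which is by design) can at least be surfaced from the sshd log. The following is an added example, not part of the report or of pam/sshd: it correlates the `pam_faillock(sshd:auth)` lock message with a later `Accepted publickey` for the same user inside the `unlock_time` window (1200 s, from the reporter's config). The log lines are a constructed subset of those posted above, and the year is assumed because syslog omits it.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the syslog lines posted in comment #2.
SAMPLE_LOG = """\
Oct  9 17:42:25 ipa4 sshd[79772]: pam_faillock(sshd:auth): Consecutive login failures for user testaccount account temporarily locked
Oct  9 17:42:33 ipa4 sshd[79778]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.1  user=testaccount
Oct  9 17:43:35 ipa4 sshd[79806]: Accepted publickey for testaccount from 10.0.0.1 port 45576 ssh2: ED25519 SHA256:12345...........
Oct  9 18:10:00 ipa4 sshd[80001]: Accepted publickey for otheruser from 10.0.0.2 port 50000 ssh2: ED25519 SHA256:abcde...........
"""

# syslog prefix: "Mon  D HH:MM:SS host sshd[pid]: "
_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
LOCKED_RE = re.compile(_PREFIX + r"pam_faillock\(sshd:auth\): Consecutive login failures "
                       r"for user (?P<user>\S+) account temporarily locked")
ACCEPTED_RE = re.compile(_PREFIX + r"Accepted publickey for (?P<user>\S+) from (?P<rhost>\S+)")


def parse_ts(ts, year=2020):
    """syslog timestamps carry no year; the report's year is assumed."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def pubkey_logins_on_locked_accounts(log_text, unlock_time=1200):
    """Return (user, rhost, iso_time) for every 'Accepted publickey' that
    occurred while pam_faillock still considered the account locked, i.e.
    within unlock_time seconds of the latest lock message for that user.
    Such logins are legitimate by design but worth reviewing."""
    locked_at = {}   # user -> time of most recent lock message
    findings = []
    for line in log_text.splitlines():
        m = LOCKED_RE.match(line)
        if m:
            locked_at[m["user"]] = parse_ts(m["ts"])
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            when = parse_ts(m["ts"])
            lock = locked_at.get(m["user"])
            if lock is not None and 0 <= (when - lock).total_seconds() < unlock_time:
                findings.append((m["user"], m["rhost"], when.isoformat()))
    return findings


if __name__ == "__main__":
    for user, rhost, when in pubkey_logins_on_locked_accounts(SAMPLE_LOG):
        print(f"{when}: pubkey login for locked account {user} from {rhost}")
```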

Comment 7 Kappa 2020-10-15 10:06:54 UTC
OK, I do not have more questions regarding this problem.
Thanks.

Comment 8 Iker Pedrosa 2020-10-15 10:33:45 UTC
Then, I'm closing it as won't fix.

