Bug 328281 - Pam_tally audit option is defective
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: pam (Show other bugs)
Version: 5.0
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Tomas Mraz
Reported: 2007-10-11 15:58 EDT by Isaac W.
Modified: 2008-05-21 13:27 EDT (History)
Fixed In Version: RHBA-2008-0336
Doc Type: Bug Fix
Last Closed: 2008-05-21 13:27:11 EDT
Description Isaac W. 2007-10-11 15:58:38 EDT
Description of problem:

Using the "audit" option in pam_tally eliminates the ability to lock out non-root users after a set number of failed logins while simultaneously allowing root to login after any number of failed logins.

Version-Release number of selected component (if applicable):

pam-0.99.6.2-3.14.el5

How reproducible:

The following /etc/pam.d/login file will lock out all users, including root, after three failed login attempts.

#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       required     pam_tally.so onerr=fail deny=3 audit
auth       include      system-auth
account    required     pam_nologin.so
account    required     pam_tally.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    optional     pam_keyinit.so force revoke

Actual results:
All users, including root, are locked out after 3+ consecutive failed login attempts.

Expected results:
Root should not be locked out, even after 3+ consecutive failed login attempts.

Additional info:
Removing the "audit" option will give the expected results.
Comment 1 Tomas Mraz 2007-10-11 17:02:39 EDT
Yes, the audit option erroneously activates the even_deny_root option.
Comment 2 Stéphane BERTIN 2007-10-18 10:40:38 EDT
With the same version of PAM, pam-0.99.6.2-3.14.el5, I have different behaviour.

I use the following lines in my system-auth:
auth        sufficient    /lib64/security/pam_unix.so try_first_pass likeauth md5 shadow
auth        required      /lib64/security/pam_tally.so onerr=fail deny=3
auth        required      /lib64/security/pam_deny.so

account     required      /lib64/security/pam_tally.so
account     sufficient    /lib64/security/pam_unix.so
account     required      /lib64/security/pam_deny.so

Failed logins increase the counter like this:
[root@home /tmp]# faillog -a
Login       Failures Maximum Latest                   On
toto       5        0   10/18/07 13:30:23 +0000  pts/1
[root@home /tmp]# pam_tally
User toto  (500)   has 5

But I can still log in! do su ...

Same problem as in the following email:
http://www.redhat.com/archives/rhelv5-list/2007-July/msg00224.html

I also tried the audit option with pam_tally but it didn't lock out any account!!

Can you confirm this BUG?
Remark: on RHEL4.2 pam_tally functions correctly.
Comment 3 Tomas Mraz 2007-10-18 12:31:03 EDT
(In reply to comment #2)
> With the same version of PAM, pam-0.99.6.2-3.14.el5, I have different behaviour.
> 
> I use the following lines in my system-auth:
> auth        sufficient    /lib64/security/pam_unix.so try_first_pass likeauth md5 shadow
> auth        required      /lib64/security/pam_tally.so onerr=fail deny=3
> auth        required      /lib64/security/pam_deny.so
> 
> account     required      /lib64/security/pam_tally.so
> account     sufficient    /lib64/security/pam_unix.so
> account     required      /lib64/security/pam_deny.so

This is a bad configuration.
pam_tally must be placed before pam_unix in the auth section.
Also, it is completely unnecessary to put the full path to the module in the config file.
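Added illustration (not libpam or pam_tally source): a simplified model of a PAM auth stack with required/sufficient controls and of pam_tally's deny check, showing why the ordering in comment 2 never enforces the lockout, why the ordering in comment 3 does, and how root is handled once even_deny_root is on (which, per comment 1, is what the audit option wrongly did). The module behaviour is reduced to: every auth call bumps the count, deny above the limit, reset when the whole stack succeeds.

```python
# Added illustration, not libpam or pam_tally source: a simplified model of a
# PAM "auth" stack with required/sufficient controls and of pam_tally's
# deny / even_deny_root check (bump on every call, deny above the limit).

def pam_unix(user, password_ok, tally):
    return "success" if password_ok else "auth_err"

def pam_deny(user, password_ok, tally):
    return "auth_err"

def make_pam_tally(deny, even_deny_root=False):
    # even_deny_root=True stands in for the misbehaving "audit" option
    # (comment 1: audit erroneously activates even_deny_root).
    def pam_tally(user, password_ok, tally):
        tally[user] = tally.get(user, 0) + 1          # every auth call bumps
        exempt = user == "root" and not even_deny_root
        return "auth_err" if tally[user] > deny and not exempt else "success"
    return pam_tally

def run_auth_stack(stack, user, password_ok, tally):
    """stack: list of (control, module). Returns True when auth succeeds."""
    failed = False
    for control, module in stack:
        rc = module(user, password_ok, tally)
        if control == "required" and rc != "success":
            failed = True                             # keep running, fail overall
        elif control == "sufficient" and rc == "success" and not failed:
            tally.pop(user, None)                     # short-circuit: later modules never run
            return True
    if not failed:
        tally.pop(user, None)
    return not failed

def build_stack(tally_first, deny=3, even_deny_root=False):
    pt = make_pam_tally(deny, even_deny_root)
    if tally_first:   # ordering recommended in comment 3
        return [("required", pt), ("sufficient", pam_unix), ("required", pam_deny)]
    return [("sufficient", pam_unix), ("required", pt), ("required", pam_deny)]  # comment 2

def simulate(stack, user, attempts):
    """attempts: list of bools (password correct?). Returns per-attempt outcomes."""
    tally = {}
    return [run_auth_stack(stack, user, ok, tally) for ok in attempts]

if __name__ == "__main__":
    five_wrong_then_right = [False] * 5 + [True]
    print("tally after sufficient pam_unix:", simulate(build_stack(False), "toto", five_wrong_then_right))
    print("tally first:", simulate(build_stack(True), "toto", five_wrong_then_right))
    print("root, audit bug:", simulate(build_stack(True, even_deny_root=True), "root", five_wrong_then_right))
```

With pam_tally after a sufficient pam_unix, a correct password after five failures still succeeds because pam_tally's auth check is never reached; with pam_tally first the account stays locked.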
Comment 4 Stéphane BERTIN 2007-10-19 04:04:38 EDT
Effectively, it was a stupid mistake due to "sufficient" in the control field.

Thank you.
Comment 5 RHEL Product and Program Management 2007-10-19 16:25:09 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 10 errata-xmlrpc 2008-05-21 13:27:11 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0336.html
