Bug 476219 - pam tally needs to track per user failed attempts
pam tally needs to track per user failed attempts
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: pam (Show other bugs)
All Linux
high Severity medium
: rc
: ---
Assigned To: Tomas Mraz
: FutureFeature
Depends On:
  Show dependency treegraph
Reported: 2008-12-12 10:33 EST by Steve Grubb
Modified: 2012-03-05 11:32 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-03-05 11:32:00 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
pam_tally3 time-based account lockout threshold (52.20 KB, patch)
2010-05-04 14:49 EDT, Ed Sealing
no flags Details | Diff

  None (edit)
Description Steve Grubb 2008-12-12 10:33:00 EST
Description of problem:
pam_tally2 could not meet requirement AC-7 of the NSS-1253:

"The information system enforces a limit of consecutive invalid access
attempts [Assignment: organization-defined number, or a maximum of 3] by a
user during a [Assignment: organization-defined time period, or at least 15
minutes]. The information system automatically [Selection: locks the
account/node for an [Assignment: organization-defined time period at least
10 minutes], delays next login prompt according to [Assignment: organization
defined delay algorithm] when the maximum number of unsuccessful attempts is
exceeded. This control also applies to remote access logon attempts. "

The problem is that pam_tally2 does not keep track of the time duration that
a user has consecutive failed login attempts.
Comment 1 Ed Sealing 2010-05-04 14:49:01 EDT
Created attachment 411370 [details]
pam_tally3 time-based account lockout threshold

Implements pam_tally3.so module. This a feature addition to pam_tally2 which implements a time-based account lockout threshold. After a specified amount of time, the account counter will be reset.
Comment 2 Tomas Mraz 2010-05-05 08:01:18 EDT
The problem with pam_tally3 (and pam_tally2 as well) is that it contains races. Multiple simultaneous log-in attempts will cause false lockouts in case the logins would be succesfull otherwise or in other cases the count of failed attempts might be lower than the actual amount. In case of pam_tally3 that means that sometimes the fail time records might be lost. I am also not too fond of adding a separate module for this.

If the races are deemed not to be serious then we might just add a separate file with the fail time records with fixed record length per user as in the current tallylog file.

If we'd like to at least partially solve the problem with races then a format similar to btmp could be used. This of course brings the problem with potentially slowing the logins as the btmp file grows and creates a problem with the need to rotate the file. The rotation would be complicated because during the rotation the old events could be lost.

The third option perhaps the most accurate one would be to use some kind of database (SQLite?) for storing the data. However this is really heavyweight solution.
Comment 3 Tomas Mraz 2010-12-06 06:25:56 EST
We have pam_faillock now in RHEL-6 which solves the problem of tracking last n-attempts per user and also solves the race problem by using different PAM configuration and different storage of the data.

Note You need to log in before you can comment on or make changes to this bug.