Bug 476219 - pam tally needs to track per user failed attempts
Summary: pam tally needs to track per user failed attempts
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: pam
Version: 5.3
Hardware: All
OS: Linux
Priority: high
Severity: medium
Target Milestone: rc
Assignee: Tomas Mraz
QA Contact: BaseOS QE
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-12-12 15:33 UTC by Steve Grubb
Modified: 2012-03-05 16:32 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-03-05 16:32:00 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
pam_tally3 time-based account lockout threshold (52.20 KB, patch)
2010-05-04 18:49 UTC, Ed Sealing

Description Steve Grubb 2008-12-12 15:33:00 UTC
Description of problem:
pam_tally2 could not meet requirement AC-7 of the NSS-1253:

"The information system enforces a limit of consecutive invalid access
attempts [Assignment: organization-defined number, or a maximum of 3] by a
user during a [Assignment: organization-defined time period, or at least 15
minutes]. The information system automatically [Selection: locks the
account/node for an [Assignment: organization-defined time period at least
10 minutes], delays next login prompt according to [Assignment: organization
defined delay algorithm] when the maximum number of unsuccessful attempts is
exceeded. This control also applies to remote access logon attempts. "

The problem is that pam_tally2 does not keep track of the time duration that
a user has consecutive failed login attempts.

Comment 1 Ed Sealing 2010-05-04 18:49:01 UTC
Created attachment 411370 [details]
pam_tally3 time-based account lockout threshold

Implements pam_tally3.so module. This is a feature addition to pam_tally2 which implements a time-based account lockout threshold. After a specified amount of time, the account counter will be reset.

Comment 2 Tomas Mraz 2010-05-05 12:01:18 UTC
The problem with pam_tally3 (and pam_tally2 as well) is that it contains races. Multiple simultaneous log-in attempts will cause false lockouts in case the logins would be successful otherwise, or in other cases the count of failed attempts might be lower than the actual amount. In case of pam_tally3 that means that sometimes the fail time records might be lost. I am also not too fond of adding a separate module for this.

If the races are deemed not to be serious then we might just add a separate file with the fail time records with fixed record length per user as in the current tallylog file.

If we'd like to at least partially solve the problem with races then a format similar to btmp could be used. This of course brings the problem with potentially slowing the logins as the btmp file grows and creates a problem with the need to rotate the file. The rotation would be complicated because during the rotation the old events could be lost.

The third option, perhaps the most accurate one, would be to use some kind of database (SQLite?) for storing the data. However, this is a really heavyweight solution.
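As an added illustration (not code from this bug, from pam_tally or from pam_faillock), the time-window tally that Comment 2 sketches: per-user failure timestamps in one file, with every read-modify-write done under an exclusive flock so simultaneous logins cannot lose or double-count a record. The AC-7 figures from the description are the defaults, the file format is a constructed JSON layout, and the option names are borrowed from pam_faillock (matching its exact semantics is an assumption).

```python
import fcntl
import json
import os

# AC-7 figures quoted in the report: three consecutive failures within 15 min
# lock the account for at least 10 min. Names borrowed from pam_faillock
# (deny / fail_interval / unlock_time); matching semantics is an assumption.
DENY, FAIL_INTERVAL, UNLOCK_TIME = 3, 15 * 60, 10 * 60


def _locked(stamps, now):
    """Locked while DENY failures are on record and the latest is recent."""
    return len(stamps) >= DENY and now - stamps[-1] < UNLOCK_TIME


class TimedTally:
    """Per-user failure timestamps in one JSON file (constructed format); every
    read-modify-write runs under an exclusive flock(2), so two simultaneous
    logins cannot lose a failure record the way Comment 2 describes."""

    def __init__(self, path):
        self.path = path

    def _update(self, user, now, change):
        fd = os.open(self.path, os.O_RDWR | os.O_CREAT, 0o600)
        try:
            fcntl.flock(fd, fcntl.LOCK_EX)          # serialise all callers
            raw = os.read(fd, 1 << 20)
            data = json.loads(raw) if raw else {}
            # failures older than FAIL_INTERVAL no longer count
            stamps = [t for t in data.get(user, []) if now - t < FAIL_INTERVAL]
            stamps = change(stamps)
            data[user] = stamps
            os.lseek(fd, 0, os.SEEK_SET)
            os.ftruncate(fd, 0)
            os.write(fd, json.dumps(data).encode())
            return _locked(stamps, now)
        finally:
            os.close(fd)                            # also releases the lock

    def record_failure(self, user, now):
        def change(stamps):
            if len(stamps) >= DENY and not _locked(stamps, now):
                stamps = []                         # previous lockout expired
            return stamps + [now]
        return self._update(user, now, change)

    def is_locked(self, user, now):
        return self._update(user, now, lambda stamps: stamps)

    def reset(self, user, now=0):
        return self._update(user, now, lambda stamps: [])   # successful login
```

`record_failure` and `is_locked` both return whether the account is currently locked; a successful login calls `reset`, mirroring pam_tally2's behaviour of clearing the counter.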

Comment 3 Tomas Mraz 2010-12-06 11:25:56 UTC
We have pam_faillock now in RHEL-6 which solves the problem of tracking last n attempts per user and also solves the race problem by using different PAM configuration and different storage of the data.
