Bug 74254 - root account is never locked out by pam_tally
Summary: root account is never locked out by pam_tally
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: pam
Version: 8.0
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Jay Turner
URL: even_deny_root_account not recognized...
Keywords: Security
Depends On:
Reported: 2002-09-18 19:21 UTC by Steve Fox
Modified: 2015-01-08 00:00 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2003-04-22 15:14:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Steve Fox 2002-09-18 19:21:42 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.5 (X11; Linux i686; U;) Gecko/20020809

Description of problem:
The pam_tally docs say that using even_deny_root_account should lock the root
account when the number of invalid password attempts is greater than the set deny limit.
This parameter shows up as an unknown option in /var/log/messages.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Edit /etc/pam.d/system-auth to include these lines:

auth        required      /lib/security/pam_securetty.so
auth        required      /lib/security/pam_nologin.so
auth        required      /lib/security/pam_shells.so
auth        required      /lib/security/pam_pwdb.so
auth        required      /lib/security/pam_tally.so onerr=fail no_magic_root

account     required      /lib/security/pam_tally.so deny=5 reset no_magic_root

2. Try to log in as root from either a 'su' or from the console 6 or more times
with an invalid password.

3. Try logging in again using the proper password. It works?

Actual Results:  I was able to log in even though the root account should have
been locked out.

Expected Results:  root should not be able to log in.

Additional info:

/var/log/messages shows:

Sep 18 11:06:45 iiosb su(pam_unix)[520]: authentication failure;
logname=drfickle uid=506 euid=0 tty= ruser=drfickle rhost=  user=drfickle
Sep 18 11:06:47 iiosb pam_tally[520]: pam_tally: unknown option;


Comment 1 Kjartan Maraas 2003-04-03 08:50:36 UTC
Have you tried the latest pam errata? Does that behave similarly?

Comment 2 Steve Fox 2003-04-22 15:14:05 UTC
It looks like this was a PEBCAK issue. I must have misinterpreted the
documentation. I am now using pam-0.75-46.8.0 and it is working properly.

Here are the relevant sections of /etc/pam.d/system-auth

auth        required      /lib/security/pam_tally.so onerr=fail no_magic_root
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_tally.so deny=5 reset no_magic_root
account     required      /lib/security/pam_unix.so

I had put even_deny_root_account in the auth section instead of account. Using
the above configuration it works as expected.


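The mistake behind this report (a pam_tally account-phase option written into the auth stack, which pam_tally then logs as "unknown option") is easy to catch before the first failed login with a small configuration lint. The script below is an added example for this page; it is not code from the bug report or from Linux-PAM. The option-to-phase tables it uses are an assumption drawn from the pam_tally README of the 0.75 era (the version named in Comment 2) and should be checked against the documentation of whatever version is installed. The two sample system-auth fragments are constructed from the lines quoted in the report: the broken one carries even_deny_root_account on the auth line, as Comment 2 describes, and the fixed one carries it on the account line.

```python
"""Lint a pam.d service file for pam_tally options placed in the wrong
management group (auth vs. account) and report whether root lockout is
configured. Added example for this bug page, not Linux-PAM code."""
from typing import List, Tuple

# ASSUMPTION: per-phase option names per the pam_tally README shipped with
# Linux-PAM 0.75-era releases; verify against the installed version.
PAM_TALLY_AUTH_OPTIONS = {"onerr", "file", "no_magic_root"}
PAM_TALLY_ACCOUNT_OPTIONS = {
    "onerr", "file", "deny", "no_magic_root", "even_deny_root_account",
    "reset", "no_reset", "per_user", "no_lock_time",
}
OPTIONS_BY_PHASE = {
    "auth": PAM_TALLY_AUTH_OPTIONS,
    "account": PAM_TALLY_ACCOUNT_OPTIONS,
}

# Constructed sample: the report's original stack with even_deny_root_account
# mistakenly placed on the auth line (the situation described in Comment 2).
BROKEN_SYSTEM_AUTH = """\
auth        required      /lib/security/pam_securetty.so
auth        required      /lib/security/pam_nologin.so
auth        required      /lib/security/pam_shells.so
auth        required      /lib/security/pam_pwdb.so
auth        required      /lib/security/pam_tally.so onerr=fail no_magic_root even_deny_root_account

account     required      /lib/security/pam_tally.so deny=5 reset no_magic_root
"""

# Constructed sample: the working stack from Comment 2 with
# even_deny_root_account on the account line, where pam_tally accepts it.
FIXED_SYSTEM_AUTH = """\
auth        required      /lib/security/pam_tally.so onerr=fail no_magic_root
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_tally.so deny=5 reset no_magic_root even_deny_root_account
account     required      /lib/security/pam_unix.so
"""


def parse_pam_lines(text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Return (phase, control, module, options) for each non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; a fuller linter would report it
        entries.append((parts[0], parts[1], parts[2], parts[3:]))
    return entries


def lint_pam_tally(text: str) -> List[str]:
    """One finding per pam_tally option that its management group does not accept."""
    findings = []
    for phase, _control, module, options in parse_pam_lines(text):
        if not module.endswith("pam_tally.so"):
            continue
        accepted = OPTIONS_BY_PHASE.get(phase)
        if accepted is None:
            findings.append(f"{phase}: pam_tally.so used in unsupported phase")
            continue
        for opt in options:
            name = opt.split("=", 1)[0]  # strip any =value part
            if name not in accepted:
                findings.append(
                    f"{phase}: pam_tally.so option '{name}' is not an {phase} option"
                )
    return findings


def root_lockout_enabled(text: str) -> bool:
    """True when the account stack has pam_tally with both deny= and
    even_deny_root_account, i.e. root can actually be locked out."""
    for phase, _control, module, options in parse_pam_lines(text):
        if phase == "account" and module.endswith("pam_tally.so"):
            names = {o.split("=", 1)[0] for o in options}
            if "even_deny_root_account" in names and "deny" in names:
                return True
    return False


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_SYSTEM_AUTH), ("fixed", FIXED_SYSTEM_AUTH)):
        print(f"{label}: root lockout enabled = {root_lockout_enabled(cfg)}")
        for finding in lint_pam_tally(cfg):
            print(f"  {finding}")
```

Run against the broken fragment it reports the single misplaced option on the auth line, which is the same condition that produced the "pam_tally: unknown option" message in /var/log/messages; against the fixed fragment it reports nothing and confirms that the account stack can deny root. The check is purely about option placement; it does not verify the tally file or the rest of the stack, and the option tables must be refreshed if a different pam_tally version is in use.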