Bug 74254 - root account is never locked out by pam_tally
Product: Red Hat Linux
Classification: Retired
Component: pam
i386 Linux
medium Severity medium
Assigned To: Nalin Dahyabhai
Jay Turner
even_deny_root_account not recognized...
: Security
Depends On:
Reported: 2002-09-18 15:21 EDT by Steve Fox
Modified: 2015-01-07 19:00 EST (History)

Doc Type: Bug Fix
Last Closed: 2003-04-22 11:14:05 EDT

Attachments: None
Description Steve Fox 2002-09-18 15:21:42 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.5 (X11; Linux i686; U;) Gecko/20020809

Description of problem:
The pam_tally docs say that using even_deny_root_account should lock the root
account when the number of invalid password attempts is greater than the set deny limit.
This parameter shows up as an unknown option in /var/log/messages.

Steps to Reproduce:
1. Edit /etc/pam.d/system-auth to include these lines:

auth        required      /lib/security/pam_securetty.so
auth        required      /lib/security/pam_nologin.so
auth        required      /lib/security/pam_shells.so
auth        required      /lib/security/pam_pwdb.so
auth        required      /lib/security/pam_tally.so onerr=fail no_magic_root

account     required      /lib/security/pam_tally.so deny=5 reset no_magic_root

2. Try to log in as root from either a 'su' or from the console 6 or more times
with an invalid password.

3. Try logging in again using the proper password. It works?

Actual Results:  I was able to log in even though the root account should have
been locked out.

Expected Results:  root should not be able to log in.

Additional info:

/var/log/messages shows:

Sep 18 11:06:45 iiosb su(pam_unix)[520]: authentication failure;
logname=drfickle uid=506 euid=0 tty= ruser=drfickle rhost=  user=drfickle
Sep 18 11:06:47 iiosb pam_tally[520]: pam_tally: unknown option;

Comment 1 Kjartan Maraas 2003-04-03 03:50:36 EST
Have you tried the latest pam errata? Does that behave similarly?
Comment 2 Steve Fox 2003-04-22 11:14:05 EDT
It looks like this was a PEBCAK issue. I must have misinterpreted the
documentation. I am now using pam-0.75-46.8.0 and it is working properly.

Here are the relevant sections of /etc/pam.d/system-auth

auth        required      /lib/security/pam_tally.so onerr=fail no_magic_root
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_tally.so deny=5 reset no_magic_root
account     required      /lib/security/pam_unix.so

I had put even_deny_root_account in the auth section instead of account. Using
the above configuration it works as expected.
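The root cause in Comment 2 is an option placed in the wrong PAM management group: pam_tally only honours even_deny_root_account on its account line, and on the auth line it is simply reported as an unknown option (the message seen in /var/log/messages above). The following script is an added example, not part of this bug report or of the pam project; it lints a pam.d stack for exactly that mistake. The per-phase option lists are taken from the pam_tally manual as I recall it and should be treated as this example's assumptions; the two sample configurations are constructed to mirror the broken and the working stacks on this page.

```python
"""Lint a pam.d stack for the pam_tally root-lockout misconfiguration.

Added example (not from the bug report or from pam). It parses pam.d-style
lines and reports pam_tally options that sit in a phase where pam_tally does
not recognise them, plus an account line that never denies root because
even_deny_root_account is missing.
"""
from dataclasses import dataclass

# Options pam_tally accepts per management group. ASSUMPTION: taken from the
# pam_tally man page; the bug itself only confirms that even_deny_root_account
# belongs to the account phase, not the auth phase.
AUTH_OPTIONS = {"onerr", "file", "no_magic_root"}
ACCOUNT_OPTIONS = {"onerr", "file", "no_magic_root", "deny", "reset",
                   "no_reset", "even_deny_root_account", "per_user",
                   "no_lock_time"}


@dataclass
class PamLine:
    mtype: str     # auth / account / password / session
    control: str   # required / sufficient / requisite / optional
    module: str    # module path or name as written in the file
    args: list     # remaining whitespace-separated module arguments


def parse_pam(text):
    """Parse pam.d lines; comments and blank or malformed lines are skipped."""
    lines = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 3:
            continue
        lines.append(PamLine(parts[0], parts[1], parts[2], parts[3:]))
    return lines


def lint_pam_tally(text):
    """Return a list of human-readable findings (empty list means clean)."""
    findings = []
    tally = [l for l in parse_pam(text)
             if l.module.rsplit("/", 1)[-1].startswith("pam_tally")]

    # 1. Options that pam_tally will log as "unknown option" in this phase.
    for l in tally:
        allowed = AUTH_OPTIONS if l.mtype == "auth" else ACCOUNT_OPTIONS
        for arg in l.args:
            name = arg.split("=", 1)[0]
            if name not in allowed:
                findings.append(
                    f"{l.mtype} pam_tally: option '{name}' is not recognised "
                    f"in this phase (pam_tally logs it as an unknown option)")

    # 2. Without an account line the deny= limit is never enforced at all;
    #    without even_deny_root_account root is exempt from the lockout.
    account = [l for l in tally if l.mtype == "account"]
    if not account:
        findings.append("no account-phase pam_tally line: deny= is never enforced")
    elif not any("even_deny_root_account" in l.args for l in account):
        findings.append("account pam_tally lacks even_deny_root_account: "
                        "root is never locked out")
    return findings


# Constructed sample: the option on the auth line, as in the original report.
BROKEN_CONFIG = """
auth        required      /lib/security/pam_tally.so onerr=fail no_magic_root even_deny_root_account
account     required      /lib/security/pam_tally.so deny=5 reset no_magic_root
"""

# Constructed sample: the option moved to the account line.
FIXED_CONFIG = """
auth        required      /lib/security/pam_tally.so onerr=fail no_magic_root
account     required      /lib/security/pam_tally.so deny=5 reset no_magic_root even_deny_root_account
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"[{label}]")
        for f in lint_pam_tally(cfg) or ["no findings"]:
            print("  " + f)
```

Run it against a real file with `lint_pam_tally(open("/etc/pam.d/system-auth").read())`; the broken sample yields two findings (the unknown auth option and the missing account option), the fixed sample none.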
