Bug 74254 - root account is never locked out by pam_tally
Summary: root account is never locked out by pam_tally
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: pam   
(Show other bugs)
Version: 8.0
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Jay Turner
URL: even_deny_root_account not recognized...
Whiteboard:
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2002-09-18 19:21 UTC by Steve Fox
Modified: 2015-01-08 00:00 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-04-22 15:14:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Steve Fox 2002-09-18 19:21:42 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.5 (X11; Linux i686; U;) Gecko/20020809

Description of problem:
The pam_tally docs say that using even_deny_root_account should lock the root
account even the invalid password attempt is greater than the set deny limit.
This parameter shows up as an unknown option in /var/log/messages

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Edit /etc/pam.d/system-auth to include these lines:

auth        required      /lib/security/pam_securetty.so
auth        required      /lib/security/pam_nologin.so
auth        required      /lib/security/pam_shells.so
auth        required      /lib/security/pam_pwdb.so
auth        required      /lib/security/pam_tally.so onerr=fail no_magic_root
even_deny_root_account

account     required      /lib/security/pam_tally.so deny=5 reset no_magic_root

2. Try to log in as root from either a 'su' or from the console 6 or more times
with an invalid password.

3. Try logging in again using the proper password. It works?
	

Actual Results:  I was able to log in even though the root account should have
been locked out.

Expected Results:  root should not be able to log in.

Additional info:

/var/log/messages shows:

Sep 18 11:06:45 iiosb su(pam_unix)[520]: authentication failure;
logname=drfickle uid=506 euid=0 tty= ruser=drfickle rhost=  user=drfickle
Sep 18 11:06:47 iiosb pam_tally[520]: pam_tally: unknown option;
even_deny_root_account

pam-0.75-40
Comment 1 Kjartan Maraas 2003-04-03 08:50:36 UTC 
Have you tried the latest pam errata? Does that behave similarly?
Comment 2 Steve Fox 2003-04-22 15:14:05 UTC 
It looks like this was a PEBCAK issue. I must have misinterpreted the
documentation. I am now using pam-0.75-46.8.0 and it is working proper.

Here are the relevant sections of /etc/pam.d/system-auth

auth        required      /lib/security/pam_tally.so onerr=fail no_magic_root
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so
                                                                               
                                             
account     required      /lib/security/pam_tally.so deny=5 reset no_magic_root
even_deny_root_account
account     required      /lib/security/pam_unix.so

I had put even_deny_root_account in the auth section instead of account. Using
the above configuration it works as expected.

Thanks.
Note You need to log in before you can comment on or make changes to this bug.