Bug 74254 – root account is never locked out by pam_tally

Bug 74254 - root account is never locked out by pam_tally

Summary:	root account is never locked out by pam_tally

Status:	CLOSED NOTABUG

Aliases:	None

Product:	Red Hat Linux
Classification:	Retired
Component:	pam (Show other bugs)
Sub Component:
Version:	8.0
Hardware:	i386 Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Nalin Dahyabhai
QA Contact:	Jay Turner
Docs Contact:

URL:	even_deny_root_account not recognized...
Whiteboard:
Keywords:	Security

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2002-09-18 15:21 EDT by Steve Fox
Modified:	2015-01-07 19:00 EST (History)
CC List:	2 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2003-04-22 11:14:05 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Steve Fox 2002-09-18 15:21:42 EDT

From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.5 (X11; Linux i686; U;) Gecko/20020809

Description of problem:
The pam_tally docs say that using even_deny_root_account should lock the root
account even the invalid password attempt is greater than the set deny limit.
This parameter shows up as an unknown option in /var/log/messages

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Edit /etc/pam.d/system-auth to include these lines:

auth        required      /lib/security/pam_securetty.so
auth        required      /lib/security/pam_nologin.so
auth        required      /lib/security/pam_shells.so
auth        required      /lib/security/pam_pwdb.so
auth        required      /lib/security/pam_tally.so onerr=fail no_magic_root
even_deny_root_account

account     required      /lib/security/pam_tally.so deny=5 reset no_magic_root

2. Try to log in as root from either a 'su' or from the console 6 or more times
with an invalid password.

3. Try logging in again using the proper password. It works?
	

Actual Results:  I was able to log in even though the root account should have
been locked out.

Expected Results:  root should not be able to log in.

Additional info:

/var/log/messages shows:

Sep 18 11:06:45 iiosb su(pam_unix)[520]: authentication failure;
logname=drfickle uid=506 euid=0 tty= ruser=drfickle rhost=  user=drfickle
Sep 18 11:06:47 iiosb pam_tally[520]: pam_tally: unknown option;
even_deny_root_account

pam-0.75-40

Comment 1 Kjartan Maraas 2003-04-03 03:50:36 EST

Have you tried the latest pam errata? Does that behave similarly?

Comment 2 Steve Fox 2003-04-22 11:14:05 EDT

It looks like this was a PEBCAK issue. I must have misinterpreted the
documentation. I am now using pam-0.75-46.8.0 and it is working proper.

Here are the relevant sections of /etc/pam.d/system-auth

auth        required      /lib/security/pam_tally.so onerr=fail no_magic_root
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so
                                                                               
                                             
account     required      /lib/security/pam_tally.so deny=5 reset no_magic_root
even_deny_root_account
account     required      /lib/security/pam_unix.so

I had put even_deny_root_account in the auth section instead of account. Using
the above configuration it works as expected.

Thanks.

Note You need to log in before you can comment on or make changes to this bug.