Bug 799346 - pam_tally2 lacks ability to prevent accounts from being locked
pam_tally2 lacks ability to prevent accounts from being locked
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: pam (Show other bugs)
All Linux
low Severity low
: rc
: ---
Assigned To: Tomas Mraz
BaseOS QE Security Team
Depends On:
Blocks: 782183 835616
  Show dependency treegraph
Reported: 2012-03-02 09:44 EST by Terry Bowling
Modified: 2013-05-30 16:44 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-04-24 10:21:48 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Terry Bowling 2012-03-02 09:44:34 EST
Description of problem:

With pam_tally2, the faillog command has been deprecated and removed.  However, pam_tally2 and faillock commands lack the ability to PREVENT select accounts from becoming locked after the failed password limit has been reached.

Version-Release number of selected component (if applicable):

faillog command appears to be removed in:
RHEL 6.1, RHEL 5.8, Fedora ?
Errata RHBA-2011:0685-1
BZ 675168

How reproducible:

Add the following lines to the appropriate order in /etc/pam.d/system-auth and /etc/pam.d/login files
	auth        required      pam_tally2.so deny=3 onerr=fail
	account     required      pam_tally2.so

After 3 failed login attempts the local account will be correctly locked.  However, there is no method to prevent select local accounts from being excluded from this rule.

Previously, one could use the faillog -m -1 --user USERNAME to prevent select accounts from becoming locked.  With faillog removed, this functionality is no longer available.
Comment 1 Terry Bowling 2012-03-02 09:48:05 EST
Strategic TAM customer has brought this to our attention as it significantly impacts their Security and Audit processes.

A Google search for (pam_tally2 prevent lockout) will provide multiple links of others running into this issue as well.
Comment 2 Tomas Mraz 2012-03-02 09:57:48 EST
You can at least do it by skipping over the pam_tally2 module for the user with pam_succeed_if.so or pam_listfile.so module - such as:

auth        [success=1 default=ignore] pam_succeed_if.so user in u1:u2:u3
auth        required      pam_tally2.so deny=3 onerr=fail
Comment 3 Terry Bowling 2012-03-02 13:10:10 EST
I have requested the customer to evaluate and test the following options to ensure that it continues to evaluate the pam_ldap requirements as well.

I am not sure it will pass their audit requirements as it is bypassing pam_tally2 and therefore not incrementing failed attempts.  We will see how the customer responds.  Thanks for your feedback.

   1.  add these local accounts to a local group (slm_local_exclusions)
	auth        [success=1 default=ignore] pam_succeed_if.so user ingroup slm_local_exclusions

   2.  add user,host combination to a netgroup (slm_local_exclusions)
	auth        [success=1 default=ignore] pam_succeed_if.so user innetgr slm_local_exclusions

   3.  use a file containing a list of users, one per line:  /etc/pam.d/slm_local_exclusions
	auth        [success=1 default=ignore]  pam_listfile.so item=user sense=allow file=/etc/pam.d/slm_local_exclusions
Comment 7 RHEL Product and Program Management 2012-12-14 01:47:26 EST
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 9 Siddharth Nagar 2013-04-24 10:21:48 EDT
We have a workaround for this. Please re-validate this and re-open if necessary.

Note You need to log in before you can comment on or make changes to this bug.