Bug 799346 - pam_tally2 lacks ability to prevent accounts from being locked
Summary: pam_tally2 lacks ability to prevent accounts from being locked
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: pam
Version: 6.1
Hardware: All
OS: Linux
low
low
Target Milestone: rc
: ---
Assignee: Tomas Mraz
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 782183 835616
TreeView+ depends on / blocked
 
Reported: 2012-03-02 14:44 UTC by Terry Bowling
Modified: 2018-11-29 19:58 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-24 14:21:48 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Terry Bowling 2012-03-02 14:44:34 UTC 
Description of problem:

With pam_tally2, the faillog command has been deprecated and removed.  However, pam_tally2 and faillock commands lack the ability to PREVENT select accounts from becoming locked after the failed password limit has been reached.

Version-Release number of selected component (if applicable):

faillog command appears to be removed in:
RHEL 6.1, RHEL 5.8, Fedora ?
pam-1.1.1-8.el6.src.rpm
Errata RHBA-2011:0685-1
BZ 675168

How reproducible:

Add the following lines to the appropriate order in /etc/pam.d/system-auth and /etc/pam.d/login files
	auth        required      pam_tally2.so deny=3 onerr=fail
	account     required      pam_tally2.so

After 3 failed login attempts the local account will be correctly locked.  However, there is no method to prevent select local accounts from being excluded from this rule.


Previously, one could use the faillog -m -1 --user USERNAME to prevent select accounts from becoming locked.  With faillog removed, this functionality is no longer available.
Comment 1 Terry Bowling 2012-03-02 14:48:05 UTC 
Strategic TAM customer has brought this to our attention as it significantly impacts their Security and Audit processes.

A Google search for (pam_tally2 prevent lockout) will provide multiple links of others running into this issue as well.
Comment 2 Tomas Mraz 2012-03-02 14:57:48 UTC 
You can at least do it by skipping over the pam_tally2 module for the user with pam_succeed_if.so or pam_listfile.so module - such as:

auth        [success=1 default=ignore] pam_succeed_if.so user in u1:u2:u3
auth        required      pam_tally2.so deny=3 onerr=fail
Comment 3 Terry Bowling 2012-03-02 18:10:10 UTC 
I have requested the customer to evaluate and test the following options to ensure that it continues to evaluate the pam_ldap requirements as well.

I am not sure it will pass their audit requirements as it is bypassing pam_tally2 and therefore not incrementing failed attempts.  We will see how the customer responds.  Thanks for your feedback.

   1.  add these local accounts to a local group (slm_local_exclusions)
	auth        [success=1 default=ignore] pam_succeed_if.so user ingroup slm_local_exclusions

   2.  add user,host combination to a netgroup (slm_local_exclusions)
	auth        [success=1 default=ignore] pam_succeed_if.so user innetgr slm_local_exclusions

   3.  use a file containing a list of users, one per line:  /etc/pam.d/slm_local_exclusions
	auth        [success=1 default=ignore]  pam_listfile.so item=user sense=allow file=/etc/pam.d/slm_local_exclusions
Comment 7 RHEL Program Management 2012-12-14 06:47:26 UTC 
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 9 Siddharth Nagar 2013-04-24 14:21:48 UTC 
We have a workaround for this. Please re-validate this and re-open if necessary.
Note You need to log in before you can comment on or make changes to this bug.