Bug 985371 - Default configuration file can make machine inaccessible
Product: Fedora
Classification: Fedora
Component: pam_abl
Platform: All
OS: Linux
Priority: unspecified
Severity: unspecified
Assigned To: Eric Smith
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-07-17 07:09 EDT by Petr Tuma
Modified: 2013-09-30 22:04 EDT
Fixed In Version: pam_abl-0.6.0-2.fc20
Doc Type: Bug Fix
Last Closed: 2013-09-30 21:52:52 EDT
Type: Bug
Attachments: None
Description Petr Tuma 2013-07-17 07:09:12 EDT
Description of problem:

In the current pam_abl package (0.5.0-2.fc19), the /etc/security/pam_abl.conf file whitelists users danta and chris and hosts 1.1.1.* and (which is probably a wrong default too but not seriously so).

In the previous pam_abl package (0.2.3-11.fc18), there was no whitelist, but the root user was excluded from the default user rule.

As a result, a simple upgrade of pam_abl between Fedora 18 and Fedora 19, with pam_abl enabled in the PAM configuration files, will result in a machine that does not have root excluded from the user login block. When somebody tries to guess the root account password, the attempts trigger the auto-block and thus make it impossible for the legitimate root to log in.

The default configuration file should be innocent enough to prevent this from happening. One possible change is to remove the host whitelist line and specify root (only) in the user whitelist line.

Version-Release number of selected component (if applicable):

pam_abl 0.5.0-2

How reproducible:

Always. Especially when upgrading from Fedora 18 to Fedora 19. In Fedora 18, the default config file was reasonable and therefore did not need changing. The upgrade will silently overwrite the config file with a new one with different (and not reasonable) defaults.

Steps to Reproduce:
1. Install pam_abl.
2. Add pam_abl to PAM configuration.
3. Try logging in as root with wrong password several times.

Actual results:

Root user gets blocked from accessing the machine at all.

Expected results:

Root user should be whitelisted (as it was in past versions of pam_abl).

Additional info:

There seem to be other issues with pam_abl under Fedora 19; the underlying database backend sometimes complains about multiple open databases, but that error is not easily reproducible.
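The report above describes two ways a pam_abl.conf can keep root out of the auto-block: excluding root from user_rule (the old default) or listing root in user_whitelist (the fix the reporter proposes). The script below is an added example for checking an installed config after an upgrade; it is not part of the bug report or of the pam_abl package. It assumes the pam_abl.conf key=value syntax as I recall it from pam_abl.conf(5): a leading "!" in user_rule excludes a user, and user_whitelist is a semicolon-separated list. The sample config files it writes are constructed for the self-check and are not the real package defaults.

```shell
#!/bin/sh
# Added example: does this pam_abl.conf still protect root from auto-blocking?
# Assumed syntax (verify against pam_abl.conf(5) on your system):
#   user_rule=!root:10/1h,30/1d      leading "!" excludes a user from the rule
#   user_whitelist=root;alice        semicolon-separated, never-blocked users

# Read the last uncommented value of KEY from FILE, whitespace stripped.
conf_value() {
    key="$1"; conf="$2"
    sed -n -e 's/#.*//' \
           -e "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$conf" \
        | tail -n 1 | tr -d ' \t'
}

# root_protected FILE -> returns 0 if root cannot be auto-blocked, 1 otherwise.
root_protected() {
    rule=$(conf_value user_rule "$1")
    wl=$(conf_value user_whitelist "$1")

    # Assumption: without a user_rule pam_abl does no per-user blocking at all.
    [ -z "$rule" ] && return 0

    # "!root" as a name token (start of list or after "|") excludes root.
    case "|$rule" in
        *"|!root:"*|*"|!root|"*) return 0 ;;
    esac

    # root listed in the whitelist is never blocked.
    case ";$wl;" in
        *";root;"*) return 0 ;;
    esac

    return 1
}

# Write constructed sample configs (NOT the package defaults) into a temp dir
# and print its path, so the check can be exercised offline.
write_samples() {
    dir=$(mktemp -d)
    # Weak: root neither excluded nor whitelisted; guessing root's password
    # a few times locks the legitimate root out.
    cat > "$dir/risky.conf" <<'EOF'
host_db=/var/lib/pam_abl/hosts.db
host_rule=*:10/1h,30/1d
user_db=/var/lib/pam_abl/users.db
user_rule=*:10/1h,30/1d
user_whitelist=danta;chris
EOF
    # Safe, old style: root excluded from the user rule.
    cat > "$dir/safe_rule.conf" <<'EOF'
user_rule=!root:10/1h,30/1d   # trailing comment is ignored
EOF
    # Safe, proposed style: root (only) in the user whitelist.
    cat > "$dir/safe_whitelist.conf" <<'EOF'
user_rule=*:10/1h,30/1d
user_whitelist=root
EOF
    printf '%s\n' "$dir"
}

# Demo against the constructed samples; prints one verdict per file.
demo() {
    d=$(write_samples)
    for f in "$d"/*.conf; do
        if root_protected "$f"; then echo "OK    $f"; else echo "RISKY $f"; fi
    done
    rm -rf "$d"
}

demo
```

To check a live system, run `root_protected /etc/security/pam_abl.conf` after any pam_abl update. Note that RPM replaces a config file on upgrade when the installed copy is byte-identical to the old package's version, which is exactly the situation the reporter describes (the Fedora 18 default needed no local changes), so a reasonable default that was never edited offers no protection against being swapped for a new one.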
Comment 1 Eric Smith 2013-07-20 19:22:31 EDT
Sorry, I didn't notice that because I don't use a default configuration.  I'll build a new package with the old default configuration.
Comment 2 Fedora Update System 2013-09-21 12:36:09 EDT
pam_abl-0.6.0-2.fc20 has been submitted as an update for Fedora 20.
Comment 3 Fedora Update System 2013-09-21 12:42:49 EDT
pam_abl-0.6.0-2.fc19 has been submitted as an update for Fedora 19.
Comment 4 Fedora Update System 2013-09-21 15:41:15 EDT
Package pam_abl-0.6.0-2.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing pam_abl-0.6.0-2.fc20'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 5 Petr Tuma 2013-09-22 13:10:42 EDT
Apparently fixed, the config file now looks reasonable.

Thank you ! Petr
Comment 6 Fedora Update System 2013-09-30 21:52:52 EDT
pam_abl-0.6.0-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2013-09-30 22:04:26 EDT
pam_abl-0.6.0-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
