Red Hat Bugzilla – Bug 985371
Default configuration file can make machine inaccessible
Last modified: 2013-09-30 22:04:26 EDT
Description of problem:
In the current pam_abl package (0.5.0-2.fc19), the /etc/security/pam_abl.conf file whitelists users danta and chris and hosts 1.1.1.* and 184.108.40.206 (which is probably a wrong default too but not seriously so).
In the previous pam_abl package (0.2.3-11.fc18), there was no whitelist, but the root user was excluded from the default user rule.
As a result, a simple upgrade of pam_abl between Fedora 18 and Fedora 19, with pam_abl enabled in the PAM configuration files, will result in a machine that does not have root excluded from the user login block. When somebody tries to guess the root account password, the attempt triggers the auto block and thus makes it impossible for the legitimate root user to log in.
The default configuration file should be innocent enough to prevent this from happening. One possible change is to remove the host whitelist line and specify root (only) in the user whitelist line.
Version-Release number of selected component (if applicable):
Always. Especially when upgrading from Fedora 18 to Fedora 19. In Fedora 18, the default config file was reasonable and therefore did not need changing. Upgrade will silently overwrite the config file with a new one with different (and not reasonable) defaults.
Steps to Reproduce:
1. Install pam_abl.
2. Add pam_abl to PAM configuration.
3. Try logging in as root with wrong password several times.
Root user gets blocked from accessing the machine at all.
Root user should be whitelisted (as it was in past versions of pam_abl).
There seem to be other issues with pam_abl under Fedora 19; the underlying database backend sometimes complains about multiple open databases, but that error is not easily reproducible.
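Added example (not part of the bug report and not pam_abl's own code): a small POSIX shell check that inspects a pam_abl.conf and reports whether root is still exempt from the user blocking rule, either via a `user_whitelist=` entry (the 0.5+ syntax) or via the older `user_rule=!root:...` exclusion. The key names follow pam_abl's documented configuration; the semicolon separator for whitelist entries and the three sample configuration files are assumptions constructed for this example, approximating the defaults the report describes.

```shell
#!/bin/sh
# Added example: verify that a pam_abl.conf exempts root before (re)enabling
# pam_abl after an upgrade. Returns 0 if root is exempt, 1 otherwise.
root_exempt() {
    conf="$1"
    # Case 1 (pam_abl >= 0.5 syntax, separator assumed to be ';' or ','):
    # user_whitelist=root;... lists root explicitly.
    if grep -E '^[[:space:]]*user_whitelist[[:space:]]*=' "$conf" \
        | sed 's/^[^=]*=//; s/[[:space:]]//g' \
        | tr ';,' '\n' \
        | grep -qx 'root'; then
        return 0
    fi
    # Case 2 (older syntax): user_rule=!root:... excludes root from the rule.
    if grep -Eq '^[[:space:]]*user_rule[[:space:]]*=[[:space:]]*!root(:|[[:space:]]|$)' "$conf"; then
        return 0
    fi
    return 1
}

# Constructed approximation of the Fedora 19 (0.5.0-2) default described in
# the report: whitelist names two arbitrary users, root is NOT exempt.
write_fc19_default() {
    cat > "$1" <<'EOF'
host_db=/var/lib/abl/hosts.db
host_purge=2d
host_rule=*:10/1h,30/1d
host_whitelist=1.1.1.*
user_db=/var/lib/abl/users.db
user_purge=2d
user_rule=*:10/1h,30/1d
user_whitelist=danta;chris
EOF
}

# Constructed approximation of the Fedora 18 (0.2.3) default: no whitelist,
# root excluded from the user rule with the "!root" prefix.
write_fc18_default() {
    cat > "$1" <<'EOF'
host_db=/var/lib/abl/hosts.db
host_purge=2d
host_rule=*:10/1h,30/1d
user_db=/var/lib/abl/users.db
user_purge=2d
user_rule=!root:10/1h,30/1d
EOF
}

# Constructed configuration following the fix proposed in the report:
# host whitelist removed, root (only) in the user whitelist.
write_fixed_default() {
    cat > "$1" <<'EOF'
host_db=/var/lib/abl/hosts.db
host_purge=2d
host_rule=*:10/1h,30/1d
user_db=/var/lib/abl/users.db
user_purge=2d
user_rule=*:10/1h,30/1d
user_whitelist=root
EOF
}

# Stand-alone run: report on the three constructed files, then on the live
# config if present.
if [ "${ROOT_EXEMPT_NO_MAIN:-}" = "" ]; then
    tmp=$(mktemp -d)
    write_fc19_default "$tmp/fc19.conf"
    write_fc18_default "$tmp/fc18.conf"
    write_fixed_default "$tmp/fixed.conf"
    for f in "$tmp/fc19.conf" "$tmp/fc18.conf" "$tmp/fixed.conf" /etc/security/pam_abl.conf; do
        [ -r "$f" ] || continue
        if root_exempt "$f"; then
            echo "OK:      root is exempt in $f"
        else
            echo "WARNING: root is NOT exempt in $f (lockout risk)"
        fi
    done
    rm -rf "$tmp"
fi
```

Run the script as-is to see the three constructed cases; on a real host it also reports on /etc/security/pam_abl.conf, which is the check worth doing right after a package upgrade that may have replaced the file.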
Sorry, I didn't notice that because I don't use a default configuration. I'll build a new package with the old default configuration.
pam_abl-0.6.0-2.fc20 has been submitted as an update for Fedora 20.
pam_abl-0.6.0-2.fc19 has been submitted as an update for Fedora 19.
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing pam_abl-0.6.0-2.fc20'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Apparently fixed, the config file now looks reasonable.
Thank you! Petr
pam_abl-0.6.0-2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
pam_abl-0.6.0-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.