[Bug 1966416] [NEW] pam_faillock does not actually deny login after given number of failures
Martin Pitt
1966416 at bugs.launchpad.net
Fri Mar 25 10:57:30 UTC 2022
Public bug reported:
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: libpam-modules 1.4.0-11ubuntu1
I just noticed that Ubuntu 22.04 changed from the old pam_tally2 module
to the more widespread pam_faillock one. \o/
However, locking (denying logins) does not actually seem to work.
According to pam_faillock(8) I changed the config like this:
# diff -u /etc/pam.d/common-auth{.orig,}
--- /etc/pam.d/common-auth.orig 2022-03-25 10:41:29.088000000 +0000
+++ /etc/pam.d/common-auth 2022-03-25 10:48:48.913419254 +0000
@@ -17,11 +17,11 @@
auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
-auth requisite pam_deny.so
+auth [default=die] pam_faillock.so authfail
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
-auth required pam_permit.so
+auth sufficient pam_faillock.so authsucc
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
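Review bot: this hunk leaves the auth stack without an explicit deny at the end: `auth requisite pam_deny.so` and `auth required pam_permit.so` are removed and the last entry is now `auth optional pam_cap.so`, so when `pam_faillock.so authsucc` reports the account as locked, the `sufficient` control ignores that failure and falls through, leaving the final result to whatever the stack defaults to instead of a deliberate refusal. The example in pam_faillock(8) keeps `auth required pam_deny.so` after its `sufficient ... authsucc` line for exactly this case; suggest restoring it, and adding `auth required pam_faillock.so preauth` ahead of `pam_unix.so` (also as in the manpage example) so a locked account is refused before the password is even checked.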
This config works fine on both Debian 11 and Debian testing, and it agrees with the example in the manpage -- so I don't think it's that broken.
Start from a blank slate:
# faillock --user admin --reset
# faillock --user admin
admin:
When Type Source Valid
Now I log in as user "admin" with a wrong password four times (one more
than the default "deny=3", just to make sure):
sshd[3841]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.27.0.2 user=admin
sshd[3841]: Failed password for admin from 172.27.0.2 port 39446 ssh2
After the third time, I even see this in the journal:
sshd[3841]: Failed password for admin from 172.27.0.2 port 39446 ssh2
pam_faillock(sshd:auth): Consecutive login failures for user admin account temporarily locked
Failed password for admin from 172.27.0.2 port 39446 ssh2
But if I then log in with the correct password, it succeeds:
sshd[4492]: Accepted password for admin from 172.27.0.2 port 39450 ssh2
sshd[4492]: pam_unix(sshd:session): session opened for user admin(uid=1000) by (uid=0)
That's buggy -- "admin" should be denied access for ten minutes
("unlock_time = 600" in /etc/security/faillock.conf).
It did record the failed logins alright:
# faillock --user admin
admin:
When Type Source Valid
2022-03-25 10:54:02 RHOST 172.27.0.2 V
2022-03-25 10:54:27 RHOST 172.27.0.2 V
2022-03-25 10:54:30 RHOST 172.27.0.2 V
But the actual denial doesn't seem to work.
** Affects: pam (Ubuntu)
Importance: Undecided
Status: New
** Tags: jammy regression-release
https://bugs.launchpad.net/bugs/1966416
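To check what the faillock records and the journal above should imply, the following added example (not code from the bug report or from the pam project) models pam_faillock's documented tally rule over the output of `faillock --user` and scans journal lines for the symptom the report describes, a successful login within unlock_time of an "account temporarily locked" message. It assumes the defaults from faillock.conf(5) (deny=3, fail_interval=900) and the unlock_time=600 the report cites; the lock-window logic is a simplified model of the module, and both the faillock table and the timestamped journal lines are constructed to mirror the report.

```python
"""Model pam_faillock's lock decision and detect logins that bypass a lock."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Defaults from faillock.conf(5); unlock_time=600 is the value the report cites.
DENY = 3
FAIL_INTERVAL = 900
UNLOCK_TIME = 600

# Constructed sample in the format of `faillock --user admin` from the report.
SAMPLE = """admin:
When                Type  Source                                           Valid
2022-03-25 10:54:02 RHOST 172.27.0.2                                       V
2022-03-25 10:54:27 RHOST 172.27.0.2                                       V
2022-03-25 10:54:30 RHOST 172.27.0.2                                       V
"""

# Constructed journal lines ('YYYY-mm-dd HH:MM:SS message') mirroring the report.
JOURNAL = """2022-03-25 10:54:30 sshd[3841]: Failed password for admin from 172.27.0.2 port 39446 ssh2
2022-03-25 10:54:30 sshd[3841]: pam_faillock(sshd:auth): Consecutive login failures for user admin account temporarily locked
2022-03-25 10:55:10 sshd[4492]: Accepted password for admin from 172.27.0.2 port 39450 ssh2
2022-03-25 10:55:10 sshd[4492]: pam_unix(sshd:session): session opened for user admin(uid=1000) by (uid=0)
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"


@dataclass
class Record:
    when: datetime
    kind: str      # e.g. RHOST
    source: str    # e.g. the remote address
    valid: bool    # 'V' in the Valid column


def parse_faillock(text):
    """Parse the table printed by `faillock --user`; the 'user:' and header lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:  # only record lines have date, time, type, source, valid
            continue
        when = datetime.strptime(parts[0] + " " + parts[1], TS_FMT)
        records.append(Record(when, parts[2], parts[3], parts[4] == "V"))
    return records


def is_locked(records, now, deny=DENY, fail_interval=FAIL_INTERVAL, unlock_time=UNLOCK_TIME):
    """Simplified model of the tally rule: count valid failures within fail_interval
    of the most recent one; the user is locked while that count reaches deny and
    unlock_time has not yet elapsed since the most recent failure.
    Returns (locked, seconds_remaining); -1 means locked until an admin resets."""
    times = sorted(r.when for r in records if r.valid)
    if not times:
        return False, 0
    latest = times[-1]
    window_start = latest - timedelta(seconds=fail_interval)
    tally = sum(1 for t in times if t >= window_start)
    if tally < deny:
        return False, 0
    if unlock_time == 0:
        return True, -1
    remaining = (latest + timedelta(seconds=unlock_time) - now).total_seconds()
    return remaining > 0, max(int(remaining), 0)


def lock_status_at(text, now_str):
    """Convenience wrapper: lock state for faillock output at a given timestamp."""
    return is_locked(parse_faillock(text), datetime.strptime(now_str, TS_FMT))


LOCK_RE = re.compile(r"pam_faillock\(\S+\): Consecutive login failures for user (\S+) account temporarily locked")
ACCEPT_RE = re.compile(r"Accepted \S+ for (\S+) from")


def logins_during_lock(journal, unlock_time=UNLOCK_TIME):
    """Return (user, timestamp) pairs where sshd accepted a login for a user within
    unlock_time seconds of a pam_faillock lock message for that user. On a stack
    that enforces the lock this list is empty; the report's sequence yields one hit."""
    locked_at = {}
    hits = []
    for line in journal.splitlines():
        if len(line) < 20:
            continue
        when, msg = datetime.strptime(line[:19], TS_FMT), line[20:]
        m = LOCK_RE.search(msg)
        if m:
            locked_at[m.group(1)] = when
            continue
        m = ACCEPT_RE.search(msg)
        if m and m.group(1) in locked_at:
            if (when - locked_at[m.group(1)]).total_seconds() < unlock_time:
                hits.append((m.group(1), line[:19]))
    return hits


if __name__ == "__main__":
    print("lock state at 10:55:00:", lock_status_at(SAMPLE, "2022-03-25 10:55:00"))
    print("logins accepted while locked:", logins_during_lock(JOURNAL))
```

Run against the real `faillock --user <name>` output and a timestamped `journalctl -u ssh` extract, the first function says whether the module should currently be refusing the user, and the second flags any "Accepted" line that arrived inside the lock window, which is the evidence the report shows.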