[sudo-users] Sudo on RHEL6 and pam_tally2

Gonzalez, Aliep aliep.gonzalez at rbc.com
Tue Apr 26 09:55:16 EDT 2011


Environment: sudo 1.7.2p2 on RHEL6
Sudoers rules are in LDAP and the system authenticates against LDAP through
sssd.

The pam_tally2 counter gets increased every time a sudo operation that
prompts for a password is performed, even though the supplied password
is the correct one:

[root at ulvuemd6 ~]# uname -a
Linux ulvuemd6 2.6.32-71.el6.x86_64 #1 SMP Wed Sep 1 01:33:01 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux
[root at ulvuemd6 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.0 (Santiago)
[root at ulvuemd6 ~]# pam_tally2 -u qsfshmx
Login Failures Latest failure From
qsfshmx 0
[root at ulvuemd6 ~]# su - qsfshmx
$ sudo -l
[sudo] password for qsfshmx:
Matching Defaults entries for qsfshmx on this host:
always_set_home, env_reset, listpw=always, logfile=/var/log/sudo.log,
logfile=/var/adm/sudo.log, always_set_home

Runas and Command-specific defaults for qsfshmx:


User qsfshmx may run the following commands on this host:
(root) NOPASSWD: ALL, cat /var/log/audit/audit.log, /sbin/aureport,
/sbin/ausearch
(root) NOPASSWD: /usr/bin/cat, /usr/bin/ls, /usr/bin/su -, /bin/su -
$ sudo -l
[sudo] password for qsfshmx:
Matching Defaults entries for qsfshmx on this host:
always_set_home, env_reset, listpw=always, logfile=/var/log/sudo.log,
logfile=/var/adm/sudo.log, always_set_home

Runas and Command-specific defaults for qsfshmx:


User qsfshmx may run the following commands on this host:
(root) NOPASSWD: ALL, cat /var/log/audit/audit.log, /sbin/aureport,
/sbin/ausearch
(root) NOPASSWD: /usr/bin/cat, /usr/bin/ls, /usr/bin/su -, /bin/su -
$ sudo -l
[sudo] password for qsfshmx:
Matching Defaults entries for qsfshmx on this host:
always_set_home, env_reset, listpw=always, logfile=/var/log/sudo.log,
logfile=/var/adm/sudo.log, always_set_home

Runas and Command-specific defaults for qsfshmx:


User qsfshmx may run the following commands on this host:
(root) NOPASSWD: ALL, cat /var/log/audit/audit.log, /sbin/aureport,
/sbin/ausearch
(root) NOPASSWD: /usr/bin/cat, /usr/bin/ls, /usr/bin/su -, /bin/su -
$ exit
[root at ulvuemd6 ~]# pam_tally2 -u qsfshmx
Login Failures Latest failure From
qsfshmx 3 04/25/11 09:22:11 ulvuemd6
You have new mail in /var/spool/mail/root
[root at ulvuemd6 ~]#

Here are the /etc/pam.d sudo and system-auth-ac files:

[root at ulvuemd6 pam.d]# cat system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally2.so deny=5
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_access.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session required pam_mkhomedir.so umask=0022 skel=/etc/skel/
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session sufficient pam_sss.so
session required pam_unix.so
[root at ulvuemd6 pam.d]# cat sudo
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
[root at ulvuemd6 pam.d]# 

I understand the pam_tally2 counter would increase when an incorrect
password is supplied, but why is it increasing when the correct one is
provided? 

Thanks,
-A
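As an added example that is not part of the post, a small lint over the system-auth-ac stack quoted above. pam_tally2's auth component increments the counter on every attempt and only its account component (or setcred) resets it after a successful authentication, so a stack that calls pam_tally2 from auth but never from account, as this one does, can only count up whatever password is entered. The script, its finding texts and the rule it applies (the account entry has to sit above any sufficient account entry, or users matched by that entry skip the reset) are mine, not from the poster or the sudo project.

```python
import re
from collections import defaultdict

# The system-auth-ac stack quoted in the post (e-mail-wrapped entries
# re-joined), embedded here as constructed sample input.
SYSTEM_AUTH_AC = """\
auth required pam_env.so
auth required pam_tally2.so deny=5
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_access.so
account required pam_permit.so
"""

# group, control (plain word or [bracketed] form), module, optional args
LINE_RE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Map each management group to its ordered (control, module, args) entries."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.split("#", 1)[0].strip())  # comments stripped
        if m:
            group, control, module, args = m.groups()
            stacks[group].append((control, module, args.split()))
    return stacks

def check_tally2(text):
    """Return findings on pam_tally2 placement; an empty list means no issue found."""
    stacks = parse_pam(text)
    account = stacks["account"]
    if not any(mod == "pam_tally2.so" for _, mod, _ in stacks["auth"]):
        return []  # nothing is being counted, nothing to reset
    tally_pos = [i for i, (_, mod, _) in enumerate(account) if mod == "pam_tally2.so"]
    if not tally_pos:
        return ["pam_tally2.so bumps the counter in auth but is never called from "
                "account, so a correct password never resets it: add "
                "'account required pam_tally2.so' ahead of the sufficient entries"]
    # A sufficient account entry that succeeds ends the stack, so a reset placed
    # after it is skipped for every user that entry matches.
    first_suff = next((i for i, (ctl, _, _) in enumerate(account) if ctl == "sufficient"), None)
    if first_suff is not None and tally_pos[0] > first_suff:
        return ["account pam_tally2.so comes after a sufficient entry and is skipped "
                "for users that entry matches: move it above them"]
    return []
```

The sudo service file shown above includes account system-auth, so an account entry added there is reached by sudo's account check as well as by login.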