[sudo-users] Sudo on RHEL6 and pam_tally2
Gonzalez, Aliep
aliep.gonzalez at rbc.com
Wed Apr 27 09:52:01 EDT 2011
How does your /etc/pam.d/sudo and /etc/pam.d/system-auth-ac look like?
Mine look like this:
[root@ulvuemd6 pam.d]# cat system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally2.so deny=5
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_access.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel/
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session sufficient pam_sss.so
session required pam_unix.so
[root@ulvuemd6 pam.d]# cat sudo
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
[root@ulvuemd6 pam.d]#
Aside from unlocking the account after 1200 seconds, it looks to me that
pam_tally.so is doing pretty much the same thing on your system and
mine....
-----Original Message-----
From: Todd C. Miller [mailto:Todd.Miller at courtesan.com]
Sent: 2011, April, 27 9:37 AM
To: Gonzalez, Aliep; sudo-users at sudo.ws
Subject: Re: [sudo-users] Sudo on RHEL6 and pam_tally2
On Wed, 27 Apr 2011 09:20:15 EDT, "Todd C. Miller" wrote:
> Newer versions of sudo wait until the command is complete before
> closing the PAM session whereas before sudo would close the session
> and then execute the program. I suspect it is this change that fixed
> pam_tally2.
Hmm, actually, I'm not able to reproduce the problem with sudo 1.7.2p2,
either built from source or via the RHEL6 rpm. The following is using
the RHEL6 rpm with this line in /etc/pam.d/sudo:
auth required pam_tally2.so deny=4 even_deny_root unlock_time=1200
rh6 [~] % sudo -V
Sudo version 1.7.2p2
rh6 [~] % sudo pam_tally2 -u millert
Login Failures Latest failure From
millert 10 04/27/11 09:32:47 rh6
rh6 [~] % sudo -k
rh6 [~] % sudo id
[sudo] password for millert:
Sorry, try again.
[sudo] password for millert:
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
rh6 [~] % sudo pam_tally2 -u millert
Login Failures Latest failure From
millert 11 04/27/11 09:34:05 rh6
rh6 [~] % sudo -k
rh6 [~] % sudo id
[sudo] password for millert:
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
rh6 [~] % sudo pam_tally2 -u millert
Login Failures Latest failure From
millert 11 04/27/11 09:34:05 rh6
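As an added illustration, not part of this thread: a small audit helper that parses PAM stack files like the ones pasted above, expands the "include system-auth" lines from /etc/pam.d/sudo, and checks that pam_tally2 sits in the auth stack before any "sufficient" module (a sufficient pam_unix that succeeds first would return before pam_tally2 is ever consulted). The embedded inputs are copied from the posted system-auth-ac and sudo files, plus a constructed misordered variant for contrast.

```python
import re

# Constructed input: the stacks posted in the thread (system-auth-ac keyed as
# "system-auth", since that is the name the include lines refer to), plus a
# deliberately misordered variant that is NOT from the thread.
PAM_FILES = {
    "sudo": "auth include system-auth\naccount include system-auth\n"
            "session optional pam_keyinit.so revoke\nsession required pam_limits.so\n",
    "system-auth": (
        "#%PAM-1.0\n"
        "auth required pam_env.so\n"
        "auth required pam_tally2.so deny=5\n"
        "auth sufficient pam_unix.so nullok try_first_pass\n"
        "auth requisite pam_succeed_if.so uid >= 500 quiet\n"
        "auth sufficient pam_sss.so use_first_pass\n"
        "auth required pam_deny.so\n"
        "account [default=bad success=ok user_unknown=ignore] pam_sss.so\n"
    ),
    "sudo-misordered": "auth sufficient pam_unix.so try_first_pass\n"
                       "auth required pam_tally2.so deny=5\n",
}

# type, control (bare word or [bracketed ...] form), module, optional args
LINE_RE = re.compile(r"^(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def pam_stack(service, stack_type, files=PAM_FILES, depth=0):
    """Ordered (control, module, args) entries of one stack type, with
    'include' lines replaced by the referenced service's entries."""
    if depth > 8:
        raise ValueError("include nesting too deep (loop?)")
    entries = []
    for raw in files[service].splitlines():
        m = LINE_RE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != stack_type:
            continue
        control, module, args = m.group(2), m.group(3), m.group(4).split()
        if control == "include":
            entries.extend(pam_stack(module, stack_type, files, depth + 1))
        else:
            entries.append((control, module, args))
    return entries

def tally_check(service, files=PAM_FILES):
    """pam_tally2 only counts and denies if the auth stack reaches it, so it
    must precede any 'sufficient' module. Returns (ok, deny_limit, reason)."""
    for control, module, args in pam_stack(service, "auth", files):
        if module == "pam_tally2.so":
            deny = next((int(a[5:]) for a in args if a.startswith("deny=")), None)
            if control not in ("required", "requisite"):
                return False, deny, "pam_tally2 is %s, so its failure does not deny" % control
            return True, deny, "pam_tally2 runs before any sufficient module"
        if control == "sufficient":
            return False, None, "%s is sufficient and precedes pam_tally2" % module
    return False, None, "no pam_tally2 in the auth stack"
```

Running tally_check("sudo") on the posted configuration reports the counter as correctly placed with deny=5; the misordered variant is flagged because pam_unix.so is reached first.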