[sudo-users] Sudo on RHEL6 and pam_tally2

Gonzalez, Aliep aliep.gonzalez at rbc.com
Mon May 2 14:26:54 EDT 2011


Adding the line below in the "account" section of the RHEL6 GA
"system-auth-ac" file (right after the "account     required      pam_unix.so
broken_shadow" line) seems to take care of this issue:

account     required      pam_tally2.so

The pam_tally2 counter does not seem to increase anymore when sudo
prompts for a password and the correct one is entered. It also seems to
properly reset the "pam_tally2" counter (regardless of its previous
value) after the correct password is entered when prompted by sudo;
which is more consistent with the behavior I would expect. According to
the pam_tally2 doc this is an 'optional' entry to use for services that
don't call pam_setcred(3) correctly.

From the pam_tally2 documentation:
 
"ACCOUNT OPTIONS

    Account phase resets attempts counter if the user is not magic root.
    This phase can be used optionally for services which don't call
    pam_setcred(3) correctly or if the reset should be done regardless
    of the failure of the account phase of other modules."

Todd, 

Any chances that for some reason sudo is not calling pam_setcred(3)
properly in this case, or do you think this is more of a pam
configuration issue?

Thanks
-A
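
As an added example, not code from the posters or from the sudo project, the following Python lint checks a pam.d stack for the two pam_tally2 placements the thread turns on: pam_tally2.so ahead of the sufficient pam_unix.so entry in the "auth" phase (so attempts are counted at all), and pam_tally2.so present in the "account" phase (so the counter is reset on a successful sudo authentication even if the service does not reach pam_setcred(3)). It follows "include" directives, assumes the RHEL6 layout where /etc/pam.d/system-auth is a symlink to system-auth-ac, and runs on sample file contents constructed from the configuration quoted in the thread.

```python
"""Lint a pam.d stack for pam_tally2 placement (added example, not sudo's code).

Checks the effective "auth" and "account" stacks of a service after following
"include" directives.  Sample files below are constructed from the RHEL6
configuration quoted in the thread; "system-auth" stands for the symlink to
system-auth-ac that RHEL6 ships.
"""
import re
from typing import Dict, List, NamedTuple


class PamEntry(NamedTuple):
    type: str        # auth, account, password, session
    control: str     # required, sufficient, include, [success=1 default=ignore], ...
    module: str      # pam_unix.so, pam_tally2.so, or the included service name
    args: List[str]


# type, then a bracketed or single-word control field, then the module, then args
_LINE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam_file(text: str) -> List[PamEntry]:
    """Parse one pam.d file; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        ptype, control, module, rest = m.groups()
        # a leading "-" marks a module whose absence is tolerated; not relevant here
        entries.append(PamEntry(ptype.lstrip("-"), control, module, rest.split()))
    return entries


def expand_stack(files: Dict[str, str], service: str, phase: str) -> List[PamEntry]:
    """Effective stack for one phase of a service, with includes resolved in place."""
    stack = []
    for e in parse_pam_file(files[service]):
        if e.type != phase:
            continue
        if e.control in ("include", "substack"):
            stack.extend(expand_stack(files, e.module, phase))
        else:
            stack.append(e)
    return stack


def lint_tally2(files: Dict[str, str], service: str = "sudo") -> List[str]:
    """Return findings about pam_tally2 wiring; an empty list means it looks right."""
    findings = []
    auth = expand_stack(files, service, "auth")
    tally = [i for i, e in enumerate(auth) if e.module == "pam_tally2.so"]
    unix = [i for i, e in enumerate(auth)
            if e.module == "pam_unix.so" and e.control == "sufficient"]
    if not tally:
        findings.append("auth: pam_tally2.so missing, attempts are not counted")
    elif unix and tally[0] > unix[0]:
        findings.append("auth: pam_tally2.so after sufficient pam_unix.so, a good "
                        "password ends the stack before the counter is touched")
    account = expand_stack(files, service, "account")
    if not any(e.module == "pam_tally2.so" for e in account):
        findings.append("account: pam_tally2.so missing, the reset depends solely on "
                        "the service calling pam_setcred(3) correctly")
    return findings


# Constructed from the thread's system-auth-ac (auth and account phases only).
SYSTEM_AUTH_BEFORE = """\
#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_tally2.so deny=5
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_access.so
account     required      pam_permit.so
"""

# The fix from the thread: pam_tally2.so right after pam_unix.so in "account".
SYSTEM_AUTH_AFTER = SYSTEM_AUTH_BEFORE.replace(
    "pam_unix.so broken_shadow\n",
    "pam_unix.so broken_shadow\naccount     required      pam_tally2.so\n")

SUDO = """\
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
"""

if __name__ == "__main__":
    for label, sa in (("before", SYSTEM_AUTH_BEFORE), ("after", SYSTEM_AUTH_AFTER)):
        print(label, lint_tally2({"system-auth": sa, "sudo": SUDO}) or ["ok"])
```

Run as-is it reports the missing "account" entry for the original file and nothing for the fixed one; point `files` at real `/etc/pam.d` contents to lint a live host, remembering that any service file that does not include system-auth needs its own check.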


-----Original Message-----
From: Gonzalez, Aliep 
Sent: 2011, April, 27 9:52 AM
To: 'Todd C. Miller'; sudo-users at sudo.ws
Subject: RE: [sudo-users] Sudo on RHEL6 and pam_tally2


What do your /etc/pam.d/sudo and /etc/pam.d/system-auth-ac look like?

Mine look like this:

[root at ulvuemd6 pam.d]# cat system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally2.so deny=5
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_access.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     required      pam_mkhomedir.so umask=0022 skel=/etc/skel/
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     sufficient    pam_sss.so
session     required      pam_unix.so
[root at ulvuemd6 pam.d]# cat sudo
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
[root at ulvuemd6 pam.d]# 

Aside from unlocking the account after 1200 seconds, it looks to me that
pam_tally.so is doing pretty much the same thing on your system and
mine...


-----Original Message-----
From: Todd C. Miller [mailto:Todd.Miller at courtesan.com]
Sent: 2011, April, 27 9:37 AM
To: Gonzalez, Aliep; sudo-users at sudo.ws
Subject: Re: [sudo-users] Sudo on RHEL6 and pam_tally2

On Wed, 27 Apr 2011 09:20:15 EDT, "Todd C. Miller" wrote:

> Newer versions of sudo wait until the command is complete before 
> closing the PAM session whereas before sudo would close the session 
> and then execute the program.  I suspect it is this change that fixed 
> pam_tally2.

Hmm, actually, I'm not able to reproduce the problem with sudo 1.7.2p2,
either built from source or via the RHEL6 rpm.  The following is using
the RHEL6 rpm with this line in /etc/pam.d/sudo:

auth       required     pam_tally2.so deny=4 even_deny_root unlock_time=1200

rh6 [~] % sudo -V
Sudo version 1.7.2p2

rh6 [~] % sudo pam_tally2 -u millert
Login           Failures Latest failure     From
millert            10    04/27/11 09:32:47  rh6

rh6 [~] % sudo -k

rh6 [~] % sudo id
[sudo] password for millert: 
Sorry, try again.
[sudo] password for millert: 
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

rh6 [~] % sudo pam_tally2 -u millert
Login           Failures Latest failure     From
millert            11    04/27/11 09:34:05  rh6

rh6 [~] % sudo -k

rh6 [~] % sudo id
[sudo] password for millert: 
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

rh6 [~] % sudo pam_tally2 -u millert
Login           Failures Latest failure     From
millert            11    04/27/11 09:34:05  rh6