[sudo-users] Sudo on RHEL6 and pam_tally2
Gonzalez, Aliep
aliep.gonzalez at rbc.com
Mon May 2 14:26:54 EDT 2011
Adding the below line in the "account" section of the "system-auth-ac"
RHEL6 GA file (right after the "account required pam_unix.so
broken_shadow" line) seems to take care of this issue:
account required pam_tally2.so
The pam_tally2 counter does not seem to increase anymore when sudo
prompts for a password and the correct one is entered. It also seems to
properly reset the "pam_tally2" counter (regardless of its previous
value) after the correct password is entered when prompted by sudo;
which is more consistent with the behavior I would expect. According to
the pam_tally2 doc this is an 'optional' entry to use for services that
don't call pam_setcred(3) correctly.
From the pam_tally2 documentation:
"ACCOUNT OPTIONS
Account phase resets attempts counter if the user is not magic root. This phase can be used optionally for services which don't call pam_setcred(3) correctly or if the reset should be done regardless of the failure of the account phase of other modules."
Todd,
Any chances that for some reason sudo is not calling pam_setcred(3)
properly in this case, or do you think this is more of a pam
configuration issue?
Thanks
-A
-----Original Message-----
From: Gonzalez, Aliep
Sent: 2011, April, 27 9:52 AM
To: 'Todd C. Miller'; sudo-users at sudo.ws
Subject: RE: [sudo-users] Sudo on RHEL6 and pam_tally2
What do your /etc/pam.d/sudo and /etc/pam.d/system-auth-ac look like?
Mine look like this:
[root at ulvuemd6 pam.d]# cat system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally2.so deny=5
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_access.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel/
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session sufficient pam_sss.so
session required pam_unix.so
[root at ulvuemd6 pam.d]# cat sudo
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
[root at ulvuemd6 pam.d]#
Aside from unlocking the account after 1200 seconds, it looks to me like
pam_tally.so is doing pretty much the same thing on your system and
mine....
-----Original Message-----
From: Todd C. Miller [mailto:Todd.Miller at courtesan.com]
Sent: 2011, April, 27 9:37 AM
To: Gonzalez, Aliep; sudo-users at sudo.ws
Subject: Re: [sudo-users] Sudo on RHEL6 and pam_tally2
On Wed, 27 Apr 2011 09:20:15 EDT, "Todd C. Miller" wrote:
> Newer versions of sudo wait until the command is complete before
> closing the PAM session whereas before sudo would close the session
> and then execute the program. I suspect it is this change that fixed
> pam_tally2.
Hmm, actually, I'm not able to reproduce the problem with sudo 1.7.2p2,
either built from source or via the RHEL6 rpm. The following is using
the RHEL6 rpm with this line in /etc/pam.d/sudo:
auth required pam_tally2.so deny=4 even_deny_root unlock_time=1200
rh6 [~] % sudo -V
Sudo version 1.7.2p2
rh6 [~] % sudo pam_tally2 -u millert
Login Failures Latest failure From
millert 10 04/27/11 09:32:47 rh6
rh6 [~] % sudo -k
rh6 [~] % sudo id
[sudo] password for millert:
Sorry, try again.
[sudo] password for millert:
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
rh6 [~] % sudo pam_tally2 -u millert
Login Failures Latest failure From
millert 11 04/27/11 09:34:05 rh6
rh6 [~] % sudo -k
rh6 [~] % sudo id
[sudo] password for millert:
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
rh6 [~] % sudo pam_tally2 -u millert
Login Failures Latest failure From
millert 11 04/27/11 09:34:05 rh6
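A small check for the configuration point this thread settles on, added here as an example and not code from any of the posters: it parses a PAM stack and reports whether pam_tally2 counts failures in the auth phase without an account-phase entry to reset the counter. The two sample stacks are constructed in the style of the RHEL6 file quoted above, not copied from it.

```shell
#!/bin/sh
# Added example: flag a PAM stack where pam_tally2 counts failures in the auth
# phase but no account-phase entry resets the counter after a successful sudo.

# Constructed sample in the style of a RHEL6 system-auth-ac (not the poster's file).
SAMPLE_MISSING='#%PAM-1.0
auth required pam_env.so
auth required pam_tally2.so deny=5
auth sufficient pam_unix.so nullok try_first_pass
account required pam_unix.so broken_shadow
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so'

# Same stack with the fix from the thread: pam_tally2 added to the account phase.
SAMPLE_FIXED="$SAMPLE_MISSING
account required pam_tally2.so"

# check_tally2_stack: reads a PAM config on stdin and prints one word:
#   ok        pam_tally2 counts in auth and is reset in account
#   no-reset  auth counts failures, but nothing in account resets them
#   unused    pam_tally2 is not in the auth stack at all
check_tally2_stack() {
    awk '
        substr($1, 1, 1) == "#" || NF < 3 { next }   # skip comments and blank lines
        { type = $1; sub(/^-/, "", type) }           # tolerate the "-auth" optional prefix
        {
            # the control field may be bracketed and span several fields:
            #   account [default=bad success=ok] pam_sss.so
            mod = $3
            if (substr($2, 1, 1) == "[") {
                i = 2
                while (i <= NF && substr($i, length($i), 1) != "]") i++
                mod = $(i + 1)
            }
        }
        type == "auth"    && mod ~ /pam_tally2\.so$/ { in_auth = 1 }
        type == "account" && mod ~ /pam_tally2\.so$/ { in_account = 1 }
        END {
            if (!in_auth) print "unused"
            else if (!in_account) print "no-reset"
            else print "ok"
        }'
}

# Stand-alone demonstration; on a real host: check_tally2_stack < /etc/pam.d/system-auth-ac
printf '%s\n' "$SAMPLE_MISSING" | check_tally2_stack   # no-reset
printf '%s\n' "$SAMPLE_FIXED"   | check_tally2_stack   # ok
```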