[Bug 1927796] Re: [SRU]pam_tally2 can cause accounts to be locked by correct password. pam_faillock use is the recommended fix

Tue, 18 May 2021 12:25:41 -0700 

Tested pam_faillock module for pam on bionic.

Test consisted on setting up pam_faillock with the following
configuration, as described in the man page:

/etc/security/faillock.conf file example:
deny=4
unlock_time=1200
silent

/etc/pam.d/config file example:
auth     required       pam_faillock.so preauth
# optionally use requisite above if you do not want to prompt for the password
# on locked accounts
auth     sufficient     pam_unix.so
auth     [default=die]  pam_faillock.so authfail
auth     required       pam_deny.so
account  required       pam_faillock.so
# if you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures
account  required       pam_unix.so

A new user 'joas' was created and its password set. Then, initially, 4
logins were made through ssh and terminal, using the correct password.
All were successful.

User 'joas' was, then, logged out and 4 attempts to login with incorrect
password were made. Since pam_faillock module was set to lock on the 4th
incorrect attempt, another try was done, this time with the correct
password.

After confirming that the 'joas' account was locked, by trying, with the
correct password, additional times, the superuser account was used to
display the account stats ('faillock --user joas') and then used to
unlock the 'joas' account ('faillock --user joas --reset').

Then, again 4 logins were made using the correct password, in order to
check it was successfully authenticating.

Another test consisted on typing the wrong password 3 times, then typing
the correct one, to make sure the PAM module was properly resetting the
counter.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1927796

Title:
  [SRU]pam_tally2 can cause accounts to be locked by correct password.
  pam_faillock use is the recommended fix

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/1927796/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to