pam_tally2: account can get locked by correct password, simultaneous logins and busy node #71
Comments
Yes, this is a known issue. Unfortunately pam_tally2 design has this limitation. I'd recommend using pam_faillock instead.
@t8m, thanks for the suggestion. Do you know where we can find source code for pam_faillock? Why isn't it in this repository (i.e. not part of official Linux PAM)?
You can find it in source RPMs of Fedora and CentOS PAM packages. The reason is that it was not accepted by other upstream PAM members due to the duplication of functionality with pam_tally and pam_tally2 when I tried to add it here.
I don't remember pam_faillock being discussed upstream, but I might have forgotten.
I could not find the discussion in my mail archive. But I remember it happened. Basically Thorsten requested to merge all these modules into a single codebase, which I refused to do. There was also a request to add pam_faillock to upstream in the original fedorahosted.org PAM tracker by someone. But that site is long gone. The source is also there:
@t8m here is the old thread with the request https://lists.fedorahosted.org/archives/list/pam-developers@lists.fedorahosted.org/thread/QIYGRKVWDHZUBQHOXZT67YJMCOEBDMHK/ I wonder if we should try again to submit a PR to have
I could add it here: https://pagure.io/pam-redhat/tree/master
@t8m that would be really great to add it at https://pagure.io/pam-redhat/tree/master
pam_tally2: account can get locked by correct password: Any solution for this? I am using Ubuntu Linux: Ubuntu 16.04.6 LTS xenial
I have only one suggestion: use pam_faillock instead.
pam_tally2 module was deprecated in 1.4.0 and removed later by commit 709e37b. |
We have a pretty busy system and the requirement to lock an SSH user after 3 incorrect passwords entered, without automatic reset. We configured pam_tally2 for this using the following syntax:
However, we see that a user who provides the correct password can get locked when it has simultaneous logins in progress.
To debug things, we created a script to do SSH logins simultaneously with a given number of threads. With 10 threads, the account gets locked within 30 seconds.
Our understanding is that this problem is an implementation defect of pam_tally2, in the way it handles login attempt counting. Actually, it does not count failed login attempts; instead it counts login attempts which were not confirmed as successful. It can be illustrated by the following steps:
However, since our system is pretty busy (with high consumption of CPU and memory resources), there is a time delay between step 2 and 3. If there are multiple login attempts between step 2 and 3, the counter can grow over the "deny" limit, and further logins will override the resets from step 3, leading to the account getting locked.
Please comment if this is a known issue or if there is a workaround.
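The race described in this report can be reproduced deterministically without a busy node or real SSH sessions. The following model is an added example, not code from the Linux-PAM project or from the reporter: it replays a constructed trace of login events through two counters. `AttemptCounter` follows the scheme the reporter attributes to pam_tally2 (count goes up when an attempt starts, reset only when the login is later confirmed successful), and `FailureCounter` follows the failure-only scheme the thread recommends switching to (pam_faillock). The exact lock threshold (count exceeding `deny`) and the event names are assumptions made for the simulation.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Event trace format (constructed for this example):
#   ("start", sid)  a login with session id `sid` begins and its password is checked
#   ("ok", sid)     that login is later confirmed successful (account/session phase)
#   ("fail", sid)   that login is confirmed failed
Event = Tuple[str, int]


@dataclass
class AttemptCounter:
    """Scheme the reporter attributes to pam_tally2 (assumption): every attempt
    is counted when it starts, and the counter is reset only once the login
    is confirmed successful in a later PAM phase."""
    deny: int
    count: int = 0
    denied: List[int] = field(default_factory=list)

    def apply(self, ev: Event) -> None:
        kind, sid = ev
        if kind == "start":
            self.count += 1
            if self.count > self.deny:      # assumption: lock once count exceeds deny
                self.denied.append(sid)
        elif kind == "ok" and sid not in self.denied:
            self.count = 0                  # reset happens late, after the delay
        # "fail" needs no action: the attempt was already counted at start


@dataclass
class FailureCounter:
    """Failure-only scheme (the pam_faillock approach recommended in the thread):
    only confirmed failures are counted; a confirmed success resets the count."""
    deny: int
    count: int = 0
    denied: List[int] = field(default_factory=list)

    def apply(self, ev: Event) -> None:
        kind, sid = ev
        if kind == "start":
            if self.count >= self.deny:
                self.denied.append(sid)
        elif kind == "ok" and sid not in self.denied:
            self.count = 0
        elif kind == "fail":
            self.count += 1


def run(counter, events: List[Event]) -> List[int]:
    """Replay a trace and return the session ids that were denied."""
    for ev in events:
        counter.apply(ev)
    return counter.denied


def concurrent_correct_logins(n: int) -> List[Event]:
    """n correct-password logins whose starts all land before the first
    confirmation, i.e. the busy-node delay between the reporter's steps 2 and 3."""
    return [("start", i) for i in range(1, n + 1)] + [("ok", i) for i in range(1, n + 1)]


def sequential_correct_logins(n: int) -> List[Event]:
    """The same n logins, each confirmed before the next one starts."""
    events: List[Event] = []
    for i in range(1, n + 1):
        events += [("start", i), ("ok", i)]
    return events


def failures_then_correct(fails: int) -> List[Event]:
    """`fails` wrong passwords followed by one correct login: the case both
    schemes are supposed to lock."""
    events: List[Event] = []
    for i in range(1, fails + 1):
        events += [("start", i), ("fail", i)]
    return events + [("start", fails + 1), ("ok", fails + 1)]


if __name__ == "__main__":
    for name, trace in [("10 concurrent correct logins", concurrent_correct_logins(10)),
                        ("10 sequential correct logins", sequential_correct_logins(10)),
                        ("3 failures then correct login", failures_then_correct(3))]:
        print(name)
        print("  attempt-counted (pam_tally2 model) denied:", run(AttemptCounter(deny=3), trace))
        print("  failure-counted (pam_faillock model) denied:", run(FailureCounter(deny=3), trace))
```

With `deny=3`, the attempt-counted model denies sessions 4 through 10 of the concurrent trace even though every password is correct, while the failure-only model denies none; both models behave identically on the sequential trace (no denial) and on the three-failures trace (the fourth login is denied). This is the distinction the thread is making: the lock policy is the same, but counting at attempt time turns ordinary concurrency on a slow host into a self-inflicted lockout.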