
pam_tally2: account can get locked by correct password, simultaneous logins and busy node #71

Closed
nikolay-t opened this issue Oct 29, 2018 · 11 comments

Comments

@nikolay-t
Copy link

We have a pretty busy system and the requirement to lock an SSH user after 3 incorrect passwords are entered, without automatic reset. We configured pam_tally2 for this using the following syntax:

/etc/pam.d/common-auth:
auth required pam_tally2.so deny=3

However, we see that a user who provides the correct password can get locked when it has simultaneous logins in progress.
To debug this, we created a script to do SSH logins simultaneously with a given number of threads. With 10 threads, the account gets locked within 30 seconds.
Our understanding is that this problem is an implementation defect of pam_tally2, in the way it handles login attempt counting. Actually, it does not count failed login attempts; instead it counts login attempts which were not confirmed as successful. It can be illustrated by the following steps:

  1. SSH user logs in
  2. "pam_tally2" increases internal counter (tally.fail_cnt) on every login in progress (in PAM handler pam_sm_authenticate)
  3. "pam_tally2" resets the counter when system gets back to this module and confirms that user is logged successfully (in PAM handler pam_sm_setcred or pam_sm_acct_mgmt)

However, since our system is pretty busy (with high consumption of CPU and memory resources), there is a time delay between steps 2 and 3. If there are multiple login attempts between steps 2 and 3, the counter can grow over the "deny" limit, and further logins will override the resets from step 3, leading to the account getting locked.

Please comment if this is a known issue or if there is a workaround.
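The counting defect described in this report can be reproduced without a busy node by modelling the two counting strategies side by side. The following is an added example, not code from Linux-PAM, from pam_faillock or from the issue's author: the two classes are simplified models of the behaviour described in the steps above (a counter bumped on every login in progress and zeroed on confirmation, versus a record that only grows on an authentication failure, as a pam_faillock-style preauth/authfail/authsucc flow does), and the login schedules are constructed to show the "all authenticate before any setcred" interleaving that a slow system produces.

```python
"""Simplified model of the pam_tally2 counting defect described in this
issue, next to a failure-only counter in the style of pam_faillock.

Added example; not code from Linux-PAM, pam_faillock or this issue's
author. The classes are models of the behaviour described in the thread,
not the real modules, and the login schedules below are constructed.
"""

DENY = 3  # matches "deny=3" in the issue's common-auth line


class Tally2Model:
    """Counts logins *in progress*: the tally is bumped in
    pam_sm_authenticate before the outcome is known, and only zeroed in
    pam_sm_setcred once the login is confirmed (steps 2 and 3 above)."""

    def __init__(self):
        self.fail_cnt = 0

    def authenticate(self, password_ok):
        self.fail_cnt += 1            # charged whether or not it will succeed
        if self.fail_cnt > DENY:
            return "locked"
        return "ok" if password_ok else "bad_password"

    def setcred(self):
        self.fail_cnt = 0             # the reset only arrives after a delay


class FaillockModel:
    """Records only *failures*: preauth checks the record, authfail adds to
    it, authsucc clears it. A login that is still in progress costs nothing."""

    def __init__(self):
        self.failures = 0

    def authenticate(self, password_ok):
        if self.failures >= DENY:     # preauth: already over the limit
            return "locked"
        if not password_ok:
            self.failures += 1        # authfail: only a real failure counts
        return "ok" if password_ok else "bad_password"

    def setcred(self):
        self.failures = 0             # authsucc: confirmed login clears the record


def run_concurrent(model, n_logins, password_ok=True):
    """Busy-node schedule: all n logins reach pam_sm_authenticate before any
    of them reaches pam_sm_setcred. Returns the per-login outcome."""
    results = [model.authenticate(password_ok) for _ in range(n_logins)]
    for outcome in results:
        if outcome == "ok":
            model.setcred()
    return results


def run_sequential(model, n_logins, password_ok=True):
    """Idle-node schedule: each login completes before the next one starts."""
    results = []
    for _ in range(n_logins):
        outcome = model.authenticate(password_ok)
        if outcome == "ok":
            model.setcred()
        results.append(outcome)
    return results


if __name__ == "__main__":
    for name, factory in (("pam_tally2", Tally2Model), ("pam_faillock", FaillockModel)):
        locked = run_concurrent(factory(), 10).count("locked")
        print(f"{name}: 10 correct logins on a busy node -> {locked} locked out")
        print(f"{name}: 5 wrong passwords on an idle node -> "
              f"{run_sequential(factory(), 5, password_ok=False)}")
```

With the constructed busy-node schedule, the tally-style model locks out 7 of 10 logins that all used the correct password, while the failure-only model locks none; with five wrong passwords in a row both models lock the account from the fourth attempt on, so the failure-only strategy loses nothing of the intended policy.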

@nikolay-t nikolay-t changed the title pam_tally2: can get locked by correct password, simultaneous logins and busy node pam_tally2: account can get locked by correct password, simultaneous logins and busy node Oct 29, 2018
@t8m
Copy link
Member

t8m commented Oct 31, 2018

Yes, this is a known issue. Unfortunately the pam_tally2 design has this limitation. I'd recommend using pam_faillock instead.

@nikolay-t
Copy link
Author

@t8m, thanks for the suggestion. Do you know where we can find source code for pam_faillock? Why isn't it in this repository (i.e. not part of official Linux PAM)?

@t8m
Copy link
Member

t8m commented Oct 31, 2018

You can find it in source RPMs of Fedora and CentOS PAM packages. The reason is that it was not accepted by other upstream PAM members due to the duplication of functionality with pam_tally and pam_tally2 when I tried to add it here.

@ldv-alt
Copy link
Member

ldv-alt commented Oct 31, 2018

I don't remember pam_faillock being discussed upstream, but I might have forgotten.
Could you provide a reference, please?

@t8m
Copy link
Member

t8m commented Oct 31, 2018

I could not find the discussion in my mail archive. But I remember it happened. Basically Thorsten requested to merge all these modules into a single codebase which I refused to do. There was also a request to add pam_faillock to upstream in the original fedorahosted.org PAM tracker by someone. But that site is long gone.

The source is also there:
http://people.redhat.com/tmraz/pam_faillock/

@redhatrises
Copy link

@t8m here is the old thread with the request https://lists.fedorahosted.org/archives/list/pam-developers@lists.fedorahosted.org/thread/QIYGRKVWDHZUBQHOXZT67YJMCOEBDMHK/

I wonder if we should try again to submit a PR to have pam_faillock added upstream?
If not at the very least, an out-of-tree GitHub repo would be nice to modify the code instead of having to deal with modifying the patches.

@t8m
Copy link
Member

t8m commented Nov 12, 2018

I could add it here: https://pagure.io/pam-redhat/tree/master

@redhatrises
Copy link

> I could add it here: https://pagure.io/pam-redhat/tree/master

@t8m that would be really great to add it at https://pagure.io/pam-redhat/tree/master

@HarishdasWorkz
Copy link

pam_tally2: account can get locked by correct password: Any solution for this?

I am using Ubuntu Linux: Ubuntu 16.04.6 LTS xenial

@t8m
Copy link
Member

t8m commented Sep 16, 2019

I have only one suggestion, use pam_faillock instead.

@ldv-alt
Copy link
Member

ldv-alt commented Nov 2, 2020

The pam_tally2 module was deprecated in 1.4.0 and removed later by commit 709e37b.
The pam_faillock module was added in 1.4.0; consider using it instead of pam_tally2.
