I'm currently trying to use pam_faillock to prevent user account password brute-forcing to implement a sort of "sudo rights lockout" function. In essence, if a malicious user gains access to an already logged-in user account with sudo privileges, they should not be able to elevate their privileges to root by brute-forcing the user password locally. The system being configured has numerous commands that can be run as root without a password - these commands are given NOPASSWD exceptions in /etc/sudoers.d. As it turns out, this interacts in a most unfortunate manner - the malicious user attempting to gain root permissions can reset the tally or even unlock the login for that user by using sudo to run any command that has a NOPASSWD exception.
To reproduce:
- In /etc/sudoers.d, create a file called unlocktest and populate it with the following contents:
    user ALL=NOPASSWD: /bin/echo hi
- Configure pam_faillock to lock your user account out after three consecutive failed authentication attempts.
- Open a new terminal (to avoid sudo password caching), then run sudo -i. When prompted for your password, enter the wrong password. Repeat this so you have three failed attempts.
- Run sudo -i again, and enter the right password when prompted. The password will be rejected.
- Run sudo /bin/echo hi. The string hi will be printed to the terminal.
- Run sudo -i again, and enter the right password when prompted. The password will be accepted, demonstrating that the account has been unlocked.
- Close the terminal that you just used to do this, then open a new one.
- Run sudo -i in this terminal, and enter the wrong password once.
- Press Ctrl+C to exit sudo before typing any further passwords, then run sudo /bin/echo hi.
- Repeat the above two steps a few times (I did six repetitions).
- Run sudo -i one last time, and enter the right password. The password will be accepted, demonstrating that the faillock tally is being reset.
I'm not entirely sure how to fix this - does sudo communicate to PAM when authentication succeeds because of a NOPASSWD call? If so, it might be possible to make pam_faillock not reset any tallies or lockouts if authentication succeeds because of NOPASSWD.
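A model of the tally behaviour the post reports, added here as an example (it is not code from the original post or from Linux-PAM). It assumes deny=3, treats a reset as clearing any existing lock (as the post observed), and makes "does a NOPASSWD sudo still reach pam_faillock's reset hook" a parameter rather than a claim about sudo, so the two scenarios from the reproduction steps can be compared under both answers.

```python
# Added example, not from the original post or Linux-PAM: an in-memory model
# of the pam_faillock tally as the post describes it.  Assumptions: deny=3,
# and "reset hook" means pam_faillock's authsucc (or account-stack) entry;
# whether a NOPASSWD sudo reaches that hook is a model parameter, not a fact.

DENY = 3        # assumed pam_faillock deny= value from the post's setup
USER = "user"   # the account named in the post's sudoers entry

class Faillock:
    def __init__(self):
        self.failures = {}   # stand-in for the per-user tally file
    def locked(self, user):
        return self.failures.get(user, 0) >= DENY
    def authfail(self, user):
        self.failures[user] = self.failures.get(user, 0) + 1
    def reset(self, user):
        # Assumed from the post: the reset also clears an existing lock.
        self.failures.pop(user, None)

def sudo_with_password(fl, user, password_ok):
    """sudo that prompts: preauth check, then authfail or the reset hook."""
    if fl.locked(user):  # preauth refuses a locked user before any prompt
        return False
    if not password_ok:
        fl.authfail(user)
        return False
    fl.reset(user)
    return True

def sudo_nopasswd(fl, user, reset_hook_reached):
    """sudo for a NOPASSWD command: no prompt; reset hook is the parameter."""
    if reset_hook_reached:
        fl.reset(user)
    return True

def unlock_scenario(reset_hook_reached):
    """Post's steps 3-6; returns (rejected while locked, accepted afterwards)."""
    fl = Faillock()
    for _ in range(DENY):
        sudo_with_password(fl, USER, password_ok=False)
    rejected = not sudo_with_password(fl, USER, password_ok=True)
    sudo_nopasswd(fl, USER, reset_hook_reached)
    return rejected, sudo_with_password(fl, USER, password_ok=True)

def tally_reset_scenario(reset_hook_reached, repetitions=6):
    """Post's steps 8-11: one wrong password, then a NOPASSWD call, repeated."""
    fl = Faillock()
    for _ in range(repetitions):
        sudo_with_password(fl, USER, password_ok=False)
        sudo_nopasswd(fl, USER, reset_hook_reached)
    return sudo_with_password(fl, USER, password_ok=True)
```

Only when the NOPASSWD path reaches the reset hook does the model reproduce both observations (unlock after the lockout, and no lockout despite six wrong passwords); with the hook unreachable, the lock holds in both scenarios.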