problem adding two different pam entries for same module and type #106

Closed
hdeadman opened this issue May 27, 2014 · 6 comments
Labels
duplicate This issue or pull request already exists

Comments

@hdeadman

In the scap-security-guide package for openscap they have a security recommendation to add the following two lines to /etc/pam.d/system-auth, after the pam_unix.so entry in the auth section:

auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900

I am able to get one entry or the other, but I don't know how to craft a position path that will allow me to add both entries. Below is one of the things I have tried; the entries work individually, but one overwrites the other if I use both. I know this is not an issue so much as a plea for help, but if this is doable, maybe it could make a nice example for the pam provider documentation.

pam { 'Set invalid login 3 times deny in system-auth -fail':
  ensure    => present,
  target    => '/etc/pam.d/system-auth',
  type      => 'auth',
  control   => '[default=die]',
  module    => 'pam_faillock.so',
  arguments => ['authfail','deny=3','unlock_time=604800','fail_interval=900'],
  position  => 'after module pam_unix.so',
}

pam { 'Set invalid login 3 times deny in system-auth - success':
  ensure    => present,
  target    => '/etc/pam.d/system-auth',
  type      => 'auth',
  control   => 'required',
  module    => 'pam_faillock.so',
  arguments => ['authsucc','deny=3','unlock_time=604800','fail_interval=900'],
  position  => "before module pam_succeed.so",
}
@raphink
Member

raphink commented Jun 2, 2014

This is a duplicate of #105

@hdeadman
Author

hdeadman commented Jun 2, 2014

Is this really a duplicate issue? Definitely a different problem although I suppose the fix could apply to both issues.

I tried the latest augeasproviders from git and these two entries overwrite each other even though they have a different key or path in terms of type/control/module. It seems like the unique identifier is being treated as the type/module and the control value is ignored?

@raphink
Member

raphink commented Jun 2, 2014

Sorry, my bad, it is a duplicate of #101, not #105.

@hdeadman
Author

hdeadman commented Jun 3, 2014

I know this was marked a duplicate of a now closed issue, so let me know if I should open a new issue. I tried out the latest augeasproviders (from Git earlier today as downloaded by puppet-librarian) and I am still seeing only one of the two entries I am trying to add with the pam provider using the following config. Is it possible the pam provider just doesn't let you have two entries with the same type and module (but a different control)?

pam { 'Set invalid login 3 times deny in password-auth -fail':
  ensure    => present,
  service   => 'password-auth',
  type      => 'auth',
  control   => '[default=die]',
  module    => 'pam_faillock.so',
  arguments => ['authfail','deny=3','unlock_time=604800','fail_interval=900'],
  position  => 'after *[type="auth" and module="pam_unix.so"]',
}

pam { 'Set invalid login 3 times deny in password-auth -success':
  ensure    => present,
  service   => 'password-auth',
  type      => 'auth',
  control   => 'required',
  module    => 'pam_faillock.so',
  arguments => ['authsucc','deny=3','unlock_time=604800','fail_interval=900'],
  position  => 'before *[type="auth" and module="pam_succeed_if.so"]',
}

I am getting one of the two entries like the following and it is at the end of the password-auth file.

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth    [default=die]   pam_faillock.so authfail        deny=3  unlock_time=604800      fail_interval=900
auth    requisite       pam_succeed_if.so       uid     >=      500     quiet
auth    required        pam_tally.so    deny=3
auth        required     pam_deny.so

If I comment out the first puppet "pam" and run again, then it shows the other entry (see below). At one point I had the position attribute on the entry that wasn't showing up referencing a module/type combination that didn't exist, so the entry was going to the end of the password-auth file and was being overwritten there by the entry that was actually showing up.

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth    required        pam_faillock.so authsucc        deny=3  unlock_time=604800   fail_interval=900
auth    requisite       pam_succeed_if.so       uid     >=      500     quiet
auth    required        pam_tally.so    deny=3
auth        required     pam_deny.so
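As an added example (not code from this thread or from augeasproviders), a small Python check that parses a pam.d auth section and reports whether both pam_faillock lines from the recommendation are present, with the expected arguments, after pam_unix.so. The sample input is constructed from the partial output above, where only the authfail line landed:

```python
import re
from typing import List, Tuple

# A pam.d line is: type  control  module [args...]; the control field may be
# bracketed ("[default=die]") or a bare keyword ("required").
_LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text: str) -> List[Tuple[str, str, str, Tuple[str, ...]]]:
    """Parse pam.d-style content into (type, control, module, args) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            ptype, control, module, rest = m.groups()
            entries.append((ptype, control, module, tuple(rest.split())))
    return entries

# The two faillock lines the recommendation expects after pam_unix.so. Same type and
# module, different control: they are distinct entries and both must be present.
EXPECTED = (("[default=die]", "authfail"), ("required", "authsucc"))
EXPECTED_ARGS = ("deny=3", "unlock_time=604800", "fail_interval=900")

def check_faillock(text: str) -> List[str]:
    """Return findings for the auth section; an empty list means both entries are in place."""
    auth = [e for e in parse_pam(text) if e[0] == "auth"]
    unix_idx = next((i for i, e in enumerate(auth) if e[2] == "pam_unix.so"), None)
    findings = [] if unix_idx is not None else ["no auth pam_unix.so line found"]
    for control, mode in EXPECTED:
        hits = [i for i, (_, ctl, mod, args) in enumerate(auth)
                if mod == "pam_faillock.so" and ctl == control and mode in args]
        if not hits:
            findings.append(f"missing: auth {control} pam_faillock.so {mode}")
            continue
        if unix_idx is not None and hits[0] < unix_idx:
            findings.append(f"{mode} entry must come after pam_unix.so")
        findings += [f"{mode} entry lacks {a}" for a in EXPECTED_ARGS if a not in auth[hits[0]][3]]
    return findings

# Constructed sample reproducing the partial state reported above: only the authfail line landed.
PARTIAL = """\
auth        sufficient    pam_unix.so nullok try_first_pass
auth    [default=die]   pam_faillock.so authfail        deny=3  unlock_time=604800      fail_interval=900
auth    requisite       pam_succeed_if.so       uid     >=      500     quiet
"""

if __name__ == "__main__":
    print(check_faillock(PARTIAL) or "ok: both pam_faillock entries present")
```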

@raphink
Member

raphink commented Jun 4, 2014

Indeed, control is a property, not a parameter, so it is meant to converge for a given combination of service and type. If you think this is a bug, please open a new ticket to request control to be used as a parameter instead.

@raphink
Member

raphink commented Jun 4, 2014

Issue #114 deals with this now.
