Successful login does not reset pam_tally2 login failures when pam_sss is configured
This document (000021382) is provided subject to the disclaimer at the end of this document.
Environment
Situation
After three failed login attempts, a fourth attempt with the correct credentials succeeds, but the pam_tally2 failure count for the user is not reset:
# pam_tally2
Login                        Failures Latest failure     From
geeko                        3        03/01/24 10:39:35  192.168.70.1
The original configuration:
# /etc/pam.d/common-account
account requisite pam_unix.so try_first_pass
account sufficient pam_localuser.so
account required pam_sss.so use_first_pass
account required pam_tally2.so <-----
# /etc/pam.d/sshd
auth requisite pam_nologin.so
auth include common-auth
account requisite pam_nologin.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
session optional pam_lastlog.so silent noupdate showfailed
session optional pam_keyinit.so force revoke
auth required pam_tally2.so deny=4 unlock_time=60 <-----
Resolution
In /etc/pam.d/common-account, move the...
account required pam_tally2.so
... entry to the second line as follows:
# /etc/pam.d/common-account
account requisite pam_unix.so try_first_pass
account required pam_tally2.so <-----
account sufficient pam_localuser.so
account required pam_sss.so use_first_pass
In /etc/pam.d/sshd, move the...
auth required pam_tally2.so deny=4 unlock_time=60
... entry to the first line as follows:
# /etc/pam.d/sshd
auth required pam_tally2.so deny=4 unlock_time=60 <-----
auth requisite pam_nologin.so
auth include common-auth
account requisite pam_nologin.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
session optional pam_lastlog.so silent noupdate showfailed
session optional pam_keyinit.so force revoke
Now, after 3 unsuccessful login attempts, the 4th attempt using the correct credentials succeeds and the login failure count is reset:
# pam_tally2 -u geeko
Login                        Failures Latest failure     From
geeko                        0
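The following is an added check, not part of this TID: it parses the PAM stacks shown above and reports whether pam_tally2.so is placed as the resolution requires (before any sufficient module in the common-account stack, and before the include of common-auth in the sshd auth stack). The sample stacks are transcribed from the configurations above; the helper names are this example's own.

```python
# Added check, not from the SUSE TID. PAM ends a stack as soon as a
# 'sufficient' module succeeds (when no earlier required module has failed),
# so a pam_tally2.so entry placed after such a module may never run. An
# 'include' splices in another file that can contain a sufficient module.


def parse_pam(text):
    """Return (type, control, module) for each non-comment line of a PAM file."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[1].startswith("["):
            # bracketed control such as [success=1 default=ignore]
            close = next((i for i, p in enumerate(parts) if p.endswith("]")),
                         len(parts) - 1)
            parts = [parts[0], " ".join(parts[1:close + 1])] + parts[close + 1:]
        if len(parts) >= 3:
            entries.append((parts[0], parts[1], parts[2]))
    return entries


def tally_before_short_circuit(text, stack):
    """True if pam_tally2.so precedes every 'sufficient' or 'include' entry of
    the given stack ('account' or 'auth'); False if it follows one or is absent."""
    for typ, ctrl, mod in parse_pam(text):
        if typ != stack:
            continue
        if mod == "pam_tally2.so":
            return True
        if ctrl in ("sufficient", "include"):
            return False
    return False


# Stacks transcribed from the TID above (constructed sample input).
ORIG_COMMON_ACCOUNT = """account requisite pam_unix.so try_first_pass
account sufficient pam_localuser.so
account required pam_sss.so use_first_pass
account required pam_tally2.so
"""
FIXED_COMMON_ACCOUNT = """account requisite pam_unix.so try_first_pass
account required pam_tally2.so
account sufficient pam_localuser.so
account required pam_sss.so use_first_pass
"""
ORIG_SSHD = """# /etc/pam.d/sshd
auth requisite pam_nologin.so
auth include common-auth
account requisite pam_nologin.so
account include common-account
auth required pam_tally2.so deny=4 unlock_time=60
"""
FIXED_SSHD = "auth required pam_tally2.so deny=4 unlock_time=60\n" + ORIG_SSHD
```

Run against the live files with `tally_before_short_circuit(open("/etc/pam.d/common-account").read(), "account")` and the sshd file with `"auth"`; a False result means the entry sits where a successful login can skip it.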
Cause
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000021382
- Creation Date: 01-Mar-2024
- Modified Date: 01-Mar-2024
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com