FS#67347 - [pambase][pam] pam_faillock options
Attached to Project:
Arch Linux
Opened by loqs (loqs) - Tuesday, 21 July 2020, 15:15 GMT
Last edited by Andreas Radke (AndyRTR) - Tuesday, 30 March 2021, 12:41 GMT
Details
Description:
pam_faillock.so does not support onerr or file options. It uses dir with default /var/run/faillock containing one file per username. The deny option is not specified and is commented out in /etc/security/faillock.conf so I believe accounts except root will be locked after three failed attempts in 15 minutes with access re-enabled after 10 minutes. Should such a change warrant a news item?
etc/security/faillock.conf is not in the backup array of pam
Additional info:
* pambase 20200721.1-1
* pam 1.4.0-2
This task depends upon
* tmpfiles.d snippet to create /run/faillock/
* https://github.com/linux-pam/linux-pam/commit/395915dae1571e10e2766c999974de864655ea3a
* rework /etc/pam.d/system-auth so pam_faillock.so records authentication failures.
Possibly drop its use in the default pamstack?
Edit:
A news item may be warranted by the removal of pam_tally, pam_tally2 and pam_cracklib which if used in a custom pamstack would cause authentication failure, potentially causing a user to be locked out of the system.
1) /etc/pam.d/system-login:
change:
auth required pam_faillock.so onerr=succeed file=/var/log/tallylog
to
auth required pam_faillock.so
2) sddm needs to update its file:
/etc/pam.d/sddm-autologin
change:
auth required pam_tally.so file=/var/log/faillog onerr=succeed
to
auth required pam_faillock.so
Since the security faillock policy is set in /etc/security/faillock.conf, admins can adjust for local needs there.
So, I can get it to record in system journal but nothing is written to /run/faillock/xx.
man pages for pam_faillock and faillock weren't completely clear to me ... or I need more coffee.
The man page [1] documents much more invasive changes required to the pam stack.
[1] https://linux.die.net/man/8/pam_faillock
d /run/faillock 0755 root root -
[1] https://src.fedoraproject.org/rpms/pam/blob/master/f/pamtmp.conf
I then ssh to a second machine2 - now on this computer, as user2 I did: % ssh user1@machine1.
That generated the failure log recorded something like: sshd[x]: pam_unix(sshd:auth): authentication failure;...
This may be different via local login.
What I am suspecting is that in the current configuration pam_faillock.so is behaving the same as pam_allow.so.
repeat as above - login failure recorded in journal, but now a file is created: /run/faillock/user1
it is an empty file. I was rather expecting something inside the file ... but that's what I get.
My /etc/security/faillock.conf is the default - which has only comments.
Perhaps un-comment the 'audit' item in the conf file?
Edit:
Editing /etc/pam.d/system-login as follows as a test
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc
#auth include system-auth
authenticated logins generate an empty /run/faillock/username
failed logins generate a /run/faillock/username with a binary record
the details from the record can be read by faillock
[1] https://github.com/linux-pam/linux-pam/tree/master/modules/pam_faillock
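To see what faillock reads out of that binary record, here is an added decoder (not from the bug report or from linux-pam) that parses a /run/faillock/<user> file and counts the failures inside the default 15-minute window. It assumes the record layout of struct tally in linux-pam's faillock.h (uint64_t time, uint16_t status, char source[52], padded to 64 bytes) on a little-endian host; the sample bytes are constructed.

```python
import struct
from datetime import datetime, timezone

TALLY_STATUS_VALID = 0x1  # record counts toward the deny threshold
TALLY_STATUS_RHOST = 0x2  # source field holds a remote host (e.g. ssh)
TALLY_STATUS_RTTY = 0x4   # source field holds a tty (local login)

# Assumed layout (faillock.h, little-endian host): uint64_t time, uint16_t status,
# char source[52], then 2 bytes of alignment padding: 64 bytes per record.
_RECORD = struct.Struct("<QH52s2x")
RECORD_SIZE = _RECORD.size


def parse_records(data: bytes) -> list:
    """Decode every complete record in the bytes of /run/faillock/<user>."""
    records = []
    for off in range(0, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        when, status, source = _RECORD.unpack_from(data, off)
        records.append({
            "time": datetime.fromtimestamp(when, tz=timezone.utc),
            "type": ("RHOST" if status & TALLY_STATUS_RHOST
                     else "TTY" if status & TALLY_STATUS_RTTY else ""),
            "source": source.split(b"\0", 1)[0].decode("ascii", "replace"),
            "valid": bool(status & TALLY_STATUS_VALID),
        })
    return records


def count_failures(data: bytes, now: int, fail_interval: int = 900) -> int:
    """Valid failures within fail_interval seconds of `now` (default 15 min)."""
    return sum(1 for r in parse_records(data)
               if r["valid"] and now - int(r["time"].timestamp()) < fail_interval)


def _make_record(when: int, status: int, source: str) -> bytes:
    """Pack one record; used only to build the constructed sample below."""
    return _RECORD.pack(when, status, source.encode("ascii"))


# Constructed sample: user1 failed over ssh from machine2 three times, the
# oldest an hour ago, the other two within the last minute.
NOW = 1595344500
SAMPLE = b"".join([
    _make_record(NOW - 3600, TALLY_STATUS_VALID | TALLY_STATUS_RHOST, "machine2"),
    _make_record(NOW - 60, TALLY_STATUS_VALID | TALLY_STATUS_RHOST, "machine2"),
    _make_record(NOW - 30, TALLY_STATUS_VALID | TALLY_STATUS_RHOST, "machine2"),
])

if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(r["time"].strftime("%Y-%m-%d %H:%M:%S"), r["type"], r["source"],
              "V" if r["valid"] else "I")
    print("failures in window:", count_failures(SAMPLE, NOW))  # 2
```

An empty file (what a successful login leaves behind) decodes to no records, and an empty file or fewer than deny valid records in the window means the account is not locked.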
For pambase using the first example in the pam_faillock man page.
Results are now more as I would expect. Still needs much more testing.
Edit:
Moved pam_env.so up to avoid it being skipped.
PKGBUILD.diff.pam (1.9 KiB)
PKGBUILD.diff.pambase (2 KiB)
pam, removed executable bit from tmpfiles config.
PKGBUILD.diff.pam (1.9 KiB)
Sorry for noise.
-- fixed after reboot
I'm getting additional errors in the log when user logs in
(libpam.so.0 exists and is a link to /usr/lib/libpam.so.0.85.1 but seems to be wrong version - 1.3.2 instead of 1.4.0 )
--
PAM unable to dlopen(/usr/lib/security/pam_unix.so): /usr/lib/libpam.so.0: version `LIBPAM_MODUTIL_1.3.2' not found (required by /usr/lib/security/pam_unix.so)
PAM adding faulty module: /usr/lib/security/pam_unix.so
PAM failed: Module is unknown
user@1000.service: Failed to set up PAM session: Operation not permitted
user@1000.service: Failed at step PAM spawning /usr/lib/systemd/systemd: Operation not permitted
PKGBUILD.diff.substack (3.7 KiB)
https://github.com/loqs/pam/tree/update
https://github.com/loqs/pambase/tree/update-jump or https://github.com/loqs/pambase/tree/update-substack
I did not use sufficient as that would skip entries e.g. gdm_password has pam_gnome_keyring.so after system-local-login.
[1] https://www.freedesktop.org/software/systemd/man/pam_systemd_home.html
FS#68520) FS#65819 remains an issue for pambase.