Bug 161573 - When pam_tally is used, a valid authentication through sudo still generates a failed login for faillog
Status: CLOSED DUPLICATE
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: sudo
Version: 4.0
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Assignee: Karel Zak
QA Contact: Ben Levenson
Reported: 2005-06-24 15:34 UTC by Shawn M. Jones
Modified: 2007-11-30 22:07 UTC
Doc Type: Bug Fix
Last Closed: 2005-07-12 09:21:08 UTC

Description Shawn M. Jones 2005-06-24 15:34:09 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050523 CentOS/1.0.4-1.4.1.centos4 Firefox/1.0.4

Description of problem:
When the following lines are placed at the beginning of /etc/pam.d/system-auth:
auth        required      /lib/security/$ISA/pam_tally.so no_magic_root
account     required      /lib/security/$ISA/pam_tally.so no_magic_root deny=3

any valid password exchange via sudo still generates a failed login message in /var/log/messages

Jun 24 11:13:49 ids-atf sudo(pam_unix)[14651]: authentication failure; logname=smjones uid=0 euid=0 tty=pts/0 ruser= rhost=  user=smjones

And faillog generates the following output:
Username   Failures  Maximum  Latest
smjones           1        0  Fri Jun 24 11:13:46 -0400 2005 on pts/0

The command issued to sudo DOES execute successfully.

All of this occurs only when the user is asked to type their password for sudo.  Subsequent uses of sudo do not generate more authentication failures until the password information times out.

Version-Release number of selected component (if applicable):
sudo-1.6.7p5-30.1

How reproducible:
Always

Steps to Reproduce:
1.  Place the lines
auth        required      /lib/security/$ISA/pam_tally.so no_magic_root
account     required      /lib/security/$ISA/pam_tally.so no_magic_root deny=3

at the top of /etc/pam.d/system-auth

2.  Create the file /var/log/faillog.

3.  Logged in as a user that is configured in /etc/sudoers to use commands via sudo, execute a command like so:
# sudo ls

4.  Type in your valid password and watch the command successfully execute.

5.  Check /var/log/messages and note an entry like the following:

Jun 24 11:13:49 ids-atf sudo(pam_unix)[14651]: authentication failure; logname=smjones uid=0 euid=0 tty=pts/0 ruser= rhost=  user=smjones

6.  Run the faillog command and note output like the following:

Username   Failures  Maximum  Latest
smjones           1        0  Fri Jun 24 11:13:46 -0400 2005 on pts/0

7.  If the end user executes enough commands validly with sudo, pam_tally will prevent them from logging in.

Actual Results:  An authentication failure is logged by either pam or sudo when sudo successfully and correctly authenticates the user.  Enough uses of sudo will make pam_tally effectively lock the account out until the faillog is cleared.

After authenticating via sudo, /var/log/messages contains a message like the following:

Jun 24 11:13:49 ids-atf sudo(pam_unix)[14651]: authentication failure; logname=smjones uid=0 euid=0 tty=pts/0 ruser= rhost=  user=smjones

Also, the faillog command generates output like the following:

Username   Failures  Maximum  Latest
smjones           1        0  Fri Jun 24 11:13:46 -0400 2005 on pts/0

Expected Results:  A successful and correct authentication via sudo should not generate an authentication failure via pam.  The user should not be put into the faillog.

Additional info:

Comment 1 Shawn M. Jones 2005-06-24 15:36:05 UTC
Oh, also, pam's version is as follows:
pam-0.77-66.5

Comment 2 Karel Zak 2005-07-12 09:21:08 UTC

*** This bug has been marked as a duplicate of 144893 ***
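
Added example (not part of the bug report, and not sudo or PAM code): a small Python triage script that parses pam_unix failure lines in the /var/log/messages format quoted in the description and lists users whose failures logged under the sudo service alone would reach the deny=3 threshold from the report. The function names are hypothetical, and every sample line except the first is constructed.

```python
import re
from collections import Counter

# Format of the pam_unix syslog line quoted in the report:
# "<ts> <host> <service>(pam_unix)[<pid>]: authentication failure; k=v ..."
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<service>[\w.-]+)\(pam_unix\)\[(?P<pid>\d+)\]:\s"
    r"authentication failure;\s(?P<fields>.*)$"
)

def parse_failure(line):
    """Return a dict for a pam_unix authentication-failure line, else None."""
    m = FAILURE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # key=value pairs; values may be empty, as in "ruser= rhost="
    rec.update(re.findall(r"(\w+)=(\S*)", rec.pop("fields")))
    return rec

def tally_by_service(lines):
    """Count failure lines per (user, PAM service name)."""
    counts = Counter()
    for line in lines:
        rec = parse_failure(line)
        if rec:
            counts[(rec.get("user", ""), rec["service"])] += 1
    return counts

def sudo_driven_candidates(lines, deny=3):
    """Users whose failures logged under the sudo service alone reach `deny`.
    Heuristic only: the log cannot tell a mistyped password from the
    spurious failure described in this report, so treat hits as leads."""
    counts = tally_by_service(lines)
    return sorted(u for (u, svc), n in counts.items() if svc == "sudo" and n >= deny)

# First line is from the report; the rest are constructed sample input.
SAMPLE = [
    "Jun 24 11:13:49 ids-atf sudo(pam_unix)[14651]: authentication failure; logname=smjones uid=0 euid=0 tty=pts/0 ruser= rhost=  user=smjones",
    "Jun 24 11:31:02 ids-atf sudo(pam_unix)[14702]: authentication failure; logname=smjones uid=0 euid=0 tty=pts/0 ruser= rhost=  user=smjones",
    "Jun 24 11:52:17 ids-atf sudo(pam_unix)[14799]: authentication failure; logname=smjones uid=0 euid=0 tty=pts/0 ruser= rhost=  user=smjones",
    "Jun 24 12:01:40 ids-atf sshd(pam_unix)[14850]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=host.example  user=alice",
    "Jun 24 12:02:00 ids-atf crond(pam_unix)[14860]: session opened for user root by (uid=0)",
]

if __name__ == "__main__":
    for (user, svc), n in sorted(tally_by_service(SAMPLE).items()):
        print(f"{user:10} {svc:6} {n}")
    print("sudo-driven candidates:", sudo_driven_candidates(SAMPLE))
```

Comparing the listed users against the faillog output shows whether a lockout was driven by sudo prompts rather than by console or remote logins.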

