-
Bug
-
Resolution: Unresolved
-
rhel-8.10.z, rhel-10.1
-
Low
-
rhel-idm-zta
What were you trying to do that didn't work?
To save time typing the password, I put pam_timestamp.so in /etc/pam.d/sshd as follows:
    #%PAM-1.0
    auth       sufficient   pam_timestamp.so debug verbose
    auth       substack     password-auth
    auth       include      postlogin
    account    required     pam_sepermit.so
    account    required     pam_nologin.so
    account    include      password-auth
    password   include      password-auth
    # pam_selinux.so close should be the first session rule
    session    required     pam_selinux.so close
    session    required     pam_loginuid.so
    session    required     pam_selinux.so open env_params
    session    required     pam_namespace.so
    session    optional     pam_keyinit.so force revoke
    session    optional     pam_timestamp.so debug verbose
    session    optional     pam_motd.so
    session    include      password-auth
    session    include      postlogin
When I log in to the server a 2nd time within the default timeout of 300 seconds, /var/log/secure shows the following:
    Feb 4 12:11:37 host0 sshd-session[722301]: pam_timestamp(sshd:auth): becoming more verbose
    Feb 4 12:11:37 host0 sshd-session[722301]: pam_timestamp(sshd:auth): becoming user `alice'
    Feb 4 12:11:37 host0 sshd-session[722301]: pam_timestamp(sshd:auth): currently user `root'
    Feb 4 12:11:37 host0 sshd-session[722301]: pam_timestamp(sshd:auth): tty is `ssh'
    Feb 4 12:11:37 host0 sshd-session[722301]: pam_timestamp(sshd:auth): using timestamp file `/var/run/pam_timestamp/root/ssh:alice'
    Feb 4 12:11:37 host0 sshd-session[722301]: pam_timestamp(sshd:auth): timestamp file `/var/run/pam_timestamp/root/ssh:alice' is older than oldest login, disallowing access to sshd for user root
    Feb 4 12:11:43 host0 sshd-session[722293]: Accepted keyboard-interactive/pam for alice from ::1 port 43280 ssh2
    Feb 4 12:11:43 host0 (systemd)[722314]: pam_unix(systemd-user:session): session opened for user alice(uid=1000) by alice(uid=0)
    Feb 4 12:11:44 host0 sshd-session[722293]: pam_unix(sshd:session): session opened for user alice(uid=1000) by alice(uid=0)
    Feb 4 12:11:44 host0 sshd-session[722293]: pam_timestamp(sshd:session): becoming user `alice'
    Feb 4 12:11:44 host0 sshd-session[722293]: pam_timestamp(sshd:session): currently user `root'
    Feb 4 12:11:44 host0 sshd-session[722293]: pam_timestamp(sshd:session): tty is `ssh'
    Feb 4 12:11:44 host0 sshd-session[722293]: pam_timestamp(sshd:session): using timestamp file `/var/run/pam_timestamp/root/ssh:alice'
    Feb 4 12:11:44 host0 sshd-session[722293]: pam_timestamp(sshd:session): updated timestamp file `/var/run/pam_timestamp/root/ssh:alice'
    Feb 4 12:12:03 host0 sshd-session[722479]: pam_timestamp(sshd:auth): becoming more verbose
    Feb 4 12:12:03 host0 sshd-session[722479]: pam_timestamp(sshd:auth): becoming user `alice'
    Feb 4 12:12:03 host0 sshd-session[722479]: pam_timestamp(sshd:auth): currently user `root'
    Feb 4 12:12:03 host0 sshd-session[722479]: pam_timestamp(sshd:auth): tty is `ssh'
    Feb 4 12:12:03 host0 sshd-session[722479]: pam_timestamp(sshd:auth): using timestamp file `/var/run/pam_timestamp/root/ssh:alice'
    Feb 4 12:12:03 host0 sshd-session[722479]: pam_timestamp(sshd:auth): timestamp file `/var/run/pam_timestamp/root/ssh:alice' is older than oldest login, disallowing access to sshd for user root
    Feb 4 12:12:10 host0 sshd-session[722471]: Accepted keyboard-interactive/pam for alice from ::1 port 40046 ssh2
    Feb 4 12:12:11 host0 sshd-session[722471]: pam_unix(sshd:session): session opened for user alice(uid=1000) by alice(uid=0)
And I still need to type the password, even though I log in the 2nd time before the 300-second timeout.
What is the impact of this issue to you?
As pam_timestamp failed to work, I have to input the password again to log in, even after a short while.
Please provide the package NVR for which the bug is seen:
pam-1.6.1-8.el10.x86_64
The customer also reproduced the issue with
pam-1.3.1-39.el8_10.x86_64
How reproducible is this bug?:
Always
Steps to reproduce
- Set up /etc/pam.d/sshd as stated in the description
- Log in the 1st time
- Log in the 2nd time within 300 seconds
Expected results
The 2nd time should allow me to log in without a password.
The secure log entries look like:
    Feb 4 11:45:33 host0 sshd-session[684785]: pam_timestamp(sshd:auth): using timestamp file `/var/run/pam_timestamp/root/ssh:alice'
    Feb 4 11:45:33 host0 sshd-session[684785]: pam_timestamp(sshd:auth): timestamp file `/var/run/pam_timestamp/root/ssh:alice' is only 78 seconds old, allowing access to sshd for user root
Actual results
I have to type the password the 2nd time, and the secure log looks like:
    Feb 4 12:12:03 host0 sshd-session[722479]: pam_timestamp(sshd:auth): using timestamp file `/var/run/pam_timestamp/root/ssh:alice'
    Feb 4 12:12:03 host0 sshd-session[722479]: pam_timestamp(sshd:auth): timestamp file `/var/run/pam_timestamp/root/ssh:alice' is older than oldest login, disallowing access to sshd for user root
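
Added example, not part of the original report and not Red Hat or Linux-PAM code: a Python script that extracts the pam_timestamp auth verdict lines quoted above, so each password-less grant or refusal can be reviewed per sshd session. The function names, and the reading of the timestamp path as `<dir>/<current user>/<tty>:<target user>`, are assumptions drawn from the quoted log lines.

```python
import re

# Sample lines copied from the /var/log/secure excerpts in the report.
SAMPLE = (
    "Feb 4 11:45:33 host0 sshd-session[684785]: pam_timestamp(sshd:auth): "
    "timestamp file `/var/run/pam_timestamp/root/ssh:alice' is only 78 seconds old, "
    "allowing access to sshd for user root\n"
    "Feb 4 12:12:03 host0 sshd-session[722479]: pam_timestamp(sshd:auth): "
    "timestamp file `/var/run/pam_timestamp/root/ssh:alice' is older than oldest login, "
    "disallowing access to sshd for user root\n"
    "Feb 4 12:12:10 host0 sshd-session[722471]: Accepted keyboard-interactive/pam "
    "for alice from ::1 port 40046 ssh2\n"
)

DECISION = re.compile(
    r"^(?P<when>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+\S+\[(?P<pid>\d+)\]:\s+"
    r"pam_timestamp\((?P<service>[^:)]+):auth\):\s+timestamp file `(?P<path>[^']+)'\s+"
    r"is (?P<reason>.+?), (?P<verdict>allowing|disallowing) access to \S+ "
    r"for user (?P<ruser>\S+)$"
)
AGE = re.compile(r"only (\d+) seconds old")


def parse_decisions(text):
    """Return one dict per pam_timestamp auth verdict found in text."""
    events = []
    for line in text.splitlines():
        m = DECISION.match(line.strip())
        if not m:
            continue  # not a pam_timestamp auth verdict line
        ev = m.groupdict()
        ev["pid"] = int(ev["pid"])
        # Assumed path layout, per the report: <dir>/<current user>/<tty>:<target user>
        tty, _, target = ev["path"].rsplit("/", 1)[1].partition(":")
        ev["tty"], ev["target_user"] = tty, target or None
        age = AGE.search(ev["reason"])
        ev["age_seconds"] = int(age.group(1)) if age else None
        events.append(ev)
    return events


def passwordless_grants(events):
    """Verdicts where pam_timestamp accepted the login, so no password was asked."""
    return [e for e in events if e["verdict"] == "allowing"]


if __name__ == "__main__":
    for e in parse_decisions(SAMPLE):
        print(e["when"], e["pid"], e["verdict"], e["target_user"], e["reason"])
```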