RHEL-26161

PAM stack is not working as expected in RHEL 8.

    • Type: Bug
    • Resolution: Won't Do
    • Priority: Major
    • Affects version: rhel-8.8.0
    • Component: pam
    • Severity: Moderate
    • rhel-sst-idm-sssd
    • ssg_idm
    • Red Hat Enterprise Linux
    • x86_64

      What were you trying to do that didn't work?

      Getting a single password prompt for an invalid user with the below sequence in /etc/pam.d/password-auth:

      auth        required      pam_sss.so
      auth        required      pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/system-groups-ad.list

      This can let an attacker identify that it is an invalid user.

      It works as expected with the below sequence:

      auth        required      pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/system-groups-ad.list
      auth        required      pam_sss.so

      Please provide the package NVR for which the bug is seen:

      The behaviour is observed irrespective of the pam and sssd versions.

      How reproducible:

      • An invalid user gets a single password prompt with the below sequence:

      auth        required      pam_env.so
      auth        required      pam_faildelay.so delay=2000000
      auth        [default=4 success=ignore] pam_localuser.so
      auth        required      pam_faillock.so preauth deny=5 audit even_deny_root unlock_time=0 root_unlock_time=900 silent
      auth        [success=1 default=bad] pam_unix.so try_first_pass
      auth        [default=die] pam_faillock.so authfail deny=5 audit even_deny_root unlock_time=0 root_unlock_time=900 silent
      auth        sufficient    pam_faillock.so authsucc deny=5 audit even_deny_root unlock_time=0 root_unlock_time=900
      auth        required      pam_sss.so
      auth        required      pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/system-groups-ad.list
      auth        sufficient    pam_succeed_if.so uid >= 200 quiet
      auth        required      pam_deny.so

      • An invalid user is prompted 3 times with the below sequence, as expected:

      auth        required      pam_env.so
      auth        required      pam_faildelay.so delay=2000000
      auth        [default=4 success=ignore] pam_localuser.so
      auth        required      pam_faillock.so preauth deny=5 audit even_deny_root unlock_time=0 root_unlock_time=900 silent
      auth        [success=1 default=bad] pam_unix.so try_first_pass
      auth        [default=die] pam_faillock.so authfail deny=5 audit even_deny_root unlock_time=0 root_unlock_time=900 silent
      auth        sufficient    pam_faillock.so authsucc deny=5 audit even_deny_root unlock_time=0 root_unlock_time=900
      auth        required      pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/system-groups-ad.list
      auth        required      pam_sss.so
      auth        sufficient    pam_succeed_if.so uid >= 200 quiet
      auth        required      pam_deny.so


      Expected results

      An invalid user should get the password prompt 3 times.

      RHEL 7 gives the password prompt 3 times in both cases, irrespective of sequence.

      NOTE: It works as expected with the default RHEL 8 config, irrespective of sequence:

      auth        required                                     pam_env.so
      auth        required                                     pam_faildelay.so delay=2000000
      auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
      auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
      auth        sufficient                                   pam_unix.so nullok
      auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
      auth        required                                     pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/system-groups-ad.list
      auth        sufficient                                   pam_sss.so forward_pass
      auth        required                                     pam_deny.so
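      A check for the ordering this report describes, written here as an added example (it is not code from the report or from the pam or sssd projects): it parses pam.d auth lines, including the bracketed control syntax the stacks above use, and flags a stack in which pam_sss.so is listed before pam_listfile.so. The two embedded stacks are constructed, reduced versions of the report's two orderings; the module names and file path are the ones the report uses.

```python
import re
from typing import List, NamedTuple

class PamEntry(NamedTuple):
    """One /etc/pam.d line: type, control, module path, module arguments."""
    mtype: str
    control: str
    module: str
    args: str

# Control is a keyword or a bracketed "[...]" expression (may contain spaces); a leading '-' on the type is dropped.
_LINE = re.compile(r"^-?(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_pam(text: str) -> List[PamEntry]:
    """Parse a pam.d file body; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        entries.append(PamEntry(*(m.group(i) or "" for i in range(1, 5))))
    return entries

def sss_before_listfile(entries: List[PamEntry], mtype: str = "auth") -> bool:
    """True when pam_sss.so is stacked ahead of pam_listfile.so in the given stack type,
    the ordering the report ties to a single password prompt for an invalid user."""
    order = [e.module for e in entries if e.mtype == mtype]
    if "pam_sss.so" not in order or "pam_listfile.so" not in order:
        return False
    return order.index("pam_sss.so") < order.index("pam_listfile.so")

# Constructed samples: the report's two orderings, reduced to the lines that matter.
REPORTED = """\
auth        [default=4 success=ignore] pam_localuser.so
auth        [success=1 default=bad] pam_unix.so try_first_pass
auth        required      pam_sss.so
auth        required      pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/system-groups-ad.list
auth        required      pam_deny.so
"""
EXPECTED = """\
auth        [default=4 success=ignore] pam_localuser.so
auth        [success=1 default=bad] pam_unix.so try_first_pass
auth        required      pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/system-groups-ad.list
auth        required      pam_sss.so
auth        required      pam_deny.so
"""
if __name__ == "__main__":
    for name, cfg in (("reported", REPORTED), ("expected", EXPECTED)):
        print(f"{name}: pam_sss.so before pam_listfile.so = {sss_before_listfile(parse_pam(cfg))}")
```

      Pointing parse_pam at the contents of /etc/pam.d/password-auth and /etc/pam.d/system-auth gives a quick audit of a host's stack order.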

              Iker Pedrosa (ipedrosa@redhat.com)
              Danish Shaikh (rhn-support-dshaikh)
              Anuj Borah