Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Undefined
Fix Version/s: None
Affects Version/s: rhel-8.10
Component/s: pam
Labels:
- Security

Regression:
No
Severity:
None

Pool Team:

sst_idm_sssd
Sub-System Group:

ssg_idm

Story Points:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
None
Sprint:
None

Preliminary Testing:
None
Test Coverage:
None

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

Faillock is not considering the exact match (case) of AD user as it is on the AD server . For example if the user "TesT1234" exist on AD then the user can login on the RHEL client with any of the case combinations like Test1234, test1234, TeSt1234. And faillock considers the account as different to lock them as it is accessed.

What is the impact of this issue to you?

May be a security breach, as it gives more chances for login attempt with a AD/domain user even if faillock is configured for 3 denials.

Please provide the package NVR for which the bug is seen:

How reproducible is this bug?:

Reproduced as below:
====================

$ cat /etc/security/faillock.conf | grep -v -e "^#"
deny=2
unlock_time=1200
silent

$ authselect current
Profile ID: sssd
Enabled features:

with-mkhomedir
with-faillock

1] User "TesT1234" exist on AD .

$ id TesT1234
uid=851801186(test1234) gid=851800513(domain users) groups=851800513(domain users)

2] [root@ad-joined-rhel8 ~]# id test1234
uid=851801186(test1234) gid=851800513(domain users) groups=851800513(domain users)

3] Now when i tried to login using the string Test1234 with wrong password and this string for the user is locked:
--------
[root@ad-joined-rhel8 ~]# faillock --user Test1234
Test1234:
When Type Source Valid
2024-09-26 09:18:53 RHOST ::1 V
2024-09-26 09:18:57 RHOST ::1 V

But did not locked TesT1234 or test1234:
[root@ad-joined-rhel8 ~]# faillock --user test1234
test1234:
When Type Source Valid
--------

4] But it can login using any of the other combinations like test1234, TesT1234:
--------
[root@ad-joined-rhel8 ~]# ssh test1234@localhost
test1234@localhost's password:
Activate the web console with: systemctl enable --now cockpit.socket

Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Last login: Thu Sep 26 09:03:35 2024 from ::1
[test1234@ad-joined-rhel8 ~]$

[root@ad-joined-rhel8 ~]# ssh TesT1234@localhost
TesT1234@localhost's password:
Activate the web console with: systemctl enable --now cockpit.socket

Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Last failed login: Thu Sep 26 09:36:13 EDT 2024 from ::1 on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Thu Sep 26 09:32:24 2024 from ::1
--------

Expected results

The AD user test1234 should be locked after N login attempts evem if it is access with any case combinations like TesT1234, Test1234 etc.

Actual results

The AD user is able to login with other case(lower/upper) combinations

Assignee:: Iker Pedrosa

Reporter:: Alok Sharma

Developer:: Iker Pedrosa

QA Contact:: Anuj Borah

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2024/09/27 3:27 PM

Updated:: 2024/09/27 3:36 PM

Details

Description

What were you trying to do that didn't work?

What is the impact of this issue to you?

Please provide the package NVR for which the bug is seen:

How reproducible is this bug?:

Expected results

Actual results

Attachments

Activity

People

Dates