Stewart Adam | 5 Mar 2006 07:29

pam_tally & SSH not working properly at all -- FC5T3 w/ pam 0.99

Hello,
I'm completely confused, maybe it's a bug.
http://www.fedoraforum.org/forum/showthread.php?t=97416
I've started a thread there on FedoraForum with more info, but basically 
this is my situation:
- /etc/pam.d/sshd file:
-- start --
#%PAM-1.0
auth       include      system-auth
auth       required     pam_tally.so onerr=fail deny=3
account    required     pam_nologin.so
account    include      system-auth
account    required     pam_tally.so
password   include      system-auth
session    include      system-auth
session    required     pam_loginuid.so
-- end --
- I do have pam enabled in my sshd_config file.
- I only want pam_tally for my ssh server, so that's why it's only in sshd 
and non system authentication.

Here's the problem:
--> I reset my counter just in case
--> I do 5 bad SSH logins, even though my counter is 3 just to make sure
--> I run "pam_tally --user admin" and it shows my 5 bad attempts
--> My system logs show pam_tally is recording my bad attempts
--> If I type the right password it still lets me log in
In FC5T3 there's an additional "pam_tally2" module. Should I be using this 
one? I tried using that one with the same options and it still has no effect 
but the same results.

Darren Tucker | 5 Mar 2006 07:51

Re: pam_tally & SSH not working properly at all -- FC5T3 w/ pam 0.99

Stewart Adam wrote:
> Hello,
> I'm completely confused, maybe it's a bug.
> http://www.fedoraforum.org/forum/showthread.php?t=97416
> I've started a thread there on FedoraForum with more info, but basically
> this is my situation:
> - /etc/pam.d/sshd file:
> -- start --
> #%PAM-1.0
> auth       include      system-auth
> auth       required     pam_tally.so onerr=fail deny=3

Does /etc/pam.d/system-auth have any "sufficient" modules?  If so, the
authentication succeeds at that point and never gets as far as pam_tally
when your password is right.

Also, if you're used to pam_stack, be aware that it and the "include"
directive have subtly different semantics.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Stewart Adam | 5 Mar 2006 17:30

Re: pam_tally & SSH not working properly at all -- FC5T3 w/ pam 0.99

/etc/pam.d/system-auth file:
-- start --
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so retry=3
password    sufficient    pam_unix.so md5 nullok try_first_pass use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     required      pam_unix.so
-- end --
Do I have to change them to "Required"? Or would I be able to make it so 
that I tell my system to use pam_tally for everything, but it will only 
block SSH?
Thanks,
Firewing1

>From: Darren Tucker <dtucker <at> zip.com.au>
>Reply-To: Pluggable Authentication Modules <pam-list <at> redhat.com>
>To: Pluggable Authentication Modules <pam-list <at> redhat.com>

Darren Tucker | 6 Mar 2006 05:07

Re: pam_tally & SSH not working properly at all -- FC5T3 w/ pam 0.99

On Sun, Mar 05, 2006 at 11:30:57AM -0500, Stewart Adam wrote:
> /etc/pam.d/system-auth file:
> -- start --
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        required      pam_deny.so

[...]
> Do I have to change them to "Required"?

Just blindly changing "sufficient" to "required" won't do what you
want since the "required pam_deny.so" will mean that you will end up
disallowing all authentications.

> Or would I be able to make it so that I tell my system to use pam_tally
> for everything, but it will only block SSH?

The safest thing to do is probably constructing a sshd PAM config
file that does what you want starting with a copy of system-auth.
Something like this for the auth section ought to work (untested):

auth        required      pam_env.so
auth        required      pam_unix.so nullok try_first_pass
auth        required      pam_tally.so
auth        requisite     pam_succeed_if.so uid >= 500 quiet


Tomas Mraz | 6 Mar 2006 10:19

Re: pam_tally & SSH not working properly at all -- FC5T3 w/ pam 0.99

On Sun, 2006-03-05 at 01:29 -0500, Stewart Adam wrote:
> Hello,
> I'm completely confused, maybe it's a bug.
> http://www.fedoraforum.org/forum/showthread.php?t=97416
> I've started a thread there on FedoraForum with more info, but basically 
> this is my situation:
> - /etc/pam.d/sshd file:
> -- start --
> #%PAM-1.0
> auth       include      system-auth
> auth       required     pam_tally.so onerr=fail deny=3
Move pam_tally.so before the include.

> account    required     pam_nologin.so
> account    include      system-auth
> account    required     pam_tally.so
The same thing here.

> password   include      system-auth
> session    include      system-auth
> session    required     pam_loginuid.so
> -- end --
> - I do have pam enabled in my sshd_config file.
> - I only want pam_tally for my ssh server, so that's why it's only in sshd 
> and non system authentication.
> 
> Here's the problem:
> --> I reset my counter just incase
> --> I do 5 bad SSH logins, even though my counter is 3 just to make sure
> --> I run "pam_tally --user admin" and it shows my 5 bad attempts
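
Darren's point that a "sufficient" module in system-auth ends the whole stack before pam_tally ever runs, his warning that blindly turning "sufficient" into "required" leaves pam_deny to reject everyone, and Tomas's advice to move pam_tally.so before the include can all be checked with a small simulation of the classic Linux-PAM control-flag rules. This is an added example, not code from the thread or from Linux-PAM: run_stack, sshd_auth and the module verdicts unix_rc/tally_rc are constructed here to stand in for the real modules.

```c
#include <stddef.h>
#define PAM_SUCCESS  0
#define PAM_AUTH_ERR 7   /* Linux-PAM's numeric value for this error code */

enum control { REQUIRED, REQUISITE, SUFFICIENT };

/* One pam.d line plus the result its module returns in the simulated run. */
struct entry { enum control ctrl; int result; };

/* Classic Linux-PAM control semantics over a flattened stack: "include"
 * inlines the lines into the caller, so a "sufficient" success inside
 * system-auth returns from the whole sshd stack. */
int run_stack(const struct entry *s, size_t n)
{
    int first_failure = PAM_SUCCESS;      /* first failing "required" module */
    for (size_t i = 0; i < n; i++) {
        int rc = s[i].result;
        switch (s[i].ctrl) {
        case REQUIRED:    /* note the failure, but keep running the stack */
            if (rc != PAM_SUCCESS && first_failure == PAM_SUCCESS) first_failure = rc;
            break;
        case REQUISITE:   /* failure ends the stack immediately */
            if (rc != PAM_SUCCESS) return rc;
            break;
        case SUFFICIENT:  /* success ends the stack unless a required already failed */
            if (rc == PAM_SUCCESS && first_failure == PAM_SUCCESS) return PAM_SUCCESS;
            break;
        }
    }
    return first_failure;
}

/* The thread's sshd auth section with system-auth inlined and pam_tally either
 * after the include (as first posted) or before it (as Tomas suggests);
 * unix_rc is pam_unix's verdict on the password, tally_rc pam_tally's. */
int sshd_auth(int tally_first, int unix_rc, int tally_rc)
{
    struct entry tally = {REQUIRED, tally_rc};   /* pam_tally.so deny=3 */
    struct entry sys[] = {                        /* /etc/pam.d/system-auth */
        {REQUIRED,   PAM_SUCCESS},  /* pam_env.so */
        {SUFFICIENT, unix_rc},      /* pam_unix.so */
        {REQUISITE,  PAM_SUCCESS},  /* pam_succeed_if.so uid >= 500 */
        {REQUIRED,   PAM_AUTH_ERR}, /* pam_deny.so */
    };
    struct entry stack[5]; size_t n = 0;
    if (tally_first) stack[n++] = tally;
    for (size_t i = 0; i < 4; i++) stack[n++] = sys[i];
    if (!tally_first) stack[n++] = tally;
    return run_stack(stack, n);
}
```

With pam_tally after the include, a locked-out user with the right password still gets PAM_SUCCESS from pam_unix; with it before the include, the recorded "required" failure keeps the later "sufficient" from returning and pam_deny finishes the rejection.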

Stewart Adam | 6 Mar 2006 22:44

Re: pam_tally & SSH not working properly at all -- FC5T3 w/ pam 0.99

Alright... I think we've made progress but still nothing.
-- start /etc/pam.d/sshd --
#%PAM-1.0
auth       include      system-auth
auth       required     pam_tally.so onerr=fail deny=3
auth        required      pam_env.so
auth        required      pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
account    required     pam_nologin.so
account    include      system-auth
account    required     pam_tally.so
password   include      system-auth
session    include      system-auth
session    required     pam_loginuid.so
-- end sshd --

-- start /etc/pam.d/system-auth --
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so retry=3

John Ferrell | 6 Mar 2006 19:20

PAM_LDAP verbose logging?


I am trying to configure my Red Hat AS 4.2 box to authenticate users
using LDAP.  More specifically, I only want to verify the user's
password using LDAP, the accounts are local.  As far as I can tell the
system is performing the LDAP bind during the login process; using
tcpflow I can see the LDAP information passed to the server.
Unfortunately, I cannot tell what is really going on.  Even though I
have 'debug' option enabled in the pam config file, the logs do not
show any pam_ldap activity.

Below is a snippet from the sshd pam config with LDAP:
#LDAP
auth       sufficient   pam_ldap.so use_first_pass debug
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required    pam_stack.so service=system-auth
...

Originally, I was getting a LDAP bind error in /var/log/messages.
After fixing ldap.conf and verifying the settings using ldapsearch, I no
longer see the error.  However, I don't see any specific pam_ldap errors
in any of my logs now.

I have done some searching and found a few news group posts with
some sample logs.  It looks like there is a way to enable more verbose
logging:

Dec  8 10:04:43 linux29 login[2063]: pam_ldap: error trying to bind as
user "cn=Linux29,ou=SER,ou=KLK,o=EK" (Invalid credentials)

There is a debug option in ldap.conf, but that just created a log file
with output similar to running ldapsearch with the debugging option.

Hopefully someone can point me to the debugging option so that my logs
are a bit more helpful in troubleshooting this issue.

thanks,
John
_______________________________________________
Pam-list mailing list
Pam-list <at> redhat.com
https://www.redhat.com/mailman/listinfo/pam-list
Stewart Adam | 9 Mar 2006 00:30

Re: pam_tally & SSH not working properly at all -- FC5T3 w/ pam 0.99

/etc/pam.d/system-auth:
#%PAM-1.0
...
auth        sufficient    pam_unix.so nullok try_first_pass
...
account     sufficient    pam_succeed_if.so uid < 500 quiet
...
password    sufficient    pam_unix.so md5 nullok try_first_pass use_authtok
...
These lines are really annoying me now. How can I change them so that 
they're no longer "sufficient" but just part of the process? (As in so that 
the auth doesn't stop there and so that pam_tally has an effect)
Firewing1
-----------------------------------------------------------------------------------------
My web site:
http://www.nongnu.org/script-wing

>From: Darren Tucker <dtucker <at> zip.com.au>
>Reply-To: dtucker <at> zip.com.au,Pluggable Authentication Modules 
><pam-list <at> redhat.com>
>To: Pluggable Authentication Modules <pam-list <at> redhat.com>
>Subject: Re: pam_tally & SSH not working properly at all -- FC5T3 w/ pam 
>0.99
>Date: Mon, 6 Mar 2006 15:07:00 +1100
>
>On Sun, Mar 05, 2006 at 11:30:57AM -0500, Stewart Adam wrote:
> > /etc/pam.d/system-auth file:
> > -- start --
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth        required      pam_env.so
> > auth        sufficient    pam_unix.so nullok try_first_pass
> > auth        requisite     pam_succeed_if.so uid >= 500 quiet
> > auth        required      pam_deny.so
>
>[...]
> > Do I have to change them to "Required"?
>
>Just blindly changing "sufficient" to "required" won't do what you
>want since the "required pam_deny.so" will mean that you will end up
>disallowing all authentications.
>
> > Or would I be able to make it so that I tell my system to use pam_tally
> > for everything, but it will only block SSH?
>
>The safest thing to do is probably constructing a sshd PAM config
>file that does what you want starting with a copy of system-auth.
>Something like this for the auth section ought to work (untested):
>
>auth        required      pam_env.so
>auth        required      pam_unix.so nullok try_first_pass
>auth        required      pam_tally.so
>auth        requisite     pam_succeed_if.so uid >= 500 quiet
>
>--
>Darren Tucker (dtucker at zip.com.au)
>GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
>     Good judgement comes with experience. Unfortunately, the experience
>usually comes from bad judgement.
>
Thorsten Kukuk | 11 Mar 2006 22:22

return value of pam_getenvlist mismatch to XSSO


Hi,

The X/Open Single Sign-on Service (XSSO) documentation says about the
return value of pam_getenvlist():

"If no values are set, a NULL pointer is returned."

Linux-PAM does not return a NULL pointer, but a pointer to a NULL
pointer.
OpenPAM, which claims to conform to this standard, also returns
a pointer to a NULL pointer if no values are set.

After reading the manual pages of other OS I think XSSO should be
adjusted, not our pam_getenvlist() implementation.

Does somebody know more about this? Other opinions?

  Thorsten
-- 
Thorsten Kukuk         http://www.suse.de/~kukuk/      kukuk <at> suse.de
SUSE LINUX Products GmbH       Maxfeldstr. 5       D-90409 Nuernberg
--------------------------------------------------------------------    
Key fingerprint = A368 676B 5E1B 3E46 CFCE  2D97 F8FD 4E23 56C6 FB4B
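
The NULL versus pointer-to-NULL difference Thorsten describes is easy to mishandle in a caller that is written against one document and run against the other implementation. The added example below is not code from Linux-PAM or OpenPAM: consume_pam_env treats both forms as "no values set" and releases the list the way the Linux-PAM manual page describes (each string, then the array), and make_env is a constructed stand-in for a real pam_getenvlist() call.

```c
#include <stdlib.h>
#include <string.h>

/* Count and release a "NAME=value" list as returned by pam_getenvlist(),
 * accepting both the XSSO form for "no values set" (a NULL pointer) and the
 * Linux-PAM/OpenPAM form (a pointer to a single NULL).  Ownership follows
 * the Linux-PAM manual: the caller frees each string, then the array. */
size_t consume_pam_env(char **env)
{
    size_t count = 0;
    if (env == NULL)                          /* XSSO: "a NULL pointer is returned" */
        return 0;
    for (char **p = env; *p != NULL; p++) {   /* Linux-PAM: empty list is {NULL} */
        count++;
        free(*p);
    }
    free(env);
    return count;
}

/* Constructed sample in the shape pam_getenvlist() hands back; n == 0 yields
 * the pointer-to-NULL form discussed above. */
char **make_env(const char *const *vars, size_t n)
{
    char **env = calloc(n + 1, sizeof *env);  /* trailing NULL terminator */
    if (env == NULL) return NULL;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(vars[i]) + 1;
        env[i] = malloc(len);
        if (env[i] == NULL) break;            /* list stays NULL-terminated */
        memcpy(env[i], vars[i], len);
    }
    return env;
}
```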
Jon Nettleton | 21 Mar 2006 01:02

getting ready to take over pam_keyring

Hello,

This is my first post to the pam list.  I am getting ready to take over
the development of the pam_keyring module from Mike Petullo.  I have
read a lot of the feedback that he got when he first introduced the
module and tried to incorporate a lot of it into this release.  Since
this is my first shot at writing a pam module I would love if you could
take the time to check my code and comment on any glaring mistakes.  I
still have to update the Changelog and requirements sections, but here
is a quick rundown.

Changelog

  * I have updated pam_keyring.so to better match the coding standards
of pam 0.99
      * gnome-keyring-utility is renamed to pam-keyring-utility and
        added to the build process
      * pam-keyring-utility has been updated to better match
        gnome-keyring coding styles
      * pam-keyring-utility now uses the g_option command line parser

Requirements

        gnome-keyring >= 0.4.8
        gnome-session >= 2.10
        pam >= 0.99

You can download the source tarball from here

http://www.hekanetworks.com/opensource/pam_keyring/pam_keyring-0.0.6.tar.gz

Thanks for taking the time.

Jon
