PAM and pam_faillock.so

Support for security such as Firewalls and securing linux
rene
Posts: 1
Joined: 2014/12/17 11:47:39

Post by rene » 2014/12/17 12:19:41

Hi,

I'm new to CentOS (and to this forum) and have a few rather general questions about pam.d and pam_faillock.so and at the same time want to share my experience with enabling the latter.

(I guess that this should go without saying, but use the configuration below at your own risk. Be aware that you could lock yourself out of your own system by manipulating the files mentioned below.)

To begin with, I tried to enable pam_faillock.so on a new CentOS 7 installation according to the RHEL 7 Security Guide (see 4.1.3 Locking User Accounts After Failed Login Attempts), but that particular part of the mentioned manual seems to contain so many errors that I considered writing Red Hat about it (I am aware that CentOS is not RHEL). I'm just looking for another opinion on this ...

It begins with the creation of symbolic links to ensure that running authconfig does not break the configuration of pam_faillock.so. The manual says you should create the following symbolic links ...

ln -s /etc/pam.d/system-auth /etc/pam.d/system-auth-local
ln -s /etc/pam.d/password-auth /etc/pam.d/password-auth-local

... which obviously should be the other way around (?):

unlink /etc/pam.d/system-auth && ln -s /etc/pam.d/system-auth-local /etc/pam.d/system-auth
unlink /etc/pam.d/password-auth && ln -s /etc/pam.d/password-auth-local /etc/pam.d/password-auth

Then it says the file system-auth-local should contain the following lines:

auth     required      pam_faillock.so preauth silent audit deny=3 unlock_time=600 include system-auth-ac
auth     [default=die] pam_faillock.so authfail silent audit deny=3 unlock_time=600

account  required      pam_faillock.so
account  include       system-auth-ac

password include       system-auth-ac

session  include       system-auth-ac

This contains several errors at once: As I see it, the first line should start "auth requisite" (not required), or you'll get a password prompt despite your account being locked (unless, of course, you don't want the user to recognize the account locking). Then it should not contain the option "silent" in case you want to get error messages as demonstrated by the manual. And of course "include system-auth-ac" is no option for pam_faillock.so but has to be a separate line. The correct configuration should look like this:

(I added even_deny_root and shortened the unlock time to one minute, as I basically see this as a way to block potential brute force attacks.)

auth     requisite     pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=60
auth     include       system-auth-ac
auth     [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=60

account  required      pam_faillock.so
account  include       system-auth-ac

password include       system-auth-ac

session  include       system-auth-ac

The same goes for the file password-auth-local (as described in the mentioned manual), with one addition: According to the manual, the last 2 lines include system-auth-ac instead of password-auth-ac. Is this yet another error, or does this make sense due to the way authconfig handles those files in RHEL7 / CentOS7?

(Those sections are actually identical in the default configuration of both files, but I guess that it should include the correct corresponding file nevertheless, meaning password-auth-ac in the case of password-auth-local.)

Three more questions:

Isn't it a security issue that "pam_unix.so nullok" (enable empty passwords) is enabled by default in system-auth and password-auth?

What is the point of "auth requisite pam_succeed_if.so uid >= 1000 quiet_success" (I do understand what this does, but I'm curious why it's needed)?

And doesn't this make the last line "auth required pam_deny.so" redundant?

Best Regards,
rene
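As an added example (not code from the post or from the Red Hat manual), a small Python linter that parses a PAM service file and flags the four mistakes rene lists in the manual's auth stack: the misplaced "include" on the module line, "required" instead of "requisite" on the preauth line, "silent" on preauth, and the preauth/include/authfail lines being out of order. The two sample inputs are constructed from the auth stacks quoted above; the account/password/session lines are omitted because the checks only concern the auth stack.

```python
# Constructed sample: the auth stack as printed in the manual, errors included.
MANUAL_CONF = """\
auth     required      pam_faillock.so preauth silent audit deny=3 unlock_time=600 include system-auth-ac
auth     [default=die] pam_faillock.so authfail silent audit deny=3 unlock_time=600
"""
# Constructed sample: the corrected auth stack from the post.
FIXED_CONF = """\
auth     requisite     pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=60
auth     include       system-auth-ac
auth     [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=60
"""

def parse_pam(text):
    """Return (type, control, module, args) per rule; a [bracketed] control
    field may contain spaces, so it is re-joined into a single token."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if not fields:
            continue
        mtype, rest = fields[0], fields[1:]
        if rest[0].startswith("["):
            end = next(i for i, f in enumerate(rest) if f.endswith("]"))
            control, rest = " ".join(rest[:end + 1]), rest[end + 1:]
        else:
            control, rest = rest[0], rest[1:]
        rules.append((mtype, control, rest[0], rest[1:]))
    return rules

def lint_faillock(text):
    """Return a list of problems with the faillock auth stack; [] when sound."""
    auth = [r for r in parse_pam(text) if r[0] == "auth"]
    pre = [i for i, r in enumerate(auth) if r[2] == "pam_faillock.so" and "preauth" in r[3]]
    fail = [i for i, r in enumerate(auth) if r[2] == "pam_faillock.so" and "authfail" in r[3]]
    inc = [i for i, r in enumerate(auth) if r[1] == "include"]
    if not pre or not fail:
        return ["auth stack lacks a preauth/authfail pair"]
    control, args = auth[pre[0]][1], auth[pre[0]][3]
    problems = []
    if "include" in args:
        problems.append("'include' is not a pam_faillock option; it needs its own line")
    if control != "requisite":
        problems.append(f"preauth uses '{control}'; 'requisite' stops the password prompt for locked accounts")
    if "silent" in args:
        problems.append("'silent' on preauth suppresses the lock-out message")
    if not inc or not (pre[0] < inc[0] < fail[0]):
        problems.append("expected order: preauth, include <service>-ac, authfail")
    return problems
```

Run it against a real /etc/pam.d/system-auth-local by passing the file's contents to lint_faillock(); an empty list means the stack matches the corrected layout from the post.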
