#6 Add support of pam_faillock
Merged by tmraz. Opened by pbrezina.
pbrezina/authconfig faillock  into  master

This patch adds support for the pam_faillock module to authconfig.

Three new options are implemented:
1. --enablefaillock (disabled by default)
2. --disablefaillock
3. --faillockargs (deny=4 unlock_time=1200 is the default)

The resulting stack is inspired by the second example in the pam_faillock manual page:

auth        required      pam_env.so
auth        required      pam_faillock.so deny=4 unlock_time=1200
...

account     required      pam_faillock.so
account     required      pam_unix.so broken_shadow
...

There might be some issues. I'm aware of two bugs that I was unable to solve:

  1. USEFAILLOCK is not set in /etc/sysconfig/authconfig; however, the second option, FAILLOCKARGS, is set.
  2. After running authconfig --enablefaillock --faillockargs="" --update (empty arguments), any successive call of authconfig --enablefaillock --update (no arg option specified) doesn't use the default value for the arguments. It uses an empty value instead.

Unfortunately this is wrong and does not follow the pam_faillock manual page.

For the minimal configuration the

auth        required      pam_faillock.so deny=4 unlock_time=1200

must be placed after the "sufficient" modules (pam_unix, pam_sss), which end the stack processing on success. And the authfail option must always be present on this line, i.e.

auth    required  pam_faillock.so authfail deny=4 unlock_time=1200

The authfail argument should not be part of the faillockargs as it is required for the module to function properly.
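To make the placement rule and the argument handling concrete, here is an added example that is not authconfig's own code and not part of this pull request. It models a PAM stack as a list of (type, control, module, args) tuples, strips the action keywords (authfail, preauth, authsucc) and surrounding whitespace from user-supplied faillock arguments, falls back to the deny=4 unlock_time=1200 default when nothing is left, and inserts the authfail line after the last "sufficient" auth module plus a required pam_faillock.so line at the top of the account stack. The function names, the tuple representation and the sample stack are assumptions constructed for illustration.

```python
"""Added example (not authconfig code): place pam_faillock in a PAM stack
the way the review above asks for.

Assumptions (constructed for illustration, not from the page): the function
names, the (type, control, module, args) tuple representation, and the
SAMPLE_STACK below.
"""
import shlex

DEFAULT_FAILLOCK_ARGS = "deny=4 unlock_time=1200"

# Action keywords that select what pam_faillock does in the auth stack.
# They must not come from the user-supplied argument string because the
# builder decides where (and with which action) the module is placed.
_ACTION_OPTIONS = {"preauth", "authfail", "authsucc"}


def normalize_faillock_args(args):
    """Return user-supplied faillock args without action keywords or stray
    whitespace; fall back to the default when nothing remains.

    Covers two review points: 'authfail' is never part of faillockargs, and
    re-saving the value cannot accumulate leading spaces.
    """
    if args is None:
        args = ""
    tokens = [t for t in shlex.split(args) if t not in _ACTION_OPTIONS]
    cleaned = " ".join(tokens)
    return cleaned or DEFAULT_FAILLOCK_ARGS


def add_faillock(stack, faillock_args=None):
    """Return a new stack with pam_faillock inserted.

    auth:    'required pam_faillock.so authfail <args>' goes right after the
             last 'sufficient' auth module, so it only runs once
             pam_unix/pam_sss have failed (a success ends the stack earlier).
    account: 'required pam_faillock.so' goes first in the account stack.
    Existing pam_faillock lines are dropped first, so the call is idempotent.
    """
    args = normalize_faillock_args(faillock_args)
    entries = [e for e in stack if e[2] != "pam_faillock.so"]
    auth = [e for e in entries if e[0] == "auth"]
    account = [e for e in entries if e[0] == "account"]
    other = [e for e in entries if e[0] not in ("auth", "account")]

    # Index just past the last 'sufficient' auth module (0 if there is none).
    pos = 0
    for i, e in enumerate(auth):
        if e[1] == "sufficient":
            pos = i + 1
    auth.insert(pos, ("auth", "required", "pam_faillock.so", "authfail " + args))
    account.insert(0, ("account", "required", "pam_faillock.so", ""))
    return auth + account + other


def render(stack):
    """Format the stack as pam.d-style lines (trailing spaces stripped)."""
    return "\n".join(f"{t:<12}{c:<14}{m} {a}".rstrip() for t, c, m, a in stack)


# Constructed sample stack resembling a system-auth file without faillock.
SAMPLE_STACK = [
    ("auth", "required", "pam_env.so", ""),
    ("auth", "sufficient", "pam_unix.so", "nullok try_first_pass"),
    ("auth", "requisite", "pam_succeed_if.so", "uid >= 1000 quiet_success"),
    ("auth", "sufficient", "pam_sss.so", "use_first_pass"),
    ("auth", "required", "pam_deny.so", ""),
    ("account", "required", "pam_unix.so", "broken_shadow"),
    ("account", "sufficient", "pam_localuser.so", ""),
    ("session", "required", "pam_limits.so", ""),
]

if __name__ == "__main__":
    # Leading spaces and a stray 'authfail' in the user string are removed.
    print(render(add_faillock(SAMPLE_STACK, "  deny=3 authfail unlock_time=600")))
```

Running the block prints the auth stack with pam_faillock.so authfail deny=3 unlock_time=600 sitting between pam_sss.so and pam_deny.so, and the account stack starting with pam_faillock.so; passing an empty or None argument string yields the deny=4 unlock_time=1200 default instead of an empty value.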

enable account locking in case of too many consecutive authentication failures

disable account locking on too many consecutive authentication failures

the pam_faillock module options

Either keep the 8 spaces per tab or simply use a tab here.

Again either use tabs or use 8 spaces per tab. And do not change indentation on lines that do not need to be touched.

The placement of the module in the stack is wrong as I commented on the pull request.

Do not touch unrelated lines.

You need to handle the authfail argument here. (i.e. remove it from faillockArgs).

You need to add 'and stack == "auth"'

You need to add authfail argument here.

I see. Do you want the resulting stack to look like:

auth        required      pam_env.so
auth        required      pam_faillock.so preauth deny=4 unlock_time=1200
...
auth        required      pam_faillock.so authfail deny=4 unlock_time=1200
...

account     required      pam_faillock.so
account     required      pam_unix.so broken_shadow

Or do you want me to remove the first pam_faillock line completely?

I would remove the first line. It is needed only for reporting the locking to the user and that is even unwanted in most deployments.

rebased

Please move this if to line 2152 - inside the if stack == "auth".

Also this will gradually make the faillockArgs contain more and more spaces at the beginning, because you do not remove them. It is just a cosmetic issue, but please handle it.

Please fix the two minor issues I've commented about in the code and I'll merge it.

rebased

Pull-Request has been merged by tmraz
