Re: PAM faillock and sssd

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Thu, 2013-06-06 at 18:24 +0000, Bryan Harris wrote: 
> Hi Tomas,
> 
> Thanks for your response.
> 
> On Jun 06, 2013, at 09:28 AM, Tomas Mraz <tmraz@xxxxxxxxxx> wrote:
> 
> This is not correct, the third pam_faillock line would never be called
> as the second line will always fail. So you can remove it.
>  
> I see what you're saying, is this because [default=die] causes all
> return codes to act as though an error happened?  But why does the
As though an error happened 

> pam_faillock man page say to place the lines in this way?  Even more
> important why can I login successfully with that configuration?
> Shouldn't I fail to login all the time?

Nope, because the 'sufficient' pam_unix and pam_sss modules will just
terminate the PAM stack execution with success when the user gives
correct password. Please study the pam.conf manual page.

> I was under the impression that one of the lines has a success type
> function and the other one has a failure type function.
The success function of the module should be called if the module that
does the password verification succeeds (how to do can be seen in the
first example in the pam_faillock manpage). However this makes the
configuration more complicated if you have multiple such modules as in
your case.

> And just add
> account required pam_faillock.so
> line to the beginning of account section. Otherwise the fail count will
> never be reset on successful authentication.
>  
> I have removed the 3rd line, and I have placed the account line at the
> beginning of the account section.  For some reason now, faillock does
> not increment new failures for my users.  Any ideas?
I'd have to see your current PAM config to tell. Also you need to
examine the failures before you login successfully with that user -
because the account required pam_faillock.so will reset the failures
once the user successfully authenticates.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux