RHEL 5: Why does pam_tally have to precede any lines of the same module-type with a control flag of sufficient?
Is it a real security gap if, on RHEL 5, pam_tally does not precede any lines of the same module-type with a control flag of sufficient? I have this configuration in order to protect system users:
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
account required pam_tally.so
What security violation scenarios may this allow?
Thank you
Responses
"sufficient" means that, if the module succeeds, you can get into the system. From the man page:
sufficient
success of such a module is enough to satisfy the authentication requirements of the stack of modules (if a prior required module has failed the success of this one is ignored). A failure of this module is not deemed as fatal to satisfying the application that this type has succeeded. If the module succeeds the PAM framework returns success to the application immediately without trying any other modules.
Basically, if you put a "required" after a "sufficient", if the sufficiency-test passes, the remainder of the stack can be ignored. In your above:
- if someone logs in with a uid lower than 500, the only validity test they HAVE to pass before successfully authenticating is "pam_unix".
- if someone logs in with a uid of 500 or higher, then pam_permit and pam_tally will also need to succeed.
If you're confident that only users with uids of 500 or higher will try to log in, then the configuration you quote probably isn't fatal. But that's a really awful assumption to make with your security system.
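The short-circuit described in the answer above, shown as an added simulation of Linux-PAM control-flag handling (this is not code from the original thread; the module behaviours are simplified assumptions: pam_unix passes for unlocked accounts, pam_tally fails once the failure counter reaches the deny threshold, pam_permit always passes). It runs the stack exactly as quoted in the question, then the same modules with pam_tally moved ahead of the "sufficient" line:

```python
# Simplified stand-ins for the real modules (assumptions, see lead-in).
def pam_unix(user): return not user.get("locked", False)
def pam_succeed_if(user): return user["uid"] < 500            # "uid < 500"
def pam_permit(user): return True
def pam_tally(user, deny=5): return user.get("failures", 0) < deny

def run_stack(stack, user):
    """Evaluate one PAM stack for a user.

    Returns (result, modules_consulted) so the short-circuit is visible.
    """
    consulted = []
    failed = False                  # a 'required' module has already failed
    for flag, module in stack:
        consulted.append(module.__name__)
        ok = module(user)
        if flag == "required" and not ok:
            failed = True           # keep going, but the final result is failure
        elif flag == "requisite" and not ok:
            return False, consulted # fail immediately
        elif flag == "sufficient" and ok and not failed:
            return True, consulted  # success returned now; rest of stack skipped
    return not failed, consulted

# The account stack as quoted in the question.
QUESTION_STACK = [
    ("required",   pam_unix),
    ("sufficient", pam_succeed_if),
    ("required",   pam_permit),
    ("required",   pam_tally),
]

# Same modules, with pam_tally placed before the 'sufficient' line.
FIXED_STACK = [
    ("required",   pam_unix),
    ("required",   pam_tally),
    ("sufficient", pam_succeed_if),
    ("required",   pam_permit),
]

if __name__ == "__main__":
    # Constructed sample: a system account (uid < 500) whose tally is over the limit.
    system_user = {"uid": 0, "failures": 99}
    print(run_stack(QUESTION_STACK, system_user))  # success; pam_tally never consulted
    print(run_stack(FIXED_STACK, system_user))     # failure; the lockout is enforced
```

For a uid of 500 or higher the quoted stack does reach pam_tally, which is why the problem only shows up for the system accounts the configuration was meant to protect.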
