Red Hat Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation

  • Comments

    • PAM Module Ordering Question

    Posted on

    In our enterprise, we settled on using PowerBroker's AD-integration tool, LikeWise. We also need to make use of the STIG-recommended security settings on our systems.

    By default, LikeWise's installer seems to key off the final line of the 

    /etc/pam.d/password-auth
    file's auth-stanza when it injects its call-out to 
    pam_lsass
    :

    auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass nullok
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        requisite    pam_lsass.so    smartcard_prompt    try_first_pass
auth        sufficient      pam_lsass.so      try_first_pass
auth        required      pam_deny.so

    However, the STIG's specify that you insert 

    pam_faillock
    just after 
    pam_env
    , resulting in a configuration of:

    auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=900 fail_interval=900
auth        required      pam_faillock.so authsucc deny=3 unlock_time=900 fail_interval=900
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        requisite    pam_lsass.so    smartcard_prompt    try_first_pass
auth        sufficient      pam_lsass.so      try_first_pass
auth        required      pam_deny.so

    In our dev environment (where I write our CM automation modules), we pretty much exclusively use key or token-based login-managment (SSH keys, PKI fobs/cards or GSSAPI tokens). So, when I was originally writing our modules, everything appeared to function fine. However, when we moved the stuff to production, the complaints came in that "password logins aren't working for AD users". Ultimately, tracked it down to how, when OpenSSH doesn't receive a recognized token as part of its internal processes, OpenSSH passes off to PAM for further authentication-handling. PAM runs through the defined auth-sstack, hits pam_faillock (which doesn't grok AD-managed users) and exits. Result: even when the AD user gives a valid password, they keep getting prompted, over and over, for their password and can never login (even though SSH key-logins, Kerberos logins and password-based local user logins all still work).

    I ended up side-stepping the problem by moving the 

    pam_lsass
    lines ahead of the 
    faillock
    lines. However, I'm concerned that, even though this fixes my login problem, it may create other problems I'm (not yet) noticing. I vaguely recall that doing such when using 
    pam_tally
    and/or 
    pam_tally2
    resulted in the fail-counter getting incremented, even when the AD-auth module indicated a success condition.

    So, my question is, "is there a better solution than simply moving 

    pam_lsass
    ahead of 
    pam_faillock
    ?

    by

    points

    Responses

    Red Hat LinkedIn YouTube Facebook X, formerly Twitter

    Quick Links

    Help

    Site Info

    Related Sites

    © 2026 Red Hat