PAM Module Ordering Question

Latest response

In our enterprise, we settled on using PowerBroker's AD-integration tool, LikeWise. We also need to make use of the STIG-recommended security settings on our systems.

By default, LikeWise's installer seems to key off the final line of the /etc/pam.d/password-auth file's auth-stanza when it injects its call-out to pam_lsass:

auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass nullok
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        requisite    pam_lsass.so    smartcard_prompt    try_first_pass
auth        sufficient      pam_lsass.so      try_first_pass
auth        required      pam_deny.so

However, the STIG's specify that you insert pam_faillock just after pam_env, resulting in a configuration of:

auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=900 fail_interval=900
auth        required      pam_faillock.so authsucc deny=3 unlock_time=900 fail_interval=900
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        requisite    pam_lsass.so    smartcard_prompt    try_first_pass
auth        sufficient      pam_lsass.so      try_first_pass
auth        required      pam_deny.so

In our dev environment (where I write our CM automation modules), we pretty much exclusively use key or token-based login-managment (SSH keys, PKI fobs/cards or GSSAPI tokens). So, when I was originally writing our modules, everything appeared to function fine. However, when we moved the stuff to production, the complaints came in that "password logins aren't working for AD users". Ultimately, tracked it down to how, when OpenSSH doesn't receive a recognized token as part of its internal processes, OpenSSH passes off to PAM for further authentication-handling. PAM runs through the defined auth-sstack, hits pam_faillock (which doesn't grok AD-managed users) and exits. Result: even when the AD user gives a valid password, they keep getting prompted, over and over, for their password and can never login (even though SSH key-logins, Kerberos logins and password-based local user logins all still work).

I ended up side-stepping the problem by moving the pam_lsass lines ahead of the faillock lines. However, I'm concerned that, even though this fixes my login problem, it may create other problems I'm (not yet) noticing. I vaguely recall that doing such when using pam_tally and/or pam_tally2 resulted in the fail-counter getting incremented, even when the AD-auth module indicated a success condition.

So, my question is, "is there a better solution than simply moving pam_lsass ahead of pam_faillock?

thomas.jones2@dodiis.mil's picture

Responses