Pam - locks out users
Hello,
I followed the instructions of the RHEL7 security guide (chapter 4.1.2/Account Locking). Everything was working as expected (users were locked out as expected after 3 failed attempts), until I tried to rename the configuration files with the commands (as stated in the security guide):
~]# mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac
~]# mv /etc/pam.d/password-auth /etc/pam.d/password-auth-ac
So, almost immediately the sudo command was not working and because of the even_deny_root parameter, after the reboot the root account was also locked... (mounting the encrypted volume from a recovery Linux DVD and editing the modified pam files gave me full access again).
After this failed attempt I re-followed the steps of the security guide, but instead of the mv commands I used cp commands:
sudo cp /etc/pam.d/system-auth /etc/pam.d/system-auth-ac
sudo cp /etc/pam.d/password-auth /etc/pam.d/password-auth-ac
And hopefully this time everything was working as expected (even_deny_root parameter was not used as a full lock-out precaution).
In the next reboot I realized that the administrator-user account password was not accepted at the login prompt of the graphical interface, while I was able to log in (as root or user) on any of the ttys (Ctrl+Alt+F2...). Running the command: faillock --user myusername, there were no failed login attempts, but only until a failed login in a tty had occurred..
(I uploaded the config files, and to be able to do so I renamed them to .txt)
I cannot find the root cause of the problem... Any ideas please?
Responses
According to the security guide, you need to make 'system-auth' and 'password-auth' a symbolic link to your custom file. By default, these should be symbolic links to 'system-auth-ac' and 'password-auth-ac'.
Try copying 'system-auth-ac' to 'system-auth-local', and make your adjustments to 'system-auth-local'. Then, change the symbolic link 'system-auth' to point to 'system-auth-local'. Do the same with the equivalent files for 'password-auth'.
Re-read section Keeping Custom Settings with authconfig in the security guide.
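The layout the reply above describes, as an added example (not from the security guide or this thread): the -ac files are copied, never moved, to a -local file that carries the pam_faillock lines, and only the system-auth/password-auth symlinks are repointed. It defaults to a constructed temporary tree so it can be run offline; PAMD=/etc/pam.d (as root) would apply it to a real host, and the sample stack contents are assumptions.

```shell
#!/bin/sh
set -eu

# Constructed sample of an authconfig-managed layout: -ac files plus symlinks.
seed_sample_layout() {
  d="$1"
  for s in system-auth password-auth; do
    printf '%s\n' 'auth        required      pam_env.so' \
      'auth        sufficient    pam_unix.so nullok try_first_pass' \
      'auth        required      pam_deny.so' \
      'account     required      pam_unix.so' > "$d/$s-ac"
    ln -sf "$s-ac" "$d/$s"
  done
}

# Build <stack>-local from <stack>-ac with the guide's faillock lines
# (deny=3, unlock_time=600, no even_deny_root) and repoint the symlink.
# The -ac file is left in place: an mv would leave the symlink dangling
# and every PAM-using service (sudo, login, gdm) would fail at once.
install_local_stack() {
  d="$1"; s="$2"
  [ -L "$d/$s" ] || { echo "$s is not a symlink; refusing" >&2; return 1; }
  [ -f "$d/$s-ac" ] || { echo "$s-ac is missing; refusing" >&2; return 1; }
  awk -v pre='auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=600' \
      -v post='auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600' \
      -v acct='account     required      pam_faillock.so' '
    /^auth .*pam_unix\.so/ && !a { print pre; print; print post; a=1; next }
    /^account / && !c { print acct; c=1 }
    { print }' "$d/$s-ac" > "$d/$s-local"
  ln -sf "$s-local" "$d/$s"
}

# Returns 0 only if both stacks point at -local, both -ac files survive,
# and faillock is wired into both; this is the check the OP's setup fails.
verify_layout() {
  d="$1"
  for s in system-auth password-auth; do
    [ "$(readlink "$d/$s")" = "$s-local" ] || return 1
    [ -f "$d/$s-ac" ] || return 1
    grep -q 'pam_faillock.so preauth' "$d/$s-local" || return 1
  done
}

if [ -z "${PAMD:-}" ]; then PAMD=$(mktemp -d); seed_sample_layout "$PAMD"; fi
install_local_stack "$PAMD" system-auth
install_local_stack "$PAMD" password-auth
verify_layout "$PAMD" && echo "layout ok in $PAMD"
```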
Oof. No. Never rename those files. If you run authconfig, it should set up appropriate names and symlinks for you. That said, if you've already hand-edited those files, those changes could be lost - so, you might want to run authconfig first, THEN edit ...or see if authconfig's options allow you to set the desired config-items via the tool
It's hard to tell exactly what is going on. I'm fairly certain it appears that the OP is cutting and pasting steps directly from the Security Guide. Those steps actually include renaming system-auth to system-auth-ac (although it seems to me that system-auth is a link to system-auth-ac by default) and then creating a new symlink system-auth to system-auth-local.
There is certainly something not working correctly in the OP's PAM configuration. Things like sudo should reference system-auth, so I would not expect things to break if the steps in the Security Guide are being followed correctly.