Use of pam_tally With Multiple Authentication Services and Colliding Userids

In our environment, we currently leverage both locally-managed userids (e.g., for root and for application service accounts like "oracle") and AD-managed userids (for our interactive users and sysadmin staff). We also use the pam_tally module for each PAM module authenticated through. We use pam_tally to enforce our security requirements to automatically lock accounts after three failures.

Over the years of running this way, we've discovered that pam_tally can become a pain-point if you have collisions between the two authentication name spaces. That is, if userid "jxsmith27" exists in both the "files" authentication-domain and the "winbind" authentication-domain and both entries' passwords differ, even on a successful login, pam_tally will increment. This is mostly just inconvenient if no one fat-fingers (tally-counter ends up displaying a misleadingly-high failure count) but highly problematic if you enter the wrong password even once. Mostly, we've avoided this problem by eliminating authentication-domain collisions over the years.

Recently, we were asked to merge some of our operational capabilities with another group. That other group uses an OpenLDAP back-end for their user management. To accommodate that, we'd need to add an LDAP module to our PAM config - and an associated pam_tally reference. While there may not be collisions between the existing "files" and "winbind" name-spaces and the coming "LDAP" name-space, we currently don't have access to their LDAP to be able to know for sure. Short of telling all remotely-authenticated users "you'll need to use fully-qualified userids (e.g., either an NTLM-style or Kerberos-style userid for AD-authenticated users and, presumably, a DN for LDAP-authenticated users) to log in to avoid spurious lockouts", is there any way to still leverage pam_tally in a way that it only increments once, even if a userid lookup succeeds multiple times but a password-match fails for all successful userid lookups? That is, if a userid exists in two name-spaces:

  • increment a total of one tally-count if the password-match fails for both name-spaces
  • don't increment the tally-count at all if a password-match succeeds against one (or both) name-spaces
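The double-increment described above, as a constructed Python simulation added here (it is not code from the original post): it models PAM's required/sufficient walk over made-up `pam_unix`, `pam_winbind`, `pam_tally` and `pam_deny` stand-ins with constructed password stores, and compares a tally entry after each password module with a single tally entry placed after all of them.

```python
# Simplified simulation of how a Linux-PAM "auth" stack walks its control flags.
# Constructed for illustration only: not the PAM library or the real pam_tally
# module; it models nothing but the attempt counting.
from typing import Callable, Dict, List, Tuple

# Constructed password stores: "jxsmith27" exists in both name spaces with
# different passwords, the collision described in the post.
FILES_DB = {"root": "r00t-pw", "oracle": "ora-pw", "jxsmith27": "local-pw"}
WINBIND_DB = {"jxsmith27": "ad-pw", "ajones": "ad-pw2"}

Stack = List[Tuple[str, Callable[[str, str], bool]]]


def make_stack(tally: Dict[str, int], per_module: bool) -> Stack:
    """Return an auth stack as (control, module) pairs.  per_module=True mimics
    the post: a tally entry after every password module.  per_module=False has
    one tally entry after all of them, reached only when none succeeded.  Both
    stacks end in pam_deny so that falling off the end never succeeds."""
    def pam_unix(user: str, pw: str) -> bool:
        return FILES_DB.get(user) == pw
    def pam_winbind(user: str, pw: str) -> bool:
        return WINBIND_DB.get(user) == pw
    def pam_tally(user: str, pw: str) -> bool:
        tally[user] = tally.get(user, 0) + 1  # count the attempt
        return True                           # counting alone does not reject
    def pam_deny(user: str, pw: str) -> bool:
        return False
    if per_module:
        return [("sufficient", pam_unix), ("required", pam_tally),
                ("sufficient", pam_winbind), ("required", pam_tally),
                ("required", pam_deny)]
    return [("sufficient", pam_unix), ("sufficient", pam_winbind),
            ("required", pam_tally), ("required", pam_deny)]


def authenticate(stack: Stack, user: str, password: str) -> bool:
    """A failed 'required' module is remembered but the walk continues (so a
    later tally entry still runs); a successful 'sufficient' module ends the
    walk with success unless a required module already failed."""
    failed_required = False
    for control, module in stack:
        ok = module(user, password)
        if control == "sufficient" and ok and not failed_required:
            return True
        if control == "required" and not ok:
            failed_required = True
    return not failed_required


def login_and_count(per_module: bool, user: str, password: str) -> Tuple[bool, int]:
    tally: Dict[str, int] = {}  # fresh counter per run: (login succeeded, count)
    ok = authenticate(make_stack(tally, per_module), user, password)
    return ok, tally.get(user, 0)
```

With the single-entry layout the counter is never consulted when a password matches, so the deny-limit check that pam_tally performs would still need an entry that runs before the password modules; this simulation models the counting only.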
