action #101142

closed

[sle][security][sle15sp4][pam][manual]:Provide pam_faillock

Added by rfan1 about 3 years ago. Updated about 3 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: New test
Target version: -
Start date: 2021-10-19
Due date:
% Done: 100%
Estimated time: 8.00 h
Difficulty:
Description

https://jira.suse.com/browse/SLE-20695

Based on the Jira requests, the new pam package should provide the pam_faillock binary.
We need to integrate this into openQA.


Related issues 2 (0 open, 2 closed)

Related to openQA Tests (public) - action #96534: [sle][security][sle15sp4][CC] add 'test_pamfaillock_xxx' into audit_test/libpam run list when SLE ship pam_faillock (Resolved, Xiaojing_liu, 2021-08-04)

Copied to openQA Tests (public) - action #102990: [sle][security][sle15sp4][pam][automation]:Provide pam_faillock (Resolved, rfan1, 2021-10-19)

Actions #1

Updated by rfan1 about 3 years ago

  • Related to action #96534: [sle][security][sle15sp4][CC] add 'test_pamfaillock_xxx' into audit_test/libpam run list when SLE ship pam_faillock added
Actions #2

Updated by rfan1 about 3 years ago

  • Subject changed from [sle][security][sle15sp4][pam]:Provide pam_faillock to [sle][security][sle15sp4][pam][manual]:Provide pam_faillock
  • Status changed from New to In Progress
  • % Done changed from 0 to 10

rpm -q pam-1.3.0-6.50.1.x86_64 --changelog |grep faillock

  • Added tmpfiles for pam to set up directory for pam_faillock.
  • Added pam_faillock to the set of modules. [jsc#sle-20638, pam-sle20638-add-pam_faillock.patch]
Actions #3

Updated by rfan1 about 3 years ago

  • Copied to action #102990: [sle][security][sle15sp4][pam][automation]:Provide pam_faillock added
Actions #4

Updated by rfan1 about 3 years ago

Build a local VM to test basic lock and unlock operations. Need to update the auth and password PAM configuration files; WIP.

Actions #5

Updated by rfan1 about 3 years ago

  • Estimated time changed from 4.00 h to 8.00 h
Actions #6

Updated by rfan1 about 3 years ago

Added the following lines to "/etc/pam.d/common-auth" and "/etc/pam.d/common-password" files:

auth required pam_faillock.so preauth deny=3 unlock_time=600
auth required pam_faillock.so authfail deny=3 unlock_time=600
account required pam_faillock.so

susetest:~ # ssh usr@localhost
Password: [badpasswd]
Password:
Password:
bernhard@localhost's password:
Permission denied, please try again.
bernhard@localhost's password:
Permission denied, please try again.
bernhard@localhost's password:

Received disconnect from ::1 port 22:2: Too many authentication failures
Disconnected from ::1 port 22
susetest:~ # ssh usr@localhost
Password: [right passwd]
The account is locked due to 3 failed logins.
(10 minutes left to unlock)
susetest:~ # faillock --user usr --reset

susetest:~ # usr@localhost
Password:
Last failed login: Fri Nov 26 01:37:24 EST 2021 from ::1 on ssh:notty
There were 7 failed login attempts since the last successful login.
Last login: Thu Nov 25 23:43:09 2021 from 10.163.24.122
usr@susetest:~>
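
As an added example (not part of the ticket or of the openQA test code), the Python sketch below lints a PAM file for the three-line pam_faillock layout quoted in comment #6: a preauth line ahead of an authfail line, both carrying the same deny and unlock_time, plus an account line. The function names and the SAMPLE text are constructed for illustration.

```python
import re

# Constructed sample: the three lines quoted in comment #6.
SAMPLE = """\
auth required pam_faillock.so preauth deny=3 unlock_time=600
auth required pam_faillock.so authfail deny=3 unlock_time=600
account required pam_faillock.so
"""

# type, control (plain word or bracketed [value=action ...]), module, arguments
LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def faillock_entries(text):
    """Return (type, mode, options) for every pam_faillock line, in file order."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())  # drop comments and blanks
        if not m or m.group(3).rsplit("/", 1)[-1] != "pam_faillock.so":
            continue
        args = m.group(4).split()
        mode = next((a for a in args if a in ("preauth", "authfail", "authsucc")), None)
        opts = dict(a.split("=", 1) for a in args if "=" in a)
        entries.append((m.group(1).lstrip("-"), mode, opts))
    return entries

def check_faillock(text):
    """Return a list of deviations from the layout above; empty means it matches."""
    entries = faillock_entries(text)
    auth = [(i, mode, opts) for i, (typ, mode, opts) in enumerate(entries) if typ == "auth"]
    pre = [e for e in auth if e[1] == "preauth"]
    fail = [e for e in auth if e[1] == "authfail"]
    problems = []
    if not pre:
        problems.append("no 'auth ... pam_faillock.so preauth' line")
    if not fail:
        problems.append("no 'auth ... pam_faillock.so authfail' line")
    if not any(typ == "account" for typ, _, _ in entries):
        problems.append("no 'account ... pam_faillock.so' line")
    if pre and fail:
        if pre[0][0] > fail[0][0]:
            problems.append("preauth is listed after authfail")
        for key in ("deny", "unlock_time"):
            if pre[0][2].get(key) != fail[0][2].get(key):
                problems.append(f"{key} differs between preauth and authfail")
    return problems

if __name__ == "__main__":
    print(check_faillock(SAMPLE) or "pam_faillock lines match the expected layout")
```
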

Actions #7

Updated by rfan1 about 3 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 10 to 100

Manual tests done
