Public bug reported:

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: libpam-modules 1.4.0-11ubuntu1
I just noticed that Ubuntu 22.04 changed from the old pam_tally2 module to the more widespread pam_faillock one. \o/ However, locking (denying logins) does not actually seem to work. According to pam_faillock(8) I changed the config like this:

# diff -u /etc/pam.d/common-auth{.orig,}
--- /etc/pam.d/common-auth.orig 2022-03-25 10:41:29.088000000 +0000
+++ /etc/pam.d/common-auth 2022-03-25 10:48:48.913419254 +0000
@@ -17,11 +17,11 @@ auth [success=2 default=ignore] pam_unix.so nullok auth [success=1 default=ignore] pam_sss.so use_first_pass # here's the fallback if no module succeeds -auth requisite pam_deny.so +auth [default=die] pam_faillock.so authfail # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around -auth required pam_permit.so +auth sufficient pam_faillock.so authsucc # and here are more per-package modules (the "Additional" block) auth optional pam_cap.so # end of pam-auth-update config

This config works fine on both Debian 11 and Debian testing, and it agrees with the example in the manpage -- so I don't think it's that broken.

Start from a blank slate:

# faillock --user admin --reset
# faillock --user admin
admin:
When                Type  Source        Valid

Now I log in as user "admin" with a wrong password four times (one more than the default "deny=3", just to make sure):

sshd[3841]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.27.0.2 user=admin
sshd[3841]: Failed password for admin from 172.27.0.2 port 39446 ssh2

After the third time, I even see this in the journal:

sshd[3841]: Failed password for admin from 172.27.0.2 port 39446 ssh2
pam_faillock(sshd:auth): Consecutive login failures for user admin account temporarily locked
Failed password for admin from 172.27.0.2 port 39446 ssh2

But if I then log in with the correct password, it succeeds:

sshd[4492]: Accepted password for admin from 172.27.0.2 port 39450 ssh2
sshd[4492]: pam_unix(sshd:session): session opened for user admin(uid=1000) by (uid=0)

That's buggy -- "admin" should be denied access for ten minutes ("unlock_time = 600" in /etc/security/faillock.conf).
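Review bot: with `auth requisite pam_deny.so` removed and the `pam_faillock.so authsucc` line marked `sufficient`, a lock-out reported by authsucc does not end the stack. `sufficient` expands to `[success=done new_authtok_reqd=done default=ignore]`, so the failure return is ignored and control falls through to `auth optional pam_cap.so` with no explicit deny behind it; whether the account actually stays locked then depends on no later module setting a positive result. Keep a final `auth required pam_deny.so` after the authsucc line so a locked account always ends in an explicit failure. Two smaller points: the retained comment block `# prime the stack with a positive return value if there isn't one already;` described the removed `pam_permit.so` line and now sits above `authsucc`, which it does not describe; and everything above `# end of pam-auth-update config` is regenerated by pam-auth-update, so this hand edit is lost on its next run (a profile under /usr/share/pam-configs survives that).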
It did record the failed logins alright:

# faillock --user admin
admin:
When                Type  Source        Valid
2022-03-25 10:54:02 RHOST 172.27.0.2    V
2022-03-25 10:54:27 RHOST 172.27.0.2    V
2022-03-25 10:54:30 RHOST 172.27.0.2    V

But the actual denial doesn't seem to work.

** Affects: pam (Ubuntu)
   Importance: Undecided
   Status: New

** Tags: jammy regression-release

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1966416

Title:
  pam_faillock does not actually deny login after given number of failures
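The symptom above (a "temporarily locked" line in the journal followed, well inside unlock_time, by "Accepted password" for the same user) can be checked for automatically, which is how a defender would catch a lock-out that is recorded but not enforced. The script below is an added example and is not part of the bug report or of the pam package: it reads the numeric parameters from a faillock.conf excerpt (falling back to the pam_faillock(8) defaults), then scans journal lines for successful logins that happen while the user should still be locked. The journal lines are constructed for the example with `journalctl -o short-iso`-style timestamps and a hostname; the report's own lines carry neither, and the 10:55:10 "Accepted" time and the user "bob" are invented.

```python
"""Flag successful logins that occur while pam_faillock should still be denying the user."""
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed /etc/security/faillock.conf excerpt (not a real system's file).
SAMPLE_FAILLOCK_CONF = """\
# constructed example
deny = 3
unlock_time = 600
"""

# Constructed journal excerpt in `journalctl -o short-iso` layout; not real log data.
SAMPLE_JOURNAL = """\
2022-03-25T10:54:02+0000 host1 sshd[3841]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.27.0.2 user=admin
2022-03-25T10:54:02+0000 host1 sshd[3841]: Failed password for admin from 172.27.0.2 port 39446 ssh2
2022-03-25T10:54:27+0000 host1 sshd[3841]: Failed password for admin from 172.27.0.2 port 39446 ssh2
2022-03-25T10:54:30+0000 host1 sshd[3841]: pam_faillock(sshd:auth): Consecutive login failures for user admin account temporarily locked
2022-03-25T10:54:30+0000 host1 sshd[3841]: Failed password for admin from 172.27.0.2 port 39446 ssh2
2022-03-25T10:55:10+0000 host1 sshd[4492]: Accepted password for admin from 172.27.0.2 port 39450 ssh2
2022-03-25T11:10:00+0000 host1 sshd[5001]: Accepted password for bob from 172.27.0.3 port 39460 ssh2
"""

# pam_faillock(8) defaults, used for any key the file does not set.
DEFAULTS = {"deny": 3, "fail_interval": 900, "unlock_time": 600}

# short-iso timestamp: date, time, then an offset with or without a colon.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})([+-]\d{2}):?(\d{2})\s+(.*)$")
LOCK_RE = re.compile(
    r"pam_faillock\([^)]*\): Consecutive login failures for user (\S+) account temporarily locked"
)
ACCEPT_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+)")


def parse_faillock_conf(text: str) -> Dict[str, int]:
    """Return deny / fail_interval / unlock_time, falling back to the module defaults."""
    values = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if "=" not in line:
            continue
        key, _, val = line.partition("=")
        key, val = key.strip(), val.strip()
        if key in values and val.isdigit():
            values[key] = int(val)
    return values


def find_lock_bypasses(journal: str, unlock_time: int) -> List[Dict[str, object]]:
    """Return one finding per successful login that lands inside a user's lock window."""
    last_lock: Dict[str, datetime] = {}
    findings: List[Dict[str, object]] = []
    for raw in journal.splitlines():
        m = TS_RE.match(raw)
        if not m:
            continue  # not a short-iso line; skip
        ts = datetime.fromisoformat(f"{m.group(1)}{m.group(2)}:{m.group(3)}")
        msg = m.group(4)
        lock = LOCK_RE.search(msg)
        if lock:
            last_lock[lock.group(1)] = ts  # remember when the user was last locked
            continue
        acc = ACCEPT_RE.search(msg)
        if not acc:
            continue
        user, rhost = acc.groups()
        locked_at = last_lock.pop(user, None)  # a success resets the tally either way
        if locked_at is None:
            continue
        elapsed = ts - locked_at
        if elapsed < timedelta(seconds=unlock_time):
            findings.append({
                "user": user,
                "rhost": rhost,
                "locked_at": locked_at,
                "accepted_at": ts,
                "elapsed_s": int(elapsed.total_seconds()),
            })
    return findings


if __name__ == "__main__":
    conf = parse_faillock_conf(SAMPLE_FAILLOCK_CONF)
    for f in find_lock_bypasses(SAMPLE_JOURNAL, conf["unlock_time"]):
        print(f"{f['user']} from {f['rhost']} logged in {f['elapsed_s']}s after lock-out "
              f"(unlock_time={conf['unlock_time']}) at {f['accepted_at'].isoformat()}")
```

Against the constructed excerpt the script reports the admin login 40 seconds after the lock-out and stays silent about bob, who was never locked. On a live host, feed it `journalctl -u ssh -o short-iso` and the real /etc/security/faillock.conf; any finding means the tally is being written but not enforced, which is exactly the condition this report describes.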