search

saltstack / salt

Software to automate the management and configuration of any infrastructure or application at scale. Install Salt from the Salt package repositories here:
https://docs.saltproject.io/salt/install-guide/en/latest/
Apache License 2.0
14.2k stars 5.48k forks source link

pam external_auth in 2016.3 causes pam_tally to register failed logins #32455

Closed sjmh closed 8 years ago

sjmh commented 8 years ago

Description of Issue/Question

When using the PAM external_auth in 2016.3-rc2, successful logins via salt will cause invalid logins to be registered by pam_tally2, resulting in the account eventually being locked.

Setup

(Please provide relevant configs and/or SLS files (Be sure to remove sensitive info).)

2016.3 RC2 master with external_auth pam:

external_auth:
  pam:
    shajducko:
      - 'I@role:provserver':
        - test.*

Steps to Reproduce Issue

(Include debug logs if possible and relevant.)

[root@itmlabsaltdev00 ~]# pam_tally2 --user shajducko
Login           Failures Latest failure     From
shajducko           0
[root@itmlabsaltdev00 ~]# su - shajducko
[shajducko@itmlabsaltdev00 ~]$ salt -a pam \*prov\* test.ping
username: shajducko
password:
itmlabprovdev01.corplab.intuit.net:
    True
[shajducko@itmlabsaltdev00 ~]$ logout
[root@itmlabsaltdev00 ~]# pam_tally2 --user shajducko
Login           Failures Latest failure     From
shajducko           1    04/08/16 16:56:08  unknown

Versions Report

(Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)

Salt Version:
           Salt: 2016.3.0rc2

Dependency Versions:
         Jinja2: 2.2.1
       M2Crypto: 0.20.2
           Mako: Not Installed
         PyYAML: 3.11
          PyZMQ: 14.5.0
         Python: 2.6.6 (r266:84292, Nov 21 2013, 10:50:32)
           RAET: Not Installed
        Tornado: 4.2.1
            ZMQ: 4.0.5
           cffi: Not Installed
       cherrypy: Not Installed
       dateutil: 1.4.1
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: Not Installed
        libgit2: Not Installed
        libnacl: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.4.6
   mysql-python: Not Installed
      pycparser: Not Installed
       pycrypto: 2.6.1
         pygit2: Not Installed
   python-gnupg: Not Installed
          smmap: Not Installed
        timelib: Not Installed

System Versions:
           dist: redhat 6.5 Santiago
        machine: x86_64
        release: 2.6.32-431.el6.x86_64
         system: Linux
        version: Red Hat Enterprise Linux Server 6.5 Santiago
gtmanfred commented 8 years ago

I am going to take a look at this

gtmanfred commented 8 years ago

This is happening on 2015.8 as well.

gtmanfred commented 8 years ago

Is this the first time you are running into this, or did you have this same problem with previous versions of salt? It looks like we are going to have to investigate this a bit farther.

It looks like our pam eauth implementation only runs the auth portion of the pam services, which is where the failures get tallyed in your pam_tally2 configuration. We need to run the account levels as well to make sure that they will get cleared on a successful login.

sjmh commented 8 years ago

@gtmanfred - Perhaps never noticed it with 2015.8 or may just be with our newer OS baselines that we actually use pam_tally2.

gtmanfred commented 8 years ago

this is going to take a while for us to troubleshoot this I think, because this hasn't been touched in a while.

Would it be possible to setup a separate service file for /etc/pam.d/ call salt and set auth.pam.service: salt that does all the pam.d login stuff without the pam_tally2, until we can figure out how to get the account and session stuff processed in pam?

sjmh commented 8 years ago

@gtmanfred - sure.