[GH-ISSUE #140] [BUG] Pam_tally config not working #58

Closed
opened 2026-03-03 13:58:48 +03:00 by kerem · 8 comments

Originally created by @llouxi on GitHub (Jun 20, 2022).
Original GitHub issue: https://github.com/konstruktoid/hardening/issues/140

Originally assigned to: @konstruktoid on GitHub.

**Describe the bug**
Pam_tally2 counters are not automatically reset after unlock_time.
Accounts must be unlocked manually from the CLI.

**To Reproduce**
Try to log in more than 5 times using a bad password, wait for the unlock time and try logging in with the correct password.
The login will fail, as the pam_tally2 counter is not automatically reset by the current config.

**Expected behavior**
Pam_tally2 counters should reset to 0 after unlock_time.

The following config in the script `password` seems to work:

```sh
# Append the pam_tally2 account line to common-account if it is not already present
if ! grep -q tally2 "$COMMONACCOUNT"; then
  sed -i '/^$/a account required pam_tally2.so' "$COMMONACCOUNT"
fi
```

**System (lsb_release -a):**
Tested on Ubuntu 18.04.4 LTS and Ubuntu 20.04.4 LTS

**Additional context**
Reference used for troubleshooting: https://unix.stackexchange.com/questions/560196/why-does-this-pam-code-prevent-all-logins-to-a-debian-system

kerem closed this issue 2026-03-03 13:58:48 +03:00

@konstruktoid commented on GitHub (Jun 20, 2022):

Hi @llouxi and thanks for opening this issue, I'll have a look at it as soon as possible.


@konstruktoid commented on GitHub (Jun 20, 2022):

When installing on Ubuntu 20.04.4, isn't faillock used instead?


@llouxi commented on GitHub (Jun 21, 2022):

Tested again on a fresh install: faillock is used on Ubuntu 20.04.4, but common-auth is not configured properly, so the configuration seems partial for faillock.

Current issue is however valid on systems without faillock.


@konstruktoid commented on GitHub (Jun 21, 2022):

Will focus on faillock since pam_tally2 is deprecated with 20.04.


@konstruktoid commented on GitHub (Jun 21, 2022):

```sh
$ grep -v '^#' /etc/pam.d/common-account
account	[success=1 new_authtok_reqd=done default=ignore]	pam_unix.so
account	requisite			pam_deny.so
account	required			pam_permit.so
account required pam_faillock.so
```

```sh
$ grep -v '^#' /etc/pam.d/common-auth
auth    required pam_faillock.so preauth
auth    [success=1 default=ignore]      pam_unix.so
auth    [default=die] pam_faillock.so authfail
auth    sufficient pam_faillock.so authsucc
auth	requisite			pam_deny.so
auth	required			pam_permit.so
auth	optional			pam_cap.so
```
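The comment above shows the working faillock chain in common-auth; the earlier report was that common-auth was only partially configured. The following is an added example, not code from the hardening project, that checks a common-auth file for the complete chain in the order shown above (preauth before pam_unix, authfail then authsucc after it). The sample files it writes are constructed from the listing above.

```shell
# Added example (not part of the hardening project): verify that a
# common-auth file contains the pam_faillock chain in the order the issue
# shows (preauth before pam_unix, authfail and authsucc after it).

# Line number (comments stripped) of the first entry matching a regex.
pam_line() {
  grep -v '^#' "$1" | grep -n -E "$2" | head -n 1 | cut -d: -f1
}

# Returns 0 when the faillock chain is complete and correctly ordered.
check_faillock_auth() {
  f="$1"
  pre=$(pam_line "$f" '^auth[[:space:]]+required[[:space:]]+pam_faillock\.so[[:space:]]+preauth')
  unix=$(pam_line "$f" '^auth[[:space:]].*pam_unix\.so')
  fail=$(pam_line "$f" '^auth[[:space:]]+\[default=die\][[:space:]]+pam_faillock\.so[[:space:]]+authfail')
  succ=$(pam_line "$f" '^auth[[:space:]]+sufficient[[:space:]]+pam_faillock\.so[[:space:]]+authsucc')
  for v in "$pre" "$unix" "$fail" "$succ"; do
    [ -n "$v" ] || return 1            # a required entry is missing
  done
  [ "$pre" -lt "$unix" ] || return 1   # preauth must precede pam_unix
  [ "$unix" -lt "$fail" ] || return 1  # authfail must follow pam_unix
  [ "$fail" -lt "$succ" ] || return 1  # authsucc last, so a good login resets the counter
}

# Constructed sample: the working common-auth from the issue (path printed).
sample_good() {
  f=$(mktemp)
  printf '%s\n' \
    'auth    required pam_faillock.so preauth' \
    'auth    [success=1 default=ignore]      pam_unix.so' \
    'auth    [default=die] pam_faillock.so authfail' \
    'auth    sufficient pam_faillock.so authsucc' \
    'auth    requisite   pam_deny.so' \
    'auth    required    pam_permit.so' > "$f"
  echo "$f"
}

# Constructed sample: partial configuration with no faillock lines in common-auth.
sample_partial() {
  f=$(mktemp)
  printf '%s\n' \
    'auth    [success=1 default=ignore]      pam_unix.so' \
    'auth    requisite   pam_deny.so' \
    'auth    required    pam_permit.so' > "$f"
  echo "$f"
}
```

Run `check_faillock_auth /etc/pam.d/common-auth` on a host to check its real file; a non-zero exit means the chain is missing or misordered.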

@konstruktoid commented on GitHub (Jun 21, 2022):

@llouxi, could you please test https://github.com/konstruktoid/hardening/pull/145?


@llouxi commented on GitHub (Jun 22, 2022):

Thanks for the quick fix, tested and all good now.


@konstruktoid commented on GitHub (Jun 22, 2022):

Merged.
