[CentOS] [SOLVED?] PAM_shield locking me out?

Sat Aug 28 13:12:09 UTC 2010
A. Kirillov <nevis2us at infoline.su>

> > > I've tried that too and it was a good suggestion
> > > as su now crashes only if you enter a wrong password.
> > > I've also tried to rebuild rpmforge srpm with no luck.
> > > Could you really make this thing work? I mean did it
> > > actually block anything after a series of failed logins?
> > 
> > As I said, we use it for various services on all Internet-bound systems. 
> > And yes it works fine. Example: /etc/pam.d/sshd
> > 
> > ------
> > #%PAM-1.0
> > auth       optional     pam_shield.so
> > auth       include      system-auth
> > account    required     pam_nologin.so
> > account    include      system-auth
> > password   include      system-auth
> > session    optional     pam_keyinit.so force revoke
> > session    include      system-auth
> > session    required     pam_loginuid.so
> > ------
> > 
> > You don't want to add this to /etc/pam.d/system-auth simply because it 
> > makes no sense to enable pam_shield for things like su, screen, reboot, 
> > etc... If you understand what pam_shield does (eg. read the 
> > documentation), you'd never want to enable it for all PAM services that 
> > use system-auth. EVER.
> 
> I'm in no way a pam expert, yes.
> So I have to rely on the documentation which comes with the package.
> 
> # cat /usr/share/doc/pam_shield-0.9.3/INSTALL
> ...
> If you want to use pam_shield for all services,
> edit /etc/pam.d/common-auth.
> Add the line
> 
>         auth optional   pam_shield.so
> 
> and that's that.
> ...
> 
> And that's about the only hint on how and where to enable pam_shield.
> I've tried to add this line to /etc/pam.d/sshd too.
> Fortunately it didn't crash anything but it didn't work either.

Here's the story for those interested. With the default of

allow_missing_dns no
allow_missing_reverse no

pam_shield DOESN'T BLOCK hosts with no or incomplete dns entries,
which is a surprise. Should I say a big one? The reason it didn't work
for me was that bind wasn't adding reverse maps for my local hosts
because of screwed up zone file permissions.

On a side note, when testing pam_shield with a recommended
retention period of 60 secs you have to run /etc/cron.daily/pam-shield
manually to release expired locks.

HTH
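Added example, not from this thread or from the pam_shield project: a small Python audit that expands PAM `include`/`substack` lines and reports in which file pam_shield.so is actually declared for each service, so a module dropped into system-auth (or common-auth) shows up as reaching su, reboot and everything else that includes it. The /etc/pam.d contents below are a constructed sample, and the helper names are my own.

```python
import re

# Constructed sample of /etc/pam.d (service -> file text), not taken from any real host:
# sshd declares pam_shield.so directly (as in the thread); the rest only include system-auth.
PAMD = {
    "sshd": "#%PAM-1.0\n"
            "auth       optional     pam_shield.so\n"
            "auth       include      system-auth\n"
            "account    required     pam_nologin.so\n"
            "account    include      system-auth\n"
            "session    include      system-auth\n",
    "su":     "auth     include  system-auth\naccount  include  system-auth\n",
    "reboot": "auth     include  system-auth\n",
    "system-auth": "auth  required   pam_env.so\nauth  sufficient pam_unix.so nullok\n",
}

# PAM rule: type, control word or [bracketed control], module path, optional arguments
RULE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")

def rules(service, files, seen=frozenset()):
    """Yield (type, control, module, file) for a service, expanding include/substack lines."""
    if service in seen:          # guard against include loops
        return
    seen = seen | {service}
    for raw in files.get(service, "").splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments such as #%PAM-1.0
        m = RULE.match(line) if line else None
        if not m:
            continue
        ptype, control, module, _args = m.groups()
        if control in ("include", "substack"):
            yield from rules(module, files, seen)  # third column names the included file
        else:
            yield ptype, control, module, service

def shield_exposure(files, module="pam_shield.so"):
    """Map each service to the sorted files that declare pam_shield.so for it, or None."""
    out = {}
    for svc in files:
        origins = {src for _t, _c, mod, src in rules(svc, files) if mod == module}
        out[svc] = sorted(origins) or None
    return out

def audit(files, shared=("system-auth", "common-auth")):
    """Services reached by pam_shield only via a shared include file: the setup the thread warns against."""
    return sorted(svc for svc, origins in shield_exposure(files).items()
                  if origins and svc not in shared and svc not in origins)
```

On a real host, build the dict from the files in /etc/pam.d and run `audit()` on it; an empty list means pam_shield is only enabled where it was declared explicitly.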