[CentOS] [SOLVED?] PAM_shield locking me out?
dag at wieers.com
Wed Sep 1 11:01:20 EDT 2010
On Sat, 28 Aug 2010, A. Kirillov wrote:
>> And that's about the only hint on how and where to enable pam_shield.
>> I've tried to add this line to /etc/pam.d/sshd too.
>> Fortunately it didn't crash anything but it didn't work either.
> Here's the story for those interested. With the default of
> allow_missing_dns no
> allow_missing_reverse no
> pam_shield DOESN'T BLOCK hosts with no or incomplete dns entries,
> which is a surprise. Should I say a big one? The reason it didn't work
> for me was that bind wasn't adding reverse maps for my local hosts
> because of screwed up zone file permissions.
> On a side note, when testing pam_shield with a recommended
> retention period of 60 secs you have to run /etc/cron.daily/pam-shield
> manually to release expired locks.
Welcome to the wonderful world of Open Source !
If you want to make a difference here, please talk to the upstream
developers, rather than to this list.
Now, since I use pam_shield myself I have reported both problems (segfault
of su and login when configuring in /etc/pam.d/system-auth, and the
above). I haven't tested both, so any feedback or testcase to replicate
the problem are welcomed by the upstream developers (does not include me).
We also discussed some other improvements:
- using AUTHPRIV instead of AUTH for logging
- including shield-trigger-iptables
- Fixes to Makefile
- Including manual pages
- Fixes to INSTALL
- Both registered bugs
-- dag wieers, dag at wieers.com, http://dag.wieers.com/ --
[Any errors in spelling, tact or fact are transmission errors]
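
The quoted report traces the failure to missing reverse maps for local hosts. The following is an added example, not part of the original thread or of pam_shield: a forward-confirmed reverse DNS audit you can run against client addresses before relying on the allow_missing_dns / allow_missing_reverse settings. The function names and status labels are assumptions of this example, and it does not reproduce pam_shield's own lookup logic.

```python
import ipaddress
import socket
import sys

def _reverse(ip):
    """PTR name for ip, or None when no reverse entry exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / socket.gaierror
        return None

def _forward(name):
    """Set of address strings the name resolves to (empty if none)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def _norm(addr):
    """Normalise an address string so textual variants compare equal."""
    return ipaddress.ip_address(addr.split("%")[0])

def dns_status(ip, reverse=_reverse, forward=_forward):
    """Classify one address; the resolvers are injectable for offline testing.

    Returns (status, ptr_name) where status is one of:
      missing_reverse  no PTR record for the address
      missing_forward  PTR exists but the name does not resolve
      mismatch         name resolves, but not back to this address
      ok               forward and reverse entries agree
    """
    name = reverse(ip)
    if not name:
        return "missing_reverse", None
    addrs = {_norm(a) for a in forward(name)}
    if not addrs:
        return "missing_forward", name
    if _norm(ip) not in addrs:
        return "mismatch", name
    return "ok", name

def audit(ips, reverse=_reverse, forward=_forward):
    """Map each address to its (status, ptr_name) result."""
    return {ip: dns_status(ip, reverse, forward) for ip in ips}

if __name__ == "__main__":
    # Usage: python3 dnsaudit.py 192.0.2.10 192.0.2.11 ...
    for ip, (status, name) in audit(sys.argv[1:]).items():
        print(f"{ip:<40} {status:<16} {name or '-'}")
```

Any address that does not report `ok` is one whose handling depends on those two shield.conf settings, so fix the zone data first and test pam_shield afterwards.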