Yesterday I installed pam_shield and followed the testing suggested and thought all was well. Today I find that I cannot get to my email account. I can log in via ssh okay (uses keys) but su and sudo give segmentation faults. I am guessing due to the pam module causing a problem. As I cannot do remote login as root and sudo and su use pam I appear to have locked myself out.
I have not encountered this issue. And I have been using it on 32bit and 64bit machines with RHEL4 and RHEL5. I guess it must be related to a configuration issue somewhere. Not good though.
Was this with the 0.9.2 release, or the 0.9.3 release?
Please provide this information to the author, he might help you find the cause and fix it in pam_shield.
Thanks for reporting,
Update - running 0.9.2 release on both a .386 and a .x86_64 system. I think the location of the auth optional pam_shield.so line within the /etc/pam.d/ config files is important?? I had an error on the 64 bit machine thus it was not running - I have now fixed it and, after looking at the response from S.Tindall, I have moved the line to the location as shown in /etc/pam.d/system-auth-ac:
<snip>
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth optional pam_shield.so
auth required pam_deny.so
<snip>
Let's see if this works.
I've tried that too and it was a good suggestion as su now crashes only if you enter a wrong password. I've also tried to rebuild rpmforge srpm with no luck. Could you really make this thing work? I mean did it actually block anything after a series of failed logins?
As I said, we use it for various services on all Internet-bound systems. And yes it works fine. Example: /etc/pam.d/sshd
#%PAM-1.0
auth optional pam_shield.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
You don't want to add this to /etc/pam.d/system-auth simply because it makes no sense to enable pam_shield for things like su, screen, reboot, etc... If you understand what pam_shield does (eg. read the documentation), you'd never want to enable it for all PAM services that use system-auth. EVER.
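As an added illustration (not code from this thread or from pam_shield), the Python sketch below resolves a service's auth stack through its include lines and reports where pam_shield.so enters it, and whether a sufficient module precedes it, in which case PAM skips pam_shield.so whenever that module succeeds. The sample files are constructed, modelled on the configurations quoted above, and the function names are hypothetical.

```python
# Constructed sample files, modelled on the configurations quoted in this thread.
SAMPLE = {
    "system-auth": "auth required pam_env.so\n"
                   "auth sufficient pam_unix.so nullok try_first_pass\n"
                   "auth optional pam_shield.so\n"
                   "auth required pam_deny.so\n",
    "sshd": "#%PAM-1.0\n"
            "auth optional pam_shield.so\n"
            "auth include system-auth\n"
            "account required pam_nologin.so\n",
    "su": "auth sufficient pam_rootok.so\n"
          "auth include system-auth\n",
}

def auth_stack(service, files, seen=()):
    """Return [(source_file, control, module)] for the auth stack, following includes."""
    if service in seen or service not in files:
        return []  # include loop or missing file: nothing to add
    stack = []
    for line in files[service].splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields or fields[0].lstrip("-") != "auth":
            continue
        if len(fields) > 1 and fields[1].startswith("["):
            # Bracketed control, e.g. [success=1 default=ignore]: rejoin its tokens.
            end = next((i for i, f in enumerate(fields) if f.endswith("]")), 1)
            fields[1:end + 1] = [" ".join(fields[1:end + 1])]
        if len(fields) < 3:
            continue
        control, module = fields[1], fields[2]
        if control in ("include", "substack"):
            stack += auth_stack(module, files, seen + (service,))
        else:
            stack.append((service, control, module))
    return stack

def shield_report(files, service):
    """List (source_file, after_sufficient) for each pam_shield.so the service reaches."""
    report, sufficient_seen = [], False
    for source, control, module in auth_stack(service, files):
        if module == "pam_shield.so":
            report.append((source, sufficient_seen))
        sufficient_seen = sufficient_seen or control == "sufficient"
    return report

if __name__ == "__main__":
    for svc in ("sshd", "su"):
        print(svc, shield_report(SAMPLE, svc))
```

With the line present in system-auth, the report for su is non-empty, which shows a local service picking the module up through the include.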
I'm in no way a pam expert, yes. So I have to rely on the documentation which comes with the package.
# cat /usr/share/doc/pam_shield-0.9.3/INSTALL
...
If you want to use pam_shield for all services, edit /etc/pam.d/common-auth. Add the line
auth optional pam_shield.so
and that's that.
...
And that's about the only hint on how and where to enable pam_shield. I've tried to add this line to /etc/pam.d/sshd too. Fortunately it didn't crash anything but it didn't work either.
# diff -bB /etc/security/shield.conf.original /etc/security/shield.conf 56c56 < max_conns 10 ---
max_conns 3
67c67 < interval 5m ---
interval 60
72c72 < retention 1w ---
retention 60
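Review bot: in the 67c67 and 72c72 changes the new interval and retention values are bare numbers (60), while the lines they replace carried unit suffixes (5m, 1w), so the unit of the new values is left implicit. Write the suffix explicitly on both lines, and confirm that a retention equal to the interval is really intended, since both are now 60.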
The system is 64-bit CentOS 5.5, fully updated. Switching off SELinux didn't help.
So the question remains. Could anybody besides the maintainer make this very version of pam_shield (0.9.3-1.el5.rf.x86_64) work?
Thanks