[CentOS] PAM_shield locking me out?

Fri Aug 27 10:13:15 UTC 2010
Dag Wieers <dag at wieers.com>

On Fri, 27 Aug 2010, A. Kirillov wrote:

>>>> Yesterday I installed pam_shield and followed the testing suggested and
>>>> thought all was well.
>>>> today I find that I cannot get to my email account, I can login via ssh okay
>>>> (uses keys) but su and sudo give
>>>> segmentation faults. I am guessing due to the pam module causing a problem.
>>>> As I cannot do remote login as root and sudo and su use pam I appear to have
>>>> locked myself out.
>>>
>>> I have not encountered this issue. And I have been using it on 32bit and
>>> 64bit machines with RHEL4 and RHEL5. I guess it must be related to a
>>> configuration issue somewhere. Not good though.
>>>
>>> Was this with the 0.9.2 release, or the 0.9.3 release ?
>>>
>>> Please provide this information to the author, he might help you find the
>>> cause and fix it in pam_shield.
>>>
>>> Thanks for reporting,
>>
>> Update - running 0.9.2 release on both a .386 and a .x86_64 system
>> I think the location of the
>> auth   optional    pam_shield.so
>> line within the /etc/pam.d/ config files is important??
>> I had an error on the 64 bit machine thus it was not running - I have
>> now fixed and after looking at the response from S.Tindall I have moved
>> the line to the location as shown in /etc/pam.d/system-auth-ac:
>> <snip>
>> auth        required      pam_env.so
>> auth        sufficient    pam_unix.so nullok try_first_pass
>> auth        requisite     pam_succeed_if.so uid >= 500 quiet
>> auth        sufficient    pam_krb5.so use_first_pass
>> auth        optional      pam_shield.so
>> auth        required      pam_deny.so
>> <snip>
>> Let's see if this works.
>
> I've tried that too and it was a good suggestion
> as su now crashes only if you enter a wrong password.
> I've also tried to rebuild rpmforge srpm with no luck.
> Could you really make this thing work? I mean did it
> actually block anything after a series of failed logins?

As I said, we use it for various services on all Internet-bound systems. 
And yes it works fine. Example: /etc/pam.d/sshd

------
#%PAM-1.0
auth       optional     pam_shield.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
------

You don't want to add this to /etc/pam.d/system-auth simply because it 
makes no sense to enable pam_shield for things like su, screen, reboot, 
etc... If you understand what pam_shield does (e.g. read the 
documentation), you'd never want to enable it for all PAM services that 
use system-auth. EVER.

-- 
--   dag wieers,  dag at wieers.com,  http://dag.wieers.com/   --
[Any errors in spelling, tact or fact are transmission errors]
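A small audit script, added here and not part of the thread or of pam_shield itself, that checks a PAM configuration directory for the placement Dag describes: it lists the service files that name pam_shield.so directly, flags the module sitting in the shared system-auth stack, and shows which services (su, sudo and friends) would inherit it through "auth include system-auth". The directory contents are constructed samples written to a temp dir, so it runs offline.

```shell
#!/bin/sh
# Audit a PAM config dir for where pam_shield.so is wired in (constructed samples).
set -eu
export LC_ALL=C
PAMDIR="$(mktemp -d)"
trap 'rm -rf "$PAMDIR"' EXIT
# Constructed sample: pam_shield placed inside the shared system-auth stack
cat > "$PAMDIR/system-auth" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        optional      pam_shield.so
auth        required      pam_deny.so
EOF
# Constructed sample: the per-service placement from the sshd file in the thread
cat > "$PAMDIR/sshd" <<'EOF'
#%PAM-1.0
auth       optional     pam_shield.so
auth       include      system-auth
EOF
# Constructed sample: a service that only includes the shared stack
cat > "$PAMDIR/su" <<'EOF'
#%PAM-1.0
auth       include      system-auth
EOF
SHIELD_RE='^[[:space:]]*auth[[:space:]].*pam_shield\.so'
# direct_shield DIR: service files whose own auth stack names pam_shield.so
direct_shield() {
  for f in "$1"/*; do
    grep -qE "$SHIELD_RE" "$f" && basename "$f"
  done
  return 0
}
# shield_in_shared_stack DIR: true when pam_shield.so sits in system-auth or
# system-auth-ac, the stack that su, sudo, screen etc. pull in via "include"
shield_in_shared_stack() {
  for f in "$1"/system-auth "$1"/system-auth-ac; do
    [ -f "$f" ] && grep -qE "$SHIELD_RE" "$f" && return 0
  done
  return 1
}
# inherited_shield DIR: services that get pam_shield only because the shared
# stack carries it and they "auth include system-auth"
inherited_shield() {
  shield_in_shared_stack "$1" || return 0
  for f in "$1"/*; do
    grep -qE '^[[:space:]]*auth[[:space:]]+include[[:space:]]+system-auth' "$f" && basename "$f"
  done
  return 0
}
direct_shield "$PAMDIR"; inherited_shield "$PAMDIR"
```

Point it at a real /etc/pam.d by replacing the constructed PAMDIR; an empty inherited_shield result means the shared stack is clean.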