On Fri, 27 Aug 2010, A. Kirillov wrote:

>>>> Yesterday I installed pam_shield and followed the testing suggested and
>>>> thought all was well.
>>>> today I find that I cannot get to my email account, I can login via ssh okay
>>>> (uses keys) but su and sudo give
>>>> segmentation faults. I am guessing due to the pam module causing a problem.
>>>> As I cannot do remote login as root and sudo and su use pam I appear to have
>>>> locked myself out.
>>>
>>> I have not encountered this issue. And I have been using it on 32bit and
>>> 64bit machines with RHEL4 and RHEL5. I guess it must be related to a
>>> configuration issue somewhere. Not good though.
>>>
>>> Was this with the 0.9.2 release, or the 0.9.3 release ?
>>>
>>> Please provide this information to the author, he might help you find the
>>> cause and fix it in pam_shield.
>>>
>>> Thanks for reporting,
>>
>> Update - running 0.9.2 release on both a .386 and a .x86_64 system
>> I think the location of the
>> auth optional pam_shield.so
>> line within the /etc/pam.d/ config files is important??
>> I had an error on the 64 bit machine thus it was not running - I have
>> now fixed and after looking at the response from S.Tindall I have moved
>> the line to the location as shown in /etc/pam.d/system-auth-ac:
>> <snip>
>> auth required pam_env.so
>> auth sufficient pam_unix.so nullok try_first_pass
>> auth requisite pam_succeed_if.so uid >= 500 quiet
>> auth sufficient pam_krb5.so use_first_pass
>> auth optional pam_shield.so
>> auth required pam_deny.so
>> <snip>
>> Let's see if this works.
>
> I've tried that too and it was a good suggestion
> as su now crashes only if you enter a wrong password.
> I've also tried to rebuild rpmforge srpm with no luck.
> Could you really make this thing work? I mean did it
> actually block anything after a series of failed logins?

As I said, we use it for various services on all Internet-bound systems.
And yes it works fine.

Example: /etc/pam.d/sshd
------
#%PAM-1.0
auth optional pam_shield.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
------

You don't want to add this to /etc/pam.d/system-auth simply because it
makes no sense to enable pam_shield for things like su, screen, reboot,
etc...

If you understand what pam_shield does (e.g. read the documentation), you'd
never want to enable it for all PAM services that use system-auth. EVER.

--
-- dag wieers, dag at wieers.com, http://dag.wieers.com/ --
[Any errors in spelling, tact or fact are transmission errors]
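
An added example, not part of the original message and not pam_shield's own code: a small Python audit that follows `include`/`substack` lines and reports which services end up loading pam_shield.so, flagging local-only ones such as su. The sample configs, the LOCAL_ONLY set and the function names are constructed for illustration.

```python
import re

# Constructed sample (not the thread's real files): pam_shield sits in the
# shared system-auth stack, which both sshd and su include.
SAMPLE = {
    "system-auth": "auth required pam_env.so\n"
                   "auth sufficient pam_unix.so nullok try_first_pass\n"
                   "auth optional pam_shield.so\n"
                   "auth required pam_deny.so\n",
    "sshd": "#%PAM-1.0\nauth include system-auth\naccount required pam_nologin.so\n",
    "su": "#%PAM-1.0\nauth sufficient pam_rootok.so\nauth include system-auth\n",
}
SHARED = {"system-auth", "system-auth-ac"}       # shared stacks, not services
LOCAL_ONLY = {"su", "sudo", "screen", "reboot"}  # assumption: adjust per site
# type, control (simple word or [bracketed]), then module path or include target
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def chain_to(service, configs, module, seen=None):
    """Return the include chain by which `service` loads `module`, else None."""
    seen = set() if seen is None else seen
    if service in seen or service not in configs:
        return None
    seen.add(service)
    for line in configs[service].splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if not m:
            continue
        control, target = m.group(2), m.group(3)
        if control in ("include", "substack"):
            sub = chain_to(target, configs, module, seen)
            if sub:
                return [service] + sub
        elif target.rsplit("/", 1)[-1] == module:
            return [service]
    return None

def audit(configs, module="pam_shield.so"):
    """Map each service loading `module` to its chain and a local-only flag."""
    report = {}
    for svc in sorted(set(configs) - SHARED):
        chain = chain_to(svc, configs, module)
        if chain:
            report[svc] = {"via": chain, "flag": svc in LOCAL_ONLY}
    return report

if __name__ == "__main__":
    for svc, info in audit(SAMPLE).items():
        note = "  <-- local-only service, should not load it" if info["flag"] else ""
        print(f"{svc}: {' -> '.join(info['via'])}{note}")
```

To check a live system, build the `configs` dict from the files under /etc/pam.d/ instead of SAMPLE.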