[CentOS] PAM_shield locking me out?

Fri Aug 27 12:27:13 UTC 2010
A. Kirillov <nevis2us at infoline.su>

> >>>> Yesterday I installed pam_shield and followed the testing suggested and
> >>>> thought all was well.
> >>>> Today I find that I cannot get to my email account, I can login via ssh okay
> >>>> (uses keys) but su and sudo give
> >>>> segmentation faults. I am guessing due to the pam module causing a problem.
> >>>> As I cannot do remote login as root, and sudo and su use pam, I appear to have
> >>>> locked myself out.
> >>>
> >>> I have not encountered this issue. And I have been using it on 32bit and
> >>> 64bit machines with RHEL4 and RHEL5. I guess it must be related to a
> >>> configuration issue somewhere. Not good though.
> >>>
> >>> Was this with the 0.9.2 release, or the 0.9.3 release?
> >>>
> >>> Please provide this information to the author, he might help you find the
> >>> cause and fix it in pam_shield.
> >>>
> >>> Thanks for reporting,
> >>
> >> Update - running 0.9.2 release on both a .386 and a .x86_64 system
> >> I think the location of the
> >> auth   optional    pam_shield.so
> >> line within the /etc/pam.d/ config files is important??
> >> I had an error on the 64-bit machine, thus it was not running. I have
> >> now fixed it and, after looking at the response from S.Tindall, I have moved
> >> the line to the location as shown in /etc/pam.d/system-auth-ac:
> >> <snip>
> >> auth        required      pam_env.so
> >> auth        sufficient    pam_unix.so nullok try_first_pass
> >> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> >> auth        sufficient    pam_krb5.so use_first_pass
> >> auth        optional      pam_shield.so
> >> auth        required      pam_deny.so
> >> <snip>
> >> Let's see if this works.
> >
> > I've tried that too and it was a good suggestion
> > as su now crashes only if you enter a wrong password.
> > I've also tried to rebuild rpmforge srpm with no luck.
> > Could you really make this thing work? I mean did it
> > actually block anything after a series of failed logins?
> 
> As I said, we use it for various services on all Internet-bound systems. 
> And yes it works fine. Example: /etc/pam.d/sshd
> 
> ------
> #%PAM-1.0
> auth       optional     pam_shield.so
> auth       include      system-auth
> account    required     pam_nologin.so
> account    include      system-auth
> password   include      system-auth
> session    optional     pam_keyinit.so force revoke
> session    include      system-auth
> session    required     pam_loginuid.so
> ------
> 
> You don't want to add this to /etc/pam.d/system-auth simply because it 
> makes no sense to enable pam_shield for things like su, screen, reboot, 
> etc... If you understand what pam_shield does (e.g. read the 
> documentation), you'd never want to enable it for all PAM services that 
> use system-auth. EVER.

I'm in no way a pam expert, yes.
So I have to rely on the documentation which comes with the package.

# cat /usr/share/doc/pam_shield-0.9.3/INSTALL
...
If you want to use pam_shield for all services,
edit /etc/pam.d/common-auth.
Add the line

        auth optional   pam_shield.so

and that's that.
...

And that's about the only hint on how and where to enable pam_shield.
I've tried to add this line to /etc/pam.d/sshd too.
Fortunately it didn't crash anything but it didn't work either.

# diff -bB /etc/security/shield.conf.original /etc/security/shield.conf
56c56
< max_conns 10
---
> max_conns 3
67c67
< interval 5m
---
> interval 60
72c72
< retention 1w
---
> retention 60

The system is 64-bit CentOS 5.5, fully updated.
Switching off SELinux didn't help.

So the question remains.
Could anybody besides the maintainer
make this very version of pam_shield (0.9.3-1.el5.rf.x86_64) work?

Thanks
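Added example (not part of the thread and not pam_shield's own tooling): a small Python checker that flattens a PAM `auth` stack, following `include` and `substack` directives, and reports where `pam_shield.so` ends up for a given service. It makes the two points raised above concrete: a line placed in a shared stack such as `system-auth` is inherited by every service that includes it (su, screen, etc.), and a line placed after a `sufficient` module only runs when the preceding modules fail, which matches the observation that su only crashed on a wrong password once the line was moved below `pam_unix.so`. The sample files are constructed from the `sshd` and `system-auth-ac` snippets in the thread; the `su` file and the `system-auth` -> `system-auth-ac` indirection are assumptions for illustration, not copies of the real CentOS files.

```python
"""Flatten PAM auth stacks and locate pam_shield.so in each service.

Constructed sample data, modelled on the snippets quoted in the thread.
Not the real /etc/pam.d contents of any particular system.
"""
import re

SAMPLE_PAMD = {
    # From the thread's /etc/pam.d/system-auth-ac snippet.
    "system-auth-ac": """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        optional      pam_shield.so
auth        required      pam_deny.so
""",
    # Assumption: on CentOS 5 system-auth is a symlink to system-auth-ac;
    # modelled here as an include so the resolver has something to follow.
    "system-auth": "auth include system-auth-ac\n",
    # From the thread's /etc/pam.d/sshd example (auth/account lines only).
    "sshd": """\
#%PAM-1.0
auth       optional     pam_shield.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
""",
    # Assumed, illustrative su stack: root is let through by pam_rootok.
    "su": """\
auth       sufficient   pam_rootok.so
auth       include      system-auth
account    include      system-auth
""",
}

# type  control-or-[bracketed control]  module  optional-args
_LINE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")


def parse_pam_file(text):
    """Return (type, control, module, args) tuples, skipping comments/blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if m:
            entries.append(m.groups())
    return entries


def expand_stack(files, service, mtype, seen=frozenset()):
    """Flatten the `mtype` stack (e.g. 'auth') of `service`, resolving includes.

    Each element is (control, module, args, source_file) so a caller can tell
    which file actually contributed the line.
    """
    if service in seen:
        raise ValueError("include loop at %s" % service)
    if service not in files:
        raise KeyError("PAM service file not found: %s" % service)
    out = []
    for typ, ctrl, mod, args in parse_pam_file(files[service]):
        if typ.lstrip("-") != mtype:       # '-auth' means "silently skip if missing"
            continue
        if ctrl in ("include", "substack"):
            out.extend(expand_stack(files, mod, mtype, seen | {service}))
        else:
            out.append((ctrl, mod, args, service))
    return out


def shield_report(files, service):
    """Describe where pam_shield.so sits in the auth stack of `service`."""
    stack = expand_stack(files, service, "auth")
    hits = [i for i, (_, mod, _, _) in enumerate(stack) if mod == "pam_shield.so"]
    if not hits:
        return {"present": False}
    first = hits[0]
    # A 'sufficient' module that succeeds ends the stack early, so anything
    # after it is only consulted when that module fails.
    skipped_after = [mod for ctrl, mod, _, _ in stack[:first] if ctrl == "sufficient"]
    return {
        "present": True,
        "occurrences": len(hits),
        "via": stack[first][3],                  # file that contributed the line
        "inherited": stack[first][3] != service,  # came from a shared stack
        "runs_on_every_attempt": not skipped_after,
        "skipped_after": skipped_after,
    }


def services_reaching_shield(files):
    """Sorted names of every service whose auth stack reaches pam_shield.so."""
    return sorted(s for s in files if shield_report(files, s)["present"])


if __name__ == "__main__":
    for svc in sorted(SAMPLE_PAMD):
        print(svc, shield_report(SAMPLE_PAMD, svc))
```

For the `sshd` file the line is local and first, so it runs on every attempt; for `su` it is inherited from `system-auth-ac` and sits behind three `sufficient` modules, so it only runs after a failed password, and it applies to every other service that includes `system-auth`. Pointing the reader at the real `/etc/pam.d` directory only needs `SAMPLE_PAMD` replaced by a dict built from the files on disk.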