[CentOS] [SOLVED?] PAM_shield locking me out?

Wed Sep 1 15:01:20 UTC 2010
Dag Wieers <dag at wieers.com>

On Sat, 28 Aug 2010, A. Kirillov wrote:

>> And that's about the only hint on how and where to enable pam_shield.
>> I've tried to add this line to /etc/pam.d/sshd too.
>> Fortunately it didn't crash anything but it didn't work either.
>
> Here's the story for those interested. With the default of
>
> allow_missing_dns no
> allow_missing_reverse no
>
> pam_shield DOESN'T BLOCK hosts with no or incomplete dns entries,
> which is a surprise. Should I say a big one? The reason it didn't work
> for me was that bind wasn't adding reverse maps for my local hosts
> because of screwed up zone file permissions.
>
> On a side note, when testing pam_shield with a recommended
> retention period of 60 secs you have to run /etc/cron.daily/pam-shield
> manually to release expired locks.

Welcome to the wonderful world of Open Source!

If you want to make a difference here, please talk to the upstream 
developers, rather than to this list.

Now, since I use pam_shield myself I have reported both problems (segfault 
of su and login when configuring in /etc/pam.d/system-auth, and the 
above). I haven't tested both, so any feedback or test case to replicate 
the problem is welcomed by the upstream developers (does not include me).

We also discussed some other improvements:

  - using AUTHPRIV instead of AUTH for logging
  - including shield-trigger-iptables
  - Fixes to Makefile
  - Including manual pages
  - Fixes to INSTALL
  - Both registered bugs

Kind regards,
-- 
--   dag wieers,  dag at wieers.com,  http://dag.wieers.com/   --
[Any errors in spelling, tact or fact are transmission errors]