sysadmin user not locked out after 5 wrong password attempts

Bug #1834116 reported by Peng Peng

Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Saul Wold

Bug Description

Brief Description
-----------------
Logging in as sysadmin: after 5 wrong password attempts, the system does not lock the account out and login with the correct password still succeeds.

Severity
--------
Major

Steps to Reproduce
------------------
1. Make 5 wrong password attempts
2. Log in with the correct password

TC-name: test_linux_user_lockout

Expected Behavior
------------------
System locks the account out and login is not possible.

Actual Behavior
----------------
Login succeeds.

Reproducibility
---------------
Reproducible

System Configuration
--------------------
Multi-node system

Lab-name: wcp_63-66

Branch/Pull Time/Commit
-----------------------
stx master as of 20190622T013000Z

Last Pass
---------
20190503T013000Z

Timestamp/Logs
--------------
[2019-06-23 04:07:57,399] 792 INFO MainThread test_linux_user_password_aging.test_linux_user_lockout:: 1: Expecting to fail to login with invalid password, host:128.224.151.85, user:sysadmin, password:123

[2019-06-23 04:07:57,400] 710 INFO MainThread test_linux_user_password_aging.log_in_raw:: logging onto host:128.224.151.85 as user:sysadmin with password:123

After 5 attempts:

[2019-06-23 04:08:12,134] 747 INFO MainThread test_linux_user_password_aging.log_in_raw:: Error, expecting to fail but actually logged in, host:128.224.151.85 as user:sysadmin with password:Li69nux*

output before:, after:
Last failed login: Sun Jun 23 04:08:11 UTC 2019 from 128.224.150.21 on ssh:notty
There were 10 failed login attempts since the last successful login.
Last login: Sun Jun 23 04:07:57 2019 from 128.224.150.21

/etc/motd.d/00-header:


WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your
actions may be monitored if unauthorized usage is suspected.

controller-1:~$

Test Activity
-------------
Regression Testing

Numan Waheed (nwaheed): tags added: stx.regression stx.retestneeded
Ghada Khalil (gkhalil): summary changed from "linux_user 5 WRONG password attamp lockout failed" to "linux user not locked out after 5 wrong password attempts", then to "sysadmin user not locked out after 5 wrong password attempts"
Ghada Khalil (gkhalil) wrote:

Marking as stx.2.0 gating; this was working until recently, so perhaps something was missed in the transition from wrsroot to sysadmin.

Assigning to Saul to review or re-assign to someone in his team

tags: added: stx.2.0 stx.security
Changed in starlingx:
importance: Undecided → Medium
status: New → Triaged
assignee: nobody → Saul Wold (sgw-starlingx)
Saul Wold (sgw-starlingx) wrote:

Interesting, this is not code that I have changed. This would normally be handled by PAM, and having reviewed the changes to the PAM configuration I cannot find any reference to faillock (which is the module that would do the locking).

I found references to faillock in the new test repo's tests here [1]:

:Test ID: SECURITY_password_rule_setup_03
:Test Title: password rule locked out.
:Tags: psswd

It had a "Test Setup" section that required editing the pam.d files to enable the faillock module.

[1] doc/source/manual_tests/security/security_passw_rule_setup.rst

Is it possible the test listed in this bug report is run after the manual modifications for the password rule locked out test?

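To make the preceding comment's point concrete, the shell check below is an added example, not part of this bug report and not StarlingX code: it audits a PAM auth stack for the three pam_faillock hooks a CentOS 7 style lockout policy needs (an auth preauth line before pam_unix.so, an auth authfail line after it, and an account line) and reads the deny= limit. The two sample stacks and the function names are constructed for the example; the first stack is the shape that counts failures in btmp (hence the "10 failed login attempts" MOTD line in the log above) without ever refusing the correct password.

```shell
#!/bin/sh
# Added example, not StarlingX code: audit a PAM auth stack for a
# pam_faillock lockout policy. Both stacks below are constructed samples.

# Constructed sample: no lockout. pam_lastlog still reports the failures,
# but no module ever denies a correct password.
PAM_WITHOUT_LOCKOUT='auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
account     required      pam_unix.so'

# Constructed sample: the same stack with pam_faillock wired in (deny=5).
# preauth must run before pam_unix.so, authfail after it, and the account
# phase must consult faillock too, or the lockout is silently ineffective.
PAM_WITH_LOCKOUT='auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=5 unlock_time=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so'

# faillock_deny_limit STACK_TEXT
# Prints the deny= value from the first auth-phase pam_faillock line that
# carries one, or "none" when the module is never referenced with a limit.
faillock_deny_limit() {
    printf '%s\n' "$1" | awk '
        $1 == "auth" && $3 == "pam_faillock.so" {
            for (i = 4; i <= NF; i++)
                if ($i ~ /^deny=/) { sub(/^deny=/, "", $i); print $i; found = 1; exit }
        }
        END { if (!found) print "none" }'
}

# lockout_policy_ok STACK_TEXT MAX_ATTEMPTS
# Exits 0 only if the stack has a preauth line before pam_unix.so, an
# authfail line after it carrying deny=MAX_ATTEMPTS, and an account line.
lockout_policy_ok() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "auth" && $3 == "pam_unix.so"                      { unix_seen = 1 }
        $1 == "auth" && $3 == "pam_faillock.so" && /preauth/     { pre = !unix_seen }
        $1 == "auth" && $3 == "pam_faillock.so" && /authfail/ {
            for (i = 4; i <= NF; i++)
                if ($i == ("deny=" want) && unix_seen) fail = 1
        }
        $1 == "account" && $3 == "pam_faillock.so"               { acct = 1 }
        END { if (pre && fail && acct) exit 0; exit 1 }'
}

# Stand-alone demo over the constructed samples.
for name in PAM_WITHOUT_LOCKOUT PAM_WITH_LOCKOUT; do
    eval "stack=\$$name"
    if lockout_policy_ok "$stack" 5; then
        echo "$name: locks the account after $(faillock_deny_limit "$stack") failures"
    else
        echo "$name: no effective lockout (deny=$(faillock_deny_limit "$stack"))"
    fi
done
```

On a real controller, run the check against the stack sshd actually uses (on CentOS 7 /etc/pam.d/sshd pulls in password-auth via substack, so system-auth alone is not enough), e.g. `lockout_policy_ok "$(cat /etc/pam.d/password-auth)" 5`, and inspect the live counter with `faillock --user sysadmin` (cleared with `faillock --user sysadmin --reset`). An audit like this is what would have caught the missing faillock lines before the regression test did.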
Ghada Khalil (gkhalil) wrote:

The fix was submitted for the duplicate bug:
https://review.opendev.org/669279

Merged on 2019-07-09

Changed in starlingx:
status: Triaged → Fix Released
Peng Peng (ppeng)
tags: removed: stx.retestneeded
Ghada Khalil (gkhalil) wrote:

An additional fix was required for the duplicate bug:
https://review.opendev.org/670955

Merged on 2019-07-26
