| 2021-05-08 00:12:15 |
Richard Maciel Costa |
bug |
|
|
added bug |
| 2021-05-08 00:12:15 |
Richard Maciel Costa |
attachment added |
|
Zip file containg debdiffs of all PAM packages for current supported and for the next distro https://bugs.launchpad.net/bugs/1927796/+attachment/5495607/+files/debdiffs.tgz |
|
| 2021-05-10 21:32:57 |
Launchpad Janitor |
pam (Ubuntu): status |
New |
Confirmed |
|
| 2021-05-10 21:35:57 |
Mark Cunningham |
description |
[IMPACT]
There is a known issue in pam_tally2 which may cause an account to be lock down even with correct password, in a busy node environment where simultaneous logins takes place (https://github.com/linux-pam/linux-pam/issues/71).
There are already two customer cases from the US Army complaining about this behavior (https://canonical.lightning.force.com/lightning/r/Case/5004K000003vkq4QAA/view and https://canonical.lightning.force.com/lightning/r/Case/5004K000003tkbmQAA/view).
Also, potentially, this will cause further problems in the future, since both STIG benchmarks and CIS benchmarks rely on pam_tally2 to lock accounts when wrong passwords are used. And both benchmarks - but specially STIG - requires use of a lot of audit rules, which can lead to the busy node environment.
The issue impacts all pam_tally2 versions distributed in all currently supported Ubuntu versions and also the next unreleased one. Note that, according to https://github.com/linux-pam/linux-pam/issues/71, there is no plan to fix this issue!
[FIX]
This fix proposes to add pam_faillock module to the PAM package, so users of pam_tally2 having issues can migrate to pam_faillock. We also plan to modify the current STIG benchmarks to rely on pam_faillock instead of pam_tally2, but in order to do so, we need the pam_faillock module to be available.
Note that we don't propose to remove pam_tally2, since not every user of this module is affected.
[TEST]
Tested on a VM installed with Focal server iso and on another with Bionic server iso. Enabled pam_faillock module as recommeded by its man page. Then tried to log over ssh with an incorrect password, until the account got locked. Waited for the configured grace time to unlock and logged in using the correct password.
Note that, since the pam_tally2 issue is caused by a racing condition, with a hard to recreate environment (we could not even reproduce it with pam_tally2), we could not reproduce the conditions to test pam_faillock with.
[REGRESSION POTENTIAL]
The regression potential for this is small, since we're not removing the old pam_tally2 module, just adding another one. So anyone still using pam_tally2 will be able to do so. |
[IMPACT]
There is a known issue in pam_tally2 which may cause an account to be lock down even with correct password, in a busy node environment where simultaneous logins takes place (https://github.com/linux-pam/linux-pam/issues/71).
There are already two customer cases from Canonical clients complaining about this behavior (00297697 and 00303806).
Also, potentially, this will cause further problems in the future, since both STIG benchmarks and CIS benchmarks rely on pam_tally2 to lock accounts when wrong passwords are used. And both benchmarks - but specially STIG - requires use of a lot of audit rules, which can lead to the busy node environment.
The issue impacts all pam_tally2 versions distributed in all currently supported Ubuntu versions and also the next unreleased one. Note that, according to https://github.com/linux-pam/linux-pam/issues/71, there is no plan to fix this issue!
[FIX]
This fix proposes to add pam_faillock module to the PAM package, so users of pam_tally2 having issues can migrate to pam_faillock. We also plan to modify the current STIG benchmarks to rely on pam_faillock instead of pam_tally2, but in order to do so, we need the pam_faillock module to be available.
Note that we don't propose to remove pam_tally2, since not every user of this module is affected.
[TEST]
Tested on a VM installed with Focal server iso and on another with Bionic server iso. Enabled pam_faillock module as recommeded by its man page. Then tried to log over ssh with an incorrect password, until the account got locked. Waited for the configured grace time to unlock and logged in using the correct password.
Note that, since the pam_tally2 issue is caused by a racing condition, with a hard to recreate environment (we could not even reproduce it with pam_tally2), we could not reproduce the conditions to test pam_faillock with.
[REGRESSION POTENTIAL]
The regression potential for this is small, since we're not removing the old pam_tally2 module, just adding another one. So anyone still using pam_tally2 will be able to do so. |
|
| 2021-05-10 22:28:37 |
Dominique Poulain |
bug |
|
|
added subscriber Dominique Poulain |
| 2021-05-11 10:38:47 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Focal |
|
| 2021-05-11 10:38:47 |
Marc Deslauriers |
bug task added |
|
pam (Ubuntu Focal) |
|
| 2021-05-11 10:38:47 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Hirsute |
|
| 2021-05-11 10:38:47 |
Marc Deslauriers |
bug task added |
|
pam (Ubuntu Hirsute) |
|
| 2021-05-11 10:38:47 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Groovy |
|
| 2021-05-11 10:38:47 |
Marc Deslauriers |
bug task added |
|
pam (Ubuntu Groovy) |
|
| 2021-05-11 10:38:47 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Bionic |
|
| 2021-05-11 10:38:47 |
Marc Deslauriers |
bug task added |
|
pam (Ubuntu Bionic) |
|
| 2021-05-11 10:38:47 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Impish |
|
| 2021-05-11 10:38:47 |
Marc Deslauriers |
bug task added |
|
pam (Ubuntu Impish) |
|
| 2021-05-11 16:41:40 |
Marc Deslauriers |
attachment added |
|
Hirsute debdiff https://bugs.launchpad.net/ubuntu/+source/pam/+bug/1927796/+attachment/5496423/+files/pam_1.3.1-5ubuntu6.21.04.1.debdiff |
|
| 2021-05-11 16:42:05 |
Marc Deslauriers |
attachment added |
|
Groovy debdiff https://bugs.launchpad.net/ubuntu/+source/pam/+bug/1927796/+attachment/5496424/+files/pam_1.3.1-5ubuntu6.20.10.1.debdiff |
|
| 2021-05-11 16:42:27 |
Marc Deslauriers |
attachment added |
|
Focal debdiff https://bugs.launchpad.net/ubuntu/+source/pam/+bug/1927796/+attachment/5496425/+files/pam_1.3.1-5ubuntu4.2.debdiff |
|
| 2021-05-11 16:42:49 |
Marc Deslauriers |
attachment added |
|
Bionic debdiff https://bugs.launchpad.net/ubuntu/+source/pam/+bug/1927796/+attachment/5496426/+files/pam_1.1.8-3.6ubuntu2.18.04.3.debdiff |
|
| 2021-05-11 17:16:51 |
Marc Deslauriers |
pam (Ubuntu Bionic): status |
New |
In Progress |
|
| 2021-05-11 17:16:54 |
Marc Deslauriers |
pam (Ubuntu Focal): status |
New |
In Progress |
|
| 2021-05-11 17:16:58 |
Marc Deslauriers |
pam (Ubuntu Groovy): status |
New |
In Progress |
|
| 2021-05-11 17:17:00 |
Marc Deslauriers |
pam (Ubuntu Hirsute): status |
New |
In Progress |
|
| 2021-05-11 17:17:03 |
Marc Deslauriers |
pam (Ubuntu Impish): status |
Confirmed |
Fix Committed |
|
| 2021-05-11 17:17:16 |
Marc Deslauriers |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2021-05-11 21:43:26 |
Marc Deslauriers |
bug |
|
|
added subscriber Marc Deslauriers |
| 2021-05-13 05:59:07 |
Matthew Ruffell |
bug |
|
|
added subscriber Matthew Ruffell |
| 2021-05-13 14:55:20 |
Łukasz Zemczak |
pam (Ubuntu Hirsute): status |
In Progress |
Fix Committed |
|
| 2021-05-13 14:55:24 |
Łukasz Zemczak |
bug |
|
|
added subscriber SRU Verification |
| 2021-05-13 14:55:27 |
Łukasz Zemczak |
tags |
pam-faillock pam-tally2 |
pam-faillock pam-tally2 verification-needed verification-needed-hirsute |
|
| 2021-05-13 15:19:22 |
Łukasz Zemczak |
pam (Ubuntu Groovy): status |
In Progress |
Fix Committed |
|
| 2021-05-13 15:19:27 |
Łukasz Zemczak |
tags |
pam-faillock pam-tally2 verification-needed verification-needed-hirsute |
pam-faillock pam-tally2 verification-needed verification-needed-groovy verification-needed-hirsute |
|
| 2021-05-13 15:24:48 |
Łukasz Zemczak |
pam (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
| 2021-05-13 15:24:54 |
Łukasz Zemczak |
tags |
pam-faillock pam-tally2 verification-needed verification-needed-groovy verification-needed-hirsute |
pam-faillock pam-tally2 verification-needed verification-needed-focal verification-needed-groovy verification-needed-hirsute |
|
| 2021-05-13 15:47:55 |
Łukasz Zemczak |
pam (Ubuntu Bionic): status |
In Progress |
Fix Committed |
|
| 2021-05-13 15:48:02 |
Łukasz Zemczak |
tags |
pam-faillock pam-tally2 verification-needed verification-needed-focal verification-needed-groovy verification-needed-hirsute |
pam-faillock pam-tally2 verification-needed verification-needed-bionic verification-needed-focal verification-needed-groovy verification-needed-hirsute |
|
| 2021-05-19 01:42:10 |
Matthew Ruffell |
tags |
pam-faillock pam-tally2 verification-needed verification-needed-bionic verification-needed-focal verification-needed-groovy verification-needed-hirsute |
pam-faillock pam-tally2 sts verification-done-bionic verification-needed verification-needed-focal verification-needed-groovy verification-needed-hirsute |
|
| 2021-05-19 01:43:52 |
Matthew Ruffell |
tags |
pam-faillock pam-tally2 sts verification-done-bionic verification-needed verification-needed-focal verification-needed-groovy verification-needed-hirsute |
pam-faillock pam-tally2 sts verification-done-bionic verification-done-focal verification-needed verification-needed-groovy verification-needed-hirsute |
|
| 2021-05-19 01:52:55 |
Matthew Ruffell |
tags |
pam-faillock pam-tally2 sts verification-done-bionic verification-done-focal verification-needed verification-needed-groovy verification-needed-hirsute |
pam-faillock pam-tally2 sts verification-done-bionic verification-done-focal verification-done-hirsute verification-needed verification-needed-groovy |
|
| 2021-05-19 02:10:29 |
Matthew Ruffell |
tags |
pam-faillock pam-tally2 sts verification-done-bionic verification-done-focal verification-done-hirsute verification-needed verification-needed-groovy |
pam-faillock pam-tally2 sts verification-done verification-done-bionic verification-done-focal verification-done-groovy verification-done-hirsute |
|
| 2021-05-20 18:12:00 |
Launchpad Janitor |
pam (Ubuntu Impish): status |
Fix Committed |
Fix Released |
|
| 2021-05-24 08:47:23 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
| 2021-05-24 08:50:39 |
Launchpad Janitor |
pam (Ubuntu Hirsute): status |
Fix Committed |
Fix Released |
|
| 2021-05-24 10:03:33 |
Launchpad Janitor |
pam (Ubuntu Groovy): status |
Fix Committed |
Fix Released |
|
| 2021-05-24 10:23:55 |
Launchpad Janitor |
pam (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
| 2021-05-27 11:06:56 |
Launchpad Janitor |
pam (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
