Bizarre pam_tally / sudo error: locking me out, "tally underflowed"
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Bizarre pam_tally / sudo error: locking me out, "tally underflowed"
I have a SLES 11.1 (PPC) server that keeps locking me out even when I don't fail logins. I determined that when sudo asks for my password, even when I authenticate correctly on the first try, my fail count is increased:
Code:
alucard@fileserver:~$ sudo /usr/sbin/faillog -u alucard
Login Failures Maximum Latest On
alucard 0 0 09/02/10 15:30:44 -0400 /dev/pts/1
alucard@fileserver:~$ sudo -k
alucard@fileserver:~$ sudo /usr/sbin/faillog -u alucard
alucard's password:
Login Failures Maximum Latest On
alucard 1 0 09/02/10 15:30:58 -0400 /dev/pts/1
Why would sudo do this? sudo-1.6.9p17-21.3.1 is the package version installed.
"Tally underflowed for user" only has two Google results before this post, both of which are chat logs and neither of which help. Any idea what the heck it means?
I have changed two PAM files as follows due to security requirements. The entire contents of the files follow.
common-password-pc:
I don't use SLES, but I'm presuming that common-auth-pc is an include used by both sshd's PAM config and sudo's PAM config (and probably some others).
Out of curiosity, do your security requirements state that you must use pam_tally for all PAM-enabled services, or would they be satisfied if you were to enable it for only sshd?
(I think you can see what I'm getting at. I don't have a direct answer to your sudo + pam_tally issue, but if policy doesn't require it you could simply stop including common-auth-pc in sudo's PAM config, and instead directly require pam_env and pam_unix2 there.)
Looks like I can't without breaking the requirements. They state that the modifications must appear in the common control file or "in all /etc/pam.d control files which require login authentication."
"Tally underflowed for user" only has two Google results before this post, both of which are chat logs and neither of which help. Any idea what the heck it means?
a warning for overflow seems OK but for underflow?..
Quote:
Originally Posted by AlucardZero
Why would sudo do this? (..)
Code:
Sep 2 15:30:58 fileserver sudo: pam_tally(sudo:setcred): Tally underflowed for user root
It's not Sudo doing this. Sudo is only the PAM "service", as your log shows it's pam_tally doing "setcred". From /usr/share/doc/pam-/txts/pam_tally2: "Authentication phase first checks if user should be denied access and if not it increments attempted login counter. Then on call to pam_setcred it resets the attempts counter if the user is NOT magic root.". (The pam_setcred function is used to establish, maintain and delete the credentials of a user. It should be called after a user has been authenticated).
Now I don't use SLES either but I know PAM provides two tally modules: pam_tally and pam_tally2 which seems to be a complete rewrite of pam_tally. Maybe it's worth testing but note pam_tally2 doesn't use /var/log/faillog but its own file because of changed format. There's also options to play with like unlock_time=n which could keep you from getting locked out completely and no_reset, maybe only decrementing the counter may work. If *that* doesn't work please check the vendors bug tracker for any clues. If none show up you could see if a version for a recent version of OpenSUSE works and if rebuilding it for your SLES wouldn't invalidate any commercial support. If that doesn't work for you then you could diff the pam_tally version you use with one anyone of us uses here (pam-0.99.6.2-6.el5_4.1.i386 here) to see if there's any differences. Doubtful but could happen. If that doesn't work for you then you have exhausted all other options and the only suggestion I can make is to call in support, after all SLES is an Enterprise product...
Solved by adding the account line to common-account:
Code:
account required pam_tally.so
With that my account is still locked due to SSH login failures, but not due to successful sudos anymore.
Here's /etc/pam.d/sudo for reference:
Code:
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session include common-session
# session optional pam_xauth.so
Note how it doesn't include common-auth under "account." On RHEL 5, both auth and account phases include system-auth, and previously on this SLES11 I hadn't modified common-account. So that's why this happened to me.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
