On 1/15/25 06:03, Matthias Gerstner wrote:
> There exist utility modules that don't actually authenticate but perform helper functions or enforce policy. An example is the pam_faillock [8] module, which can be added to the `auth` management group to record failed authentication attempts and lock the account for a certain time if too many failed attempts occur. This module will return `PAM_SUCCESS` when running in "preauth" mode and if the maximum number of failed attempts has not been reached yet. In such a case `PAM_SUCCESS` would become the overall authentication result when pam-u2f returns `PAM_IGNORE`.
This looks to me like a logic error in PAM. Why are utility modules that do not actually perform authentication returning PAM_SUCCESS (indicating successful authentication(!)) instead of PAM_IGNORE or some other "neutral" code?
Is this a widespread misconfiguration? Is there a keyword that causes PAM to treat failure as failure but ignore PAM_SUCCESS that should be used with those utility modules?
-- Jacob
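The stack logic the thread is arguing about, as an added example that is not part of the original messages: a simplified model of libpam's dispatcher using the keyword tables and `[value=action ...]` syntax documented in pam.conf(5). The pairing of `pam_faillock.so preauth` with `pam_u2f.so`, and the bracketed control line used as the "fixed" variant, are my assumptions, not something the thread states.

```python
# Added example (not from the thread): simplified model of how libpam folds an
# "auth" stack's module results into one result, per pam.conf(5); the module
# pairing and the bracketed "fixed" control line are assumptions.

PAM_SUCCESS, PAM_IGNORE = "success", "ignore"
PAM_AUTH_ERR, PAM_PERM_DENIED = "auth_err", "perm_denied"
# The classic control keywords as their documented [value=action ...] tables.
KEYWORDS = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_control(control: str) -> dict[str, str]:
    """Value->action table for a keyword or a bracketed '[value=action ...]' field."""
    if control in KEYWORDS:
        return KEYWORDS[control]
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError(f"unknown control field: {control}")
    return dict(item.split("=", 1) for item in control[1:-1].split())

def run_stack(stack: list[tuple[str, str]]) -> str:
    """Evaluate (control, module_return_value) pairs in order.
    impression: None = nothing counted yet, True = positive, False = failed.
    A stack in which nothing counts fails (libpam's PAM_MUST_FAIL_CODE)."""
    impression, status = None, PAM_PERM_DENIED
    for control, retval in stack:
        actions = parse_control(control)
        action = actions.get(retval, actions.get("default", "bad"))
        if action == "ignore":
            continue                        # this result does not count
        if action in ("bad", "die"):        # first failure fixes the stack result
            if impression is not False:
                impression, status = False, retval
            if action == "die":
                break
        elif action in ("ok", "done"):      # success only overrides a clean state
            if impression is None or (impression is True and status == PAM_SUCCESS):
                impression, status = True, retval
            if action == "done" and impression is True:
                break
    return status

# Constructed stacks: (control field, value the module returns).  pam_faillock.so
# preauth returns PAM_SUCCESS while the account is not locked; pam_u2f.so returns
# PAM_IGNORE in the case under discussion.
BROKEN = [("required", PAM_SUCCESS), ("required", PAM_IGNORE)]
FIXED = [("[success=ignore default=bad]", PAM_SUCCESS), ("required", PAM_IGNORE)]
LOCKED = [("[success=ignore default=bad]", PAM_AUTH_ERR), ("required", PAM_IGNORE)]
```

`run_stack(BROKEN)` yields `success` with no module having authenticated anyone, while `run_stack(FIXED)` yields `perm_denied` and `run_stack(LOCKED)` still propagates the lockout as `auth_err`.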