Hello Richard, or anyone else affected, Accepted pam into hirsute-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/pam/1.3.1-5ubuntu6.21.04.1 in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- hirsute to verification-done-hirsute. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-hirsute. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pam in Ubuntu. https://bugs.launchpad.net/bugs/1927796 Title: [SRU]pam_tally2 can cause accounts to be locked by correct password. pam_faillock use is the recommended fix Status in pam package in Ubuntu: Fix Committed Status in pam source package in Bionic: In Progress Status in pam source package in Focal: In Progress Status in pam source package in Groovy: In Progress Status in pam source package in Hirsute: Fix Committed Status in pam source package in Impish: Fix Committed Bug description: [IMPACT] There is a known issue in pam_tally2 which may cause an account to be lock down even with correct password, in a busy node environment where simultaneous logins takes place (https://github.com/linux-pam/linux-pam/issues/71). There are already two customer cases from Canonical clients complaining about this behavior (00297697 and 00303806). Also, potentially, this will cause further problems in the future, since both STIG benchmarks and CIS benchmarks rely on pam_tally2 to lock accounts when wrong passwords are used. And both benchmarks - but specially STIG - requires use of a lot of audit rules, which can lead to the busy node environment. The issue impacts all pam_tally2 versions distributed in all currently supported Ubuntu versions and also the next unreleased one. Note that, according to https://github.com/linux-pam/linux-pam/issues/71, there is no plan to fix this issue! [FIX] This fix proposes to add pam_faillock module to the PAM package, so users of pam_tally2 having issues can migrate to pam_faillock. We also plan to modify the current STIG benchmarks to rely on pam_faillock instead of pam_tally2, but in order to do so, we need the pam_faillock module to be available. Note that we don't propose to remove pam_tally2, since not every user of this module is affected. [TEST] Tested on a VM installed with Focal server iso and on another with Bionic server iso. Enabled pam_faillock module as recommeded by its man page. Then tried to log over ssh with an incorrect password, until the account got locked. Waited for the configured grace time to unlock and logged in using the correct password. Note that, since the pam_tally2 issue is caused by a racing condition, with a hard to recreate environment (we could not even reproduce it with pam_tally2), we could not reproduce the conditions to test pam_faillock with. [REGRESSION POTENTIAL] The regression potential for this is small, since we're not removing the old pam_tally2 module, just adding another one. So anyone still using pam_tally2 will be able to do so. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/1927796/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
