pam 1.6.1-2 breaks sudo password
Hello. I noticed that pam 1.6.1-2 breaks sudo. Every time I tried to enter my password with a sudo command, it tells me my password is incorrect. Of course, it is not. The "fix" was to downgrade to pam 1.6.1-1. Hope it helps! -- Frederic Bezies fredbezies@gmail.com Blog: https://fredericbezies-ep.fr/blog/
El vie, 12-04-2024 a las 08:21 +0200, Frederic Bezies escribió:
Hello.
Hi!
I noticed that pam 1.6.1-2 breaks sudo. Every time I tried to enter my password with a sudo command, it tells me my password is incorrect. Of course, it is not.
The "fix" was to downgrade to pam 1.6.1-1.
Are you absolutely sure there is nothing else? I mean, the only thing you change is that package? I comment this because what the version change from 1.6.1-1 to 1.6.1-2 does is simply add a missing dependency[1], but does not modify anything, so it seems very very very very strange to me that this could cause what you say. Greetings. [1]:https://gitlab.archlinux.org/archlinux/packaging/packages/pam/-/commit/89b5c... -- Óscar García Amor | ogarcia at moire.org | http://ogarcia.me
Am 12.04.24 um 08:21 schrieb Frederic Bezies:
Hello.
I noticed that pam 1.6.1-2 breaks sudo. Every time I tried to enter my password with a sudo command, it tells me my password is incorrect. Of course, it is not.
The "fix" was to downgrade to pam 1.6.1-1.
Both variants with and without `NOPASSWD` configured work fine on my setup with pam-1.6.1-2. Regards, Uwe
Hope it helps!
Are you sure you're not just hitting the new(old at this point) idiotic default of always failing after X failed attempts in Y time? That would mean you mistyped the password a few times, but afterwards it would not matter even if you typed it correctly. Rebooting will get you out of the timelock Can you upgrade back, try and enter it and see if it works now? Martin On Fri, Apr 12, 2024 at 9:40 AM Frederic Bezies <fredbezies@gmail.com> wrote:
Hello.
I noticed that pam 1.6.1-2 breaks sudo. Every time I tried to enter my password with a sudo command, it tells me my password is incorrect. Of course, it is not.
The "fix" was to downgrade to pam 1.6.1-1.
Hope it helps!
-- Frederic Bezies fredbezies@gmail.com Blog: https://fredericbezies-ep.fr/blog/
On Friday, 12 April 2024 at 10:10 (+0200), Martin Rys wrote:
Are you sure you're not just hitting the new(old at this point) idiotic default of always failing after X failed attempts in Y time? That would mean you mistyped the password a few times, but afterwards it would not matter even if you typed it correctly.
Rebooting will get you out of the timelock
FYI, the "idiotic default" may feel less annoying when you use the documented solution: $ faillock --reset as your user will reset the counter. So, if you make some mistypes while invoking sudo, you can unlock use of your password instantly from the same shell where you messed up. On the other hand, if you're locked out while logging in, before you have access to a shell, then running # faillock --reset --user [your username] as root will do the same. Note that by default root has no fail lock, so this solution should always be possible. I hope this saves you a few reboots. Best, Jaron
FYI, the "idiotic default" may feel less annoying when you use the documented solution
Would be great if one got this as an error message when the logins start timing out. Unfortunately that's not the case, the UX is beyond terrible, you get the same identical error for a WRONG password as for the TIMED OUT password, making people waste time and be frustrated to the point of going on mailing lists. It serves no purpose other than a terrible protection layer for people using insecure bruteforcable passwords, but it REALLY isn't much better that instead you can just DOS user logins instead, and users do it by accident, with no information that it happened. Someone with spare time should raise some complaints on the appropriate issue trackers, if they weren't already. It's much less annoying when you revert to the old behavior and just disable it: https://gitlab.com/C0rn3j/configs/-/blob/ebac36cd8508d71a5d759b326a3c23f9c03... https://gitlab.com/C0rn3j/configs/-/blob/ebac36cd8508d71a5d759b326a3c23f9c03... Martin On Fri, Apr 12, 2024 at 10:31 AM Jaron Kent-Dobias <jaron@kent-dobias.com> wrote:
On Friday, 12 April 2024 at 10:10 (+0200), Martin Rys wrote:
Are you sure you're not just hitting the new(old at this point) idiotic default of always failing after X failed attempts in Y time? That would mean you mistyped the password a few times, but afterwards it would not matter even if you typed it correctly.
Rebooting will get you out of the timelock
FYI, the "idiotic default" may feel less annoying when you use the documented solution:
$ faillock --reset
as your user will reset the counter. So, if you make some mistypes while invoking sudo, you can unlock use of your password instantly from the same shell where you messed up.
On the other hand, if you're locked out while logging in, before you have access to a shell, then running
# faillock --reset --user [your username]
as root will do the same. Note that by default root has no fail lock, so this solution should always be possible.
I hope this saves you a few reboots.
Best, Jaron
Hi there, On Fri, Apr 12, 2024 at 11:36:43AM +0200, Martin Rys wrote:
FYI, the "idiotic default" may feel less annoying when you use the documented solution
Would be great if one got this as an error message when the logins start timing out.
Unfortunately that's not the case, the UX is beyond terrible, you get the same identical error for a WRONG password as for the TIMED OUT password, making people waste time and be frustrated to the point of going on mailing lists.
It's common practice to not give an attacker more info than needed, so "wrong password" and "locked user" is most likely intended to give the same error message. -- Georg
It's common practice to not give an attacker more info than needed
Which does not necessitate LYING to the user. A static "Password wrong or login timeout in effect <more helpful info on how that tworks>" would also be infinitely better. Martin On Fri, Apr 12, 2024 at 2:25 PM Georg Pfahler <georg@grgw.de> wrote:
Hi there,
On Fri, Apr 12, 2024 at 11:36:43AM +0200, Martin Rys wrote:
FYI, the "idiotic default" may feel less annoying when you use the documented solution
Would be great if one got this as an error message when the logins start timing out.
Unfortunately that's not the case, the UX is beyond terrible, you get the same identical error for a WRONG password as for the TIMED OUT password, making people waste time and be frustrated to the point of going on mailing lists.
It's common practice to not give an attacker more info than needed, so "wrong password" and "locked user" is most likely intended to give the same error message.
-- Georg
On Fri, 12 Apr 2024 at 13:53, Martin Rys <spleefer90@gmail.com> wrote:
It's common practice to not give an attacker more info than needed
Which does not necessitate LYING to the user.
I think we're a bit over-reacting here. I've fallen foul of this myself also, trying to log into my X not realising that my keyboard layout wasn't applied correctly. But I'm actually in favour restricting the amount of login attempts that can be done, as it is in line with PCI/DSS practices and although many people won't know what that means, just consider them best-practices. The implementation of these timeouts don't provide a method for sending an extra message to the user as to why their login attempt failed, but Linux is open source, so feel free to submit proposals and pull requests to make it more to your liking :-P
On Friday, 12 April 2024 at 13:59 (+0100), Andy Pieters wrote:
The implementation of these timeouts don't provide a method for sending an extra message to the user as to why their login attempt failed, but Linux is open source, so feel free to submit proposals and pull requests to make it more to your liking :-P
In fact, when you attempt to log in from the console while a fail lock has been activated, there is a message printed informing the user that they have used too many password attempts. It even reports the amount of time left on the lock. I guess that it is up to individual applications that use PAM authentication to find out why their authentication request has been denied, and then decide to tell the user. Having the fail lock refuse authentication using the same API as a wrong password at least provides backwards compatibility for an application like sudo that hasn't added this feature (or has decided not to add it). Best, Jaron
On 2024-04-12 at 13:59:08 +0100, Andy Pieters <arch-general@andypieters.me.uk> wrote:
On Fri, 12 Apr 2024 at 13:53, Martin Rys <spleefer90@gmail.com> wrote:
It's common practice to not give an attacker more info than needed
Which does not necessitate LYING to the user.
In the old days, login(1) used to try to be helpful by separating bad usernames from bad passwords. Because that's bad for security, bad implementations changed to "login failed," but good implementation changed to "bad username or password" and also referenced the caps lock and/or num lock keys. The difference is subtle, but a huge win for usability, and not a loss for security.
I think we're a bit over-reacting here. I've fallen foul of this myself also, trying to log into my X not realising that my keyboard layout wasn't applied correctly.
That's a different class of problem, although very much on a likely path to getting locked out. At least my screen locker is nice enough to tell me the state of my caps lock key, and it could tell me the keyboard layout, too, if I hadn't disabled it. Some display managers have similar capabilities. Fans of Windows used to say that Unix was like a car whose dashboard contained nothing, until something (anything) went wrong, and then displayed a flashing red question mark.
But I'm actually in favour restricting the amount of login attempts that can be done, as it is in line with PCI/DSS practices and although many people won't know what that means, just consider them best-practices.
Many of those practices make a lot of assumptions that don't apply to my laptop, of which I am the only user, and which nearly never leaves my physical possession. Yes, it's connected to the internet, and yes, it could be stolen (from my couch, from a hotel room, inside my backpack, etc.), but best practices for a semi-public or corporate shared server are much different from best practices for my non-shared, effectively single-user laptop.
The implementation of these timeouts don't provide a method for sending an extra message to the user as to why their login attempt failed, but Linux is open source, so feel free to submit proposals and pull requests to make it more to your liking :-P
Someone already posted a link to a config file that makes a personal computer behave more like a personal computer. So all we're talking about here (I think) is tweaking the settings for your particular needs.
Are you sure you're not just hitting the new(old at this point) idiotic default of always failing after X failed attempts in Y time? That would mean you mistyped the password a few times, but afterwards it would not matter even if you typed it correctly. Hello. This is a response not only to the above message, but also to many down in this thread.
If one has a strong passphrase configured, understands basic security, and happens to be on their local home computer, faillock may be configured to use different options. For example I have it ~turned off altogether⁽¹⁾ and so do many people in a similar situation. The defaults are meant to provide sane security in the baseline case. Not only in faillock, but with everything. One installs a package, it doesn’t do something risky by default. Sounds reasonable, doesn’t it? And in the baseline case a 15 minutes lock after 3 failed logins in 10 minutes provides between a few hours to a day delay for the adversary, giving the sys/net admin enough time to detect and react. A 15 minute lock is also reasonably tamper-evident for the baseline case user. You may dislike UX decision, but you should get used to it: because now this becomes common best practice, in particular for network-facing services. The primary reason is avoiding side channel attacks, leading to the basic secure implementation not being able to distinguish between these two cases. Even where it could be possible, per WSTG-IDNT-04 it shouldn’t be possible to make such distinction. That’s not only a security feature, but also a user privacy improvement. Please be aware, that in the model the message goes not to an authorized user. Obviously it can’t, given the authorization has failed. Which means the recipient is an actor not permitted to receive this information. The always-authorized actor is the administrator and they have access to the detailed cause: it’s in the logs. Of course one may invent an edge case, where this isn’t needed. But mere existence of such cases is not really relevant, when they are not representative of the entire landscape. So please consider changing tone a bit; cheers. ____ ⁽¹⁾ 999 attempts, 1 s lock.
The current UX is terrible, it explicitly lies to the user, as was explained in my earlier message, and someone else explaining systems now say that either username or login being wrong, but not which one. Same here, if you're adding a third thing, simply say that the third thing could also be the reason behind the failed login attempt. "Wrong username, wrong password, or login timeout is active" If you disagree with this, do explain how Frederic should have known the timeout even existed, think whether that's a good UX, and if it can perhaps be improved by informing the user. Martin On Sat, Apr 13, 2024, 01:39 mpan <archml-y1vf3axu@mpan.pl> wrote:
Are you sure you're not just hitting the new(old at this point) idiotic default of always failing after X failed attempts in Y time? That would mean you mistyped the password a few times, but afterwards it would not matter even if you typed it correctly. Hello. This is a response not only to the above message, but also to many down in this thread.
If one has a strong passphrase configured, understands basic security, and happens to be on their local home computer, faillock may be configured to use different options. For example I have it ~turned off altogether⁽¹⁾ and so do many people in a similar situation.
The defaults are meant to provide sane security in the baseline case. Not only in faillock, but with everything. One installs a package, it doesn’t do something risky by default. Sounds reasonable, doesn’t it? And in the baseline case a 15 minutes lock after 3 failed logins in 10 minutes provides between a few hours to a day delay for the adversary, giving the sys/net admin enough time to detect and react. A 15 minute lock is also reasonably tamper-evident for the baseline case user.
You may dislike UX decision, but you should get used to it: because now this becomes common best practice, in particular for network-facing services. The primary reason is avoiding side channel attacks, leading to the basic secure implementation not being able to distinguish between these two cases. Even where it could be possible, per WSTG-IDNT-04 it shouldn’t be possible to make such distinction. That’s not only a security feature, but also a user privacy improvement.
Please be aware, that in the model the message goes not to an authorized user. Obviously it can’t, given the authorization has failed. Which means the recipient is an actor not permitted to receive this information. The always-authorized actor is the administrator and they have access to the detailed cause: it’s in the logs.
Of course one may invent an edge case, where this isn’t needed. But mere existence of such cases is not really relevant, when they are not representative of the entire landscape.
So please consider changing tone a bit; cheers. ____ ⁽¹⁾ 999 attempts, 1 s lock.
I noticed that pam 1.6.1-2 breaks sudo. Every time I tried to enter my password with a sudo command, it tells me my password is incorrect. Of course, it is not. Similar to what was requested in the forum thread,⁽¹⁾ please provide the output of `pacman -Qii sudo pambase`. 1.6.1-2 works here. Cheers
participants (9)
-
2QdxY4RzWzUUiLuE@potatochowder.com
-
Andy Pieters
-
Frederic Bezies
-
Georg Pfahler
-
Jaron Kent-Dobias
-
Martin Rys
-
mpan
-
Uwe Sauter
-
Óscar García Amor