Login via ssh possible despite account lockout! / Registration via ssh is possible even though account is blocked

Hello,
while trying to lock user accounts after three failed login attempts, I noticed that this lock apparently only takes effect for Windows clients. Logging in to a Debian Linux client via ssh is possible.
The following entries have been made in the Univention Registry:
auth/faillog: yes
auth/faillog/limit: 3
auth/faillog/lock_global: yes
auth/faillog/root:
auth/faillog/unlock_time: 180

The command univention-app info returns:
UCS:4.3-2 errata 229
Installed: Cups=2.2.1 dhcp-server=12.0 kde=5.8 nagios=4.3 radius=5.0 samba4=4.7

An excerpt from /var/log/auth.log of the Debian client follows:

## = inserted comments
##Correct password (account not yet locked in UMC):
Oct  2 11:22:51 debian2 sshd[1834]: pam_krb5(sshd:auth): user testuser authenticated as testuser@example.com
Oct  2 11:22:51 debian2 sshd[1834]: Accepted password for testuser from 192.168.4.46 port 36101 ssh2
Oct  2 11:22:51 debian2 sshd[1834]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Oct  2 11:22:51 debian2 systemd-logind[1079]: New session 9 of user testuser.
Oct  2 11:22:51 debian2 systemd: pam_unix(systemd-user:session): session opened for user testuser by (uid=0)

##Logging out of the client:
Oct  2 11:23:03 debian2 sshd[1834]: pam_unix(sshd:session): session closed for user testuser
Oct  2 11:23:03 debian2 systemd-logind[1079]: Removed session 9.

##Wrong password three times when logging in at the Linux client:
Oct  2 11:23:45 debian2 sshd[1866]: pam_krb5(sshd:auth): authentication failure; logname=testuser uid=0 euid=0 tty=ssh ruser= rhost=192.168.4.46
Oct  2 11:23:45 debian2 sshd[1866]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.4.46  user=testuser
Oct  2 11:23:45 debian2 sshd[1866]: pam_ldap(sshd:auth): Authentication failure; user=testuser
Oct  2 11:23:46 debian2 sshd[1866]: Failed password for testuser from 192.168.4.46 port 36102 ssh2
Oct  2 11:23:49 debian2 sshd[1866]: pam_krb5(sshd:auth): authentication failure; logname=testuser uid=0 euid=0 tty=ssh ruser= rhost=192.168.4.46
Oct  2 11:23:49 debian2 sshd[1866]: pam_ldap(sshd:auth): Authentication failure; user=testuser
Oct  2 11:23:51 debian2 sshd[1866]: Failed password for testuser from 192.168.4.46 port 36102 ssh2
Oct  2 11:23:54 debian2 sshd[1866]: pam_krb5(sshd:auth): authentication failure; logname=testuser uid=0 euid=0 tty=ssh ruser= rhost=192.168.4.46
Oct  2 11:23:54 debian2 sshd[1866]: pam_ldap(sshd:auth): Authentication failure; user=testuser
Oct  2 11:23:56 debian2 sshd[1866]: Failed password for testuser from 192.168.4.46 port 36102 ssh2
Oct  2 11:23:56 debian2 sshd[1866]: Connection closed by 192.168.4.46 port 36102 [preauth]
Oct  2 11:23:56 debian2 sshd[1866]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.4.46  user=testuser
##From here on the account is locked in the UMC:

##Correct password at the Linux client:
Oct  2 11:24:35 debian2 sshd[1868]: pam_krb5(sshd:auth): authentication failure; logname=testuser uid=0 euid=0 tty=ssh ruser= rhost=192.168.4.46
Oct  2 11:24:35 debian2 sshd[1868]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.4.46  user=testuser
Oct  2 11:24:35 debian2 sshd[1868]: Accepted password for testuser from 192.168.4.46 port 36103 ssh2
Oct  2 11:24:35 debian2 sshd[1868]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Oct  2 11:24:35 debian2 systemd-logind[1079]: New session 11 of user testuser.
Oct  2 11:24:35 debian2 systemd: pam_unix(systemd-user:session): session opened for user testuser by (uid=0)

##Logging out:
Oct  2 11:24:42 debian2 sshd[1868]: pam_unix(sshd:session): session closed for user testuser
Oct  2 11:24:42 debian2 systemd-logind[1079]: Removed session 11.

My goal is to lock the user account for all types of login, regardless of whether one wants to log in from a Windows or a Linux client.
Where is the problem?


Hello,
while trying to lock users’ accounts after three failed login attempts, I’ve noticed that this lock seems to work only for Windows clients. It is possible to log into a Debian Linux client via ssh.
The following entries have been made in the Univention Registry:
auth/faillog: yes
auth/faillog/limit: 3
auth/faillog/lock_global: yes
auth/faillog/root:
auth/faillog/unlock_time: 180

The command univention-app info leads to:
UCS:4.3-2 errata 229
Installed: Cups=2.2.1 dhcp-server=12.0 kde=5.8 nagios=4.3 radius=5.0 samba4=4.7

My goal is to lock the user account for all types of login, so whether you want to log in from a Windows or a Linux client.
Where is the problem?


Many thanks
Jan-Peter
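
One way to check an auth.log for the behaviour reported in the post above, as an added example that is not part of the original thread: it replays sshd password results against the post's auth/faillog/limit (3) and auth/faillog/unlock_time (180 s) and reports logins accepted while a lock should still apply. The function name, the simplified lock model (a lock starts at the limit-th consecutive failure) and the default year are assumptions; the sample lines are reduced from the excerpt quoted in the post.

```python
import re
from datetime import datetime, timedelta

LIMIT = 3          # auth/faillog/limit from the post
UNLOCK_TIME = 180  # auth/faillog/unlock_time from the post, in seconds

# Constructed sample, reduced from the sshd lines quoted in the post.
SAMPLE_LOG = """\
Oct  2 11:22:51 debian2 sshd[1834]: Accepted password for testuser from 192.168.4.46 port 36101 ssh2
Oct  2 11:23:46 debian2 sshd[1866]: Failed password for testuser from 192.168.4.46 port 36102 ssh2
Oct  2 11:23:51 debian2 sshd[1866]: Failed password for testuser from 192.168.4.46 port 36102 ssh2
Oct  2 11:23:56 debian2 sshd[1866]: Failed password for testuser from 192.168.4.46 port 36102 ssh2
Oct  2 11:24:35 debian2 sshd[1868]: Accepted password for testuser from 192.168.4.46 port 36103 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Accepted|Failed) password for (?:invalid user )?(\S+) from (\S+)"
)

def find_lockout_bypasses(log_text, limit=LIMIT, unlock_time=UNLOCK_TIME, year=2018):
    """Return (timestamp, user, rhost) for logins accepted while a lock should apply."""
    window = timedelta(seconds=unlock_time)
    failures = {}      # user -> consecutive failed password count
    locked_until = {}  # user -> time at which the modelled lock expires
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, result, user, rhost = m.groups()
        # syslog timestamps carry no year; the default year is an assumption
        ts = datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")
        if result == "Failed":
            failures[user] = failures.get(user, 0) + 1
            if failures[user] >= limit:
                locked_until[user] = ts + window
        else:
            if user in locked_until and ts < locked_until[user]:
                findings.append((ts.isoformat(), user, rhost))
            failures[user] = 0
    return findings
```

On the sample it reports the 11:24:35 login, which falls 39 seconds after the third failure and well inside the 180 second window.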

Hi,

I tested this with UCS 4.3-2 errata257

with limit of 5 failed logins (default value)

and for me that worked as it should - no login possible through ssh

rg
Christian

Hello Christian,
how did you set up the Linux (Debian) client? With sssd or with libnss-ldapd? I did not manage it with sssd and therefore took libnss-ldapd. Now I have the impression that something with the pam is not working properly.

Many thanks
Jan-Peter