Bug 57968 - UCR variables `auth/faillog`/`auth/faillog/lock_global` do not work at all with PAM service `univention-management-console`
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: PAM
Version: UCS 5.2
Hardware: Other
OS: Windows 10
Importance: P5 normal
Target Milestone: UCS 5.2-2-errata
Assignee: Marius Meschter
QA Contact: Jürn Brodersen
URL: https://git.knut.univention.de/univen...
Keywords:
Depends on:
Blocks:
 
Reported: 2025-02-17 18:22 CET by Jan-Luca Kiok
Modified: 2025-08-06 14:39 CEST

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 4: Will affect most installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.571
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Regression
Customer ID: 01527
Max CVSS v3 score:


Description Jan-Luca Kiok univentionstaff 2025-02-17 18:22:56 CET
## Context/description

With UCS 5.2-0 errata26, when `auth/faillog` and `auth/faillog/lock_global` are enabled, this should lead to disabled user accounts when there are too many login attempts.

```bash
ucr set auth/faillog=yes
ucr set auth/faillog/lock_global=yes
```

This results in the file:

```pam
# Warning: This file is auto-generated and might be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:
# Warnung: Diese Datei wurde automatisch generiert und kann durch
#          univention-config-registry ueberschrieben werden.
#          Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
# 
# 	/etc/univention/templates/files/etc/pam.d/univention-management-console.d/00_header
# 	/etc/univention/templates/files/etc/pam.d/univention-management-console.d/30_tally
# 	/etc/univention/templates/files/etc/pam.d/univention-management-console.d/35_oidc
# 	/etc/univention/templates/files/etc/pam.d/univention-management-console.d/40_saml
# 	/etc/univention/templates/files/etc/pam.d/univention-management-console.d/50_base
# 	/etc/univention/templates/files/etc/pam.d/univention-management-console.d/59_auth_end
# 	/etc/univention/templates/files/etc/pam.d/univention-management-console.d/60_account
# 	/etc/univention/templates/files/etc/pam.d/univention-management-console.d/70_session
# 	/etc/univention/templates/files/etc/pam.d/univention-management-console.d/80_password
# 

auth     [success=1 user_unknown=1 \
         default=bad]      pam_faillock.so preauth
auth     [default=die]     pam_runasroot.so program=/usr/lib/univention-pam/lock-user


account  required              pam_faillock.so



auth     sufficient        pam_unix.so try_first_pass
auth     sufficient        pam_krb5.so use_first_pass defer_pwchange minimum_uid=1000
auth     sufficient        pam_sss.so use_first_pass

auth     required          pam_deny.so
account  sufficient        pam_unix.so
account  sufficient        pam_krb5.so force_pwchange minimum_uid=1000
account  required          pam_sss.so

session  required          pam_unix.so

password requisite         pam_pwquality.so
password sufficient        pam_unix.so obscure use_first_pass use_authtok
password required          pam_krb5.so use_first_pass use_authtok force_pwchange minimum_uid=1000
```

But users are not locked out, as authentication failures are **not** locked:

```bash
root@primary:~# python3 -c 'import pam; print([pam.authenticate("demo_admin", "univention", "univention-management-console") for _ in range(6)])'
[True, True, True, True, True, True]

# using the service `univention-management-console` repeatedly with a wrong password does not lead to disabling the account
root@primary:~# python3 -c 'import pam; print([pam.authenticate("demo_admin", "wrongpassword", "univention-management-console") for _ in range(6)])'
[False, False, False, False, False, False]
root@primary:~# udm users/user list --filter uid=demo_admin --properties disabled
uid=demo_admin
DN: uid=demo_admin,cn=lehrer,cn=users,ou=DEMOSCHOOL,dc=school,dc=test
  disabled: 0


# using a service like login will lead to a disabled account
root@primary:~# python3 -c 'import pam; print([pam.authenticate("demo_admin", "wrongpassword", "login") for _ in range(6)])'
[False, False, False, False, False, False]
root@primary:~# udm users/user list --filter uid=demo_admin --properties disabled
uid=demo_admin
DN: uid=demo_admin,cn=lehrer,cn=users,ou=DEMOSCHOOL,dc=school,dc=test
  disabled: 1
```

The `faillock` command does not show any tracked failed login attempts.
Looks like the line `auth required pam_faillock.so authfail` is missing?


In 5.0-9 it works:

```bash
root@primary:~# python3 -c 'import pam; print([pam.authenticate("demo_admin", "wrongpassword", "univention-management-console") for _ in range(6)])'
[False, False, False, False, False, False]
root@primary:~# udm users/user list --filter uid=demo_admin --properties disabled
uid=demo_admin
DN: uid=demo_admin,cn=lehrer,cn=users,ou=DEMOSCHOOL,dc=school,dc=test
  disabled: 1
```
Comment 4 Marius Meschter univentionstaff 2025-08-01 10:52:46 CEST
univention-management-console (14.2.1)
90a79ead34a0 | fix(umc): fix auth/faillock for UMC pam stack

ucs-test (12.2.35)
fb45faa466c2 | test: add test for auth/faillock UMC stack

`pam_faillock.so authfail` has been added to the `univention-management-console` PAM stack.

Tests have been added.
Comment 5 Jürn Brodersen univentionstaff 2025-08-06 10:51:49 CEST
Faillock is triggered by umc logins ✔️

Count of faillock is reset if the account wasn't in a logged state already and the password was correct ✔️

global faillock ✔️

tests ✔️

changelog ✔️

docs ✔️

jenkins ✔️
Comment 6 Iván.Delgado univentionstaff 2025-08-06 14:39:17 CEST
<https://errata.software-univention.de/#/?erratum=5.2x164>