Bug 46978 - UMC without Samba/AD doesn't enforce a bad password lockout policy
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
Version: UCS 4.3
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.3-1-errata
Assigned To: Jannik Ahlers
QA Contact: Arvid Requate

Reported: 2018-05-08 15:53 CEST by Arvid Requate
Modified: 2018-07-11 15:09 CEST

What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.137
Enterprise Customer affected?: Yes
Ticket number: 2018050721000094

Attachments
patch_umc_pam_template_to_use_pam_tally.sh (1.28 KB, application/x-shellscript)
2018-05-08 15:56 CEST, Arvid Requate

Description Arvid Requate univentionstaff 2018-05-08 15:53:35 CEST
Ticket #2018050721000094 reported a case where the customer had no Samba/AD installed but wanted to configure a bad password lockout policy. After configuring auth/faillog=yes, auth/faillog/lock_global=yes and ppolicy, the UMC still did not track bad logon attempts.
Comment 1 Arvid Requate univentionstaff 2018-05-08 15:56:56 CEST
Created attachment 9524
patch_umc_pam_template_to_use_pam_tally.sh

The attached patch may be useful to add the required pam_tally calls to a template subfile

/etc/univention/templates/files/etc/pam.d/univention-management-console.d/30_tally

and register it by appending to

/etc/univention/templates/info/univention-management-console-server.info

After that, a ucr commit /etc/pam.d/univention-management-console should configure the UMC PAM stack according to the setting of auth/faillog/.*

I guess we should implement something like this directly in the product.
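
A check for the condition this bug describes, added here as an example and not part of the original comment or the attached script: it parses a PAM service file and reports why bad passwords would not lead to a lockout. The function names and both sample stacks are constructed assumptions, and pam_tally2.so is accepted alongside the pam_tally module the comment names.

```python
import re

TALLY = ("pam_tally.so", "pam_tally2.so")
# type, control (word or [bracketed list]), module path, optional arguments
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return (type, control, module, args) per rule; comments and @include are skipped."""
    rules = []
    for raw in text.replace("\\\n", " ").splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if m:
            mtype, control, module, args = m.groups()
            rules.append((mtype, control, module.rsplit("/", 1)[-1], args.split()))
    return rules

def audit_lockout(text):
    """Return reasons the stack would not enforce a lockout; an empty list means OK."""
    rules = parse_pam(text)
    auth = [r for r in rules if r[0] == "auth"]
    tally = [i for i, r in enumerate(auth) if r[2] in TALLY]
    if not tally:
        return ["auth: no pam_tally rule, failed logins are never counted"]
    findings = []
    first = tally[0]
    if not any(a.startswith("deny=") or a == "per_user" for a in auth[first][3]):
        findings.append("auth: pam_tally has neither deny= nor per_user, so no limit applies")
    # Only the plain 'sufficient' keyword is checked, not [success=done ...] controls.
    if any(r[1] == "sufficient" for r in auth[:first]):
        findings.append("auth: a 'sufficient' rule precedes pam_tally and can skip the lock check")
    if not any(r[0] == "account" and r[2] in TALLY for r in rules):
        findings.append("account: no pam_tally rule, reset relies on the service calling pam_setcred")
    return findings

# Constructed sample stacks (assumptions, not the files UCS generates).
WITHOUT_TALLY = """\
auth     sufficient  pam_unix.so
auth     required    pam_ldap.so use_first_pass
account  required    pam_unix.so
"""
WITH_TALLY = """\
auth     required    pam_tally.so per_user deny=5 onerr=fail
auth     sufficient  pam_unix.so
auth     required    pam_ldap.so use_first_pass
account  required    pam_tally.so
account  required    pam_unix.so
"""

if __name__ == "__main__":
    for name, stack in (("without", WITHOUT_TALLY), ("with", WITH_TALLY)):
        print(name, audit_lockout(stack) or "lockout rules present")
```

To audit a live system, pass the contents of the generated /etc/pam.d/univention-management-console to audit_lockout after running the ucr commit.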
Comment 2 Christian Völker univentionstaff 2018-05-11 11:45:41 CEST
Same issue appeared in the forum:

https://help.univention.com/t/ldap-account-lockout-not-working/8580
Comment 3 Arvid Requate univentionstaff 2018-05-14 15:25:57 CEST
Ok, I've added this to the UMC Board for prioritization.
Comment 4 Jannik Ahlers univentionstaff 2018-07-04 14:02:01 CEST
I put the changes Arvid's script makes into the univention-management-console package.

univention-management-console.yaml
b406136b06ff | Bug #46978: YAML

univention-management-console (10.0.6-6)
676e6048386d | Bug #46978: debian changelog

univention-management-console (10.0.6-5)
c84f144894f4 | Bug #46978: enable bad password lockout in umc

Successful build
Package: univention-management-console
Version: 10.0.6-6A~4.3.0.201807041352
Branch: ucs_4.3-0
Scope: errata4.3-1
Comment 5 Quality Assurance univentionstaff 2018-07-04 16:05:22 CEST
--- mirror/ftp/4.3/unmaintained/component/4.3-1-errata/source/univention-management-console_10.0.6-5A~4.3.0.201806151507.dsc
+++ apt/ucs_4.3-0-errata4.3-1/source/univention-management-console_10.0.6-6A~4.3.0.201807041352.dsc
@@ -1,6 +1,10 @@
-10.0.6-5A~4.3.0.201806151507 [Fri, 15 Jun 2018 15:07:24 +0200] Univention builddaemon <buildd@univention.de>:
+10.0.6-6A~4.3.0.201807041352 [Wed, 04 Jul 2018 13:52:19 +0200] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. No patches were applied to the original source package
+
+10.0.6-6 [Wed, 04 Jul 2018 13:27:42 +0200] Jannik Ahlers <ahlers@univention.de>:
+
+  * Bug #46978: enable bad password lockout policy in umc
 
 10.0.6-5 [Fri, 15 Jun 2018 14:39:48 +0200] Jürn Brodersen <brodersen@univention.de>:
 
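Review bot: The new 10.0.6-6 entry reads only "Bug #46978: enable bad password lockout policy in umc", which does not tell an administrator what changed or which setting controls it. Consider naming the mechanism in the entry, for example that the UMC PAM stack now gets pam_tally calls according to auth/faillog/.* as described in comment 1, so the changelog can be checked against the generated /etc/pam.d/univention-management-console.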

<http://10.200.17.11/4.3-1/#1950166786911508728>
Comment 6 Arvid Requate univentionstaff 2018-07-09 18:54:14 CEST
Ok, works.
Comment 7 Arvid Requate univentionstaff 2018-07-11 15:09:05 CEST
<http://errata.software-univention.de/ucs/4.3/147.html>