What were you trying to do that didn't work?

An invalid user gets a single password prompt with the following sequence in /etc/pam.d/password-auth:

    auth required pam_sss.so
    auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/system-groups-ad.list

This can let an attacker identify that the user is invalid. It works as expected with the following sequence:

    auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/system-groups-ad.list
    auth required pam_sss.so

Please provide the package NVR for which bug is seen:

The behaviour is observed irrespective of the pam and sssd versions.

How reproducible:

An invalid user gets a single password prompt with the following sequence:

    auth required pam_env.so
    auth required pam_faildelay.so delay=2000000
    auth [default=4 success=ignore] pam_localuser.so
    auth required pam_faillock.so preauth deny=5 audit even_deny_root unlock_time=0 root_unlock_time=900 silent
    auth [success=1 default=bad] pam_unix.so try_first_pass
    auth [default=die] pam_faillock.so authfail deny=5 audit even_deny_root unlock_time=0 root_unlock_time=900 silent
    auth sufficient pam_faillock.so authsucc deny=5 audit even_deny_root unlock_time=0 root_unlock_time=900
    auth required pam_sss.so
    auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/system-groups-ad.list
    auth sufficient pam_succeed_if.so uid >= 200 quiet
    auth required pam_deny.so

An invalid user is prompted 3 times, as expected, with the following sequence:

    auth required pam_env.so
    auth required pam_faildelay.so delay=2000000
    auth [default=4 success=ignore] pam_localuser.so
    auth required pam_faillock.so preauth deny=5 audit even_deny_root unlock_time=0 root_unlock_time=900 silent
    auth [success=1 default=bad] pam_unix.so try_first_pass
    auth [default=die] pam_faillock.so authfail deny=5 audit even_deny_root unlock_time=0 root_unlock_time=900 silent
    auth sufficient pam_faillock.so authsucc deny=5 audit even_deny_root unlock_time=0 root_unlock_time=900
    auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/system-groups-ad.list
    auth required pam_sss.so
    auth sufficient pam_succeed_if.so uid >= 200 quiet
    auth required pam_deny.so

Steps to reproduce:

Expected results:

An invalid user should get the password prompt 3 times, as it does in RHEL 7 for both cases irrespective of the sequence.

NOTE: It works as expected with the default RHEL 8 config irrespective of the sequence:

    auth required pam_env.so
    auth required pam_faildelay.so delay=2000000
    auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
    auth [default=1 ignore=ignore success=ok] pam_localuser.so
    auth sufficient pam_unix.so nullok
    auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
    auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/system-groups-ad.list
    auth sufficient pam_sss.so forward_pass
    auth required pam_deny.so
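As an added check (not part of the bug report), a small Python linter that parses a pam.d auth stack, including bracketed control values, and flags the ordering the report describes: pam_sss.so listed before a pam_listfile.so allow-list. The two sample stacks are the short sequences from the report; the lint rule itself is an assumption about what an administrator would want flagged.

```python
"""Lint a PAM auth stack for the ordering the report describes:
pam_sss.so placed before a pam_listfile.so allow-list (sense=allow)."""
import re

# type, control (plain word or [bracketed list]), module, optional arguments
_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Constructed from the two short sequences quoted in the report.
WEAK_STACK = """\
auth required pam_env.so
auth [success=1 default=bad] pam_unix.so try_first_pass
auth required pam_sss.so
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/system-groups-ad.list
auth required pam_deny.so
"""
FIXED_STACK = WEAK_STACK.replace(
    "auth required pam_sss.so\n", "", 1
).replace("auth required pam_deny.so", "auth required pam_sss.so\nauth required pam_deny.so")

def parse_pam_stack(text):
    """Parse pam.d-style lines into dicts; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparsable PAM line: {raw!r}")
        typ, control, module, args = m.groups()
        entries.append({"type": typ, "control": control,
                        "module": module, "args": args.split()})
    return entries

def check_listfile_before_sss(entries):
    """Return findings (strings); an empty list means the ordering is fine.
    Assumed rule: in the auth stack, a pam_listfile.so line with sense=allow
    must come before pam_sss.so, as in the sequence the report says works."""
    auth = [e for e in entries if e["type"] == "auth"]
    findings, sss_pos = [], None
    for i, e in enumerate(auth):
        if e["module"] == "pam_sss.so" and sss_pos is None:
            sss_pos = i
        if (e["module"] == "pam_listfile.so" and "sense=allow" in e["args"]
                and sss_pos is not None):
            findings.append(f"auth line {i + 1}: pam_listfile.so allow-list is after "
                            f"pam_sss.so (auth line {sss_pos + 1}); move it before pam_sss.so")
    return findings

if __name__ == "__main__":
    for name, stack in (("weak", WEAK_STACK), ("fixed", FIXED_STACK)):
        print(name, check_listfile_before_sss(parse_pam_stack(stack)) or "OK")
```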
Won't Do