|Applies To||ACE/Agent for PAM 5.3.4|
|Issue||PAM Agent Solaris 10 sshd always increments /etc/shadow auth failure field|
The Unix account gets locked out when the auth failure field reaches the specified maximum.
The auth failure field in /etc/shadow increments regardless of whether SecurID authentication succeeds or fails.
|Cause||Seems to be specific to the Solaris 10 implementation of SSHD. The first method tested in the PAM chain is sshd-none. The standard pam.conf has no entry for it, so it is handled by the "other" catch-all method in pam.conf. The default method updates the /etc/shadow record for the user with an incremented auth failure flag. This occurs before the PAM chain processes sshd-kbdint, on which the SecurID module is triggered.|
Adding the following line to pam.conf causes sshd-none to be handled explicitly, which in turn stops the auth failure flag from incrementing:
sshd-none auth optional pam_deny.so.1
** This is a workaround only. The workaround appears to solve the problem but should be used with caution.
Sun has published the following articles on their customer KB:
Bug ID: 5033461
|Legacy Article ID||a33048|
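To confirm which sshd PAM service names on a host still fall through to the "other" entry, before and after applying the workaround, a check along these lines can be run against pam.conf. This is an added example, not code from RSA or Sun. Assumptions: the function names are hypothetical, the sample pam.conf is constructed, pam_securid.so is an assumed module name, and the "other" fallback is treated as applying per module type.

```shell
#!/bin/sh
# Added example: audit pam.conf for sshd services that fall through to "other".
# Solaris 10 /usr/bin/awk lacks -v, so prefer nawk when it is installed.
AWK=$(command -v nawk || command -v awk)

# PAM service names Solaris 10 sshd uses, one per authentication method.
SSHD_SERVICES="sshd-none sshd-password sshd-kbdint sshd-pubkey sshd-hostbased"

# Print every sshd service with no explicit auth entry in the given pam.conf.
# Assumption: the "other" fallback is applied per module type (auth here).
sshd_auth_fallthrough() {
    for svc in $SSHD_SERVICES; do
        # Fields: service module_type control_flag module_path [options]
        if ! "$AWK" -v s="$svc" '
            /^[ \t]*#/ { next }
            $1 == s && $2 == "auth" { found = 1 }
            END { exit(found ? 0 : 1) }' "$1"; then
            echo "$svc"
        fi
    done
}

# Print the auth stack an unhandled service inherits from "other".
other_auth_stack() {
    "$AWK" '!/^[ \t]*#/ && $1 == "other" && $2 == "auth" { print $3, $4 }' "$1"
}

# Write a constructed pam.conf (not from a real host) to the given path.
# pam_securid.so is an assumed module name; the page does not give it.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample
sshd-kbdint auth required  pam_securid.so
other       auth requisite pam_authtok_get.so.1
other       auth required  pam_unix_cred.so.1
other       auth required  pam_unix_auth.so.1
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
echo "Before workaround, falling through to other:"
sshd_auth_fallthrough "$conf"
echo "Auth stack inherited from other:"
other_auth_stack "$conf"
echo "sshd-none auth optional pam_deny.so.1" >> "$conf"   # line from the article
echo "After workaround, falling through to other:"
sshd_auth_fallthrough "$conf"
rm -f "$conf"
```

On a real host, pass /etc/pam.conf to `sshd_auth_fallthrough`; any service it prints runs the "other" auth stack, which is where the failure counter is updated.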