Even after years of using Linux, you still learn something new every day. In this short article, I will talk about how SSH public key authentication can bypass a security policy.
Let's start with pluggable authentication modules (PAM). With Linux PAM, the system can use modules to enhance its security. For example, PAM can enforce a password policy that requires a certain length and complexity. Another use case of a PAM module is to lock an account if somebody attempts to log in to it by brute force. On Red Hat Enterprise Linux systems, you can use the pam_faillock module for this.
The pam_faillock module can configure a system to prevent login after a certain number of failed login attempts. I had used it for years. But I did not realize that pam_faillock can be bypassed if the account has SSH public key authentication configured. After an account is locked by pam_faillock, someone can still use public key authentication to log in to that account. Besides that, the faillock counter is cleared!
This behavior is described in Red Hat Bugzilla #1583146 and Red Hat Bugzilla #1886659. However, the behavior works as expected: pam_faillock is meant to protect against brute force attacks, not against an already configured SSH public key authentication.
So, if you have an imminent need to lock out an account in this case, you can use "chage -E0 account-name" to temporarily lock out that account.
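As an added example (not code from the original article), the following shell helper shows what "chage -E0" actually changes: field 8 of a shadow(5) record, the account expiry in days since 1970-01-01. The sample records and the account_expiry/account_expired functions are constructed for this illustration; the hashes are placeholders.

```shell
#!/bin/sh
# Added example: read shadow(5)-format records and report whether an account
# is expired, which is the state "chage -E0 account-name" puts it in.
# Field 8 is the expiry day number; chage -E0 sets it to 0 (1970-01-01).
# Expiry is enforced in the PAM account phase, which sshd runs for every
# login including public key logins, whereas pam_faillock's counter is only
# consulted in the auth phase, which public key authentication skips.

# Constructed sample records; "$6$PLACEHOLDER" is not a real hash.
SAMPLE_SHADOW='alice:$6$PLACEHOLDER:19700:0:99999:7:::
bob:$6$PLACEHOLDER:19700:0:99999:7::0:
carol:$6$PLACEHOLDER:19700:0:99999:7::20000:'

# Current day number, the same unit chage uses.
days_since_epoch() {
    echo $(( $(date +%s) / 86400 ))
}

# account_expiry NAME: print NAME's expiry field (empty when never expiring).
# Exit status 1 when the account is not in the sample records.
account_expiry() {
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v u="$1" '
        $1 == u { print $8; found = 1 }
        END { exit found ? 0 : 1 }'
}

# account_expired NAME [TODAY]: exit 0 if the account is expired (login is
# refused), 1 if it is active, 2 if the account is unknown. TODAY defaults to
# the real day number; it is a parameter so the check can be exercised offline.
# Like pam_unix, an expiry day that has been reached counts as expired, so an
# expiry of 0 (chage -E0) is expired on any day after 1970-01-01.
account_expired() {
    expiry=$(account_expiry "$1") || return 2
    today=${2:-$(days_since_epoch)}
    [ -n "$expiry" ] || return 1            # no expiry set: never expires
    [ "$expiry" -le "$today" ] && return 0  # expiry reached: locked out
    return 1
}

for u in alice bob carol; do
    if account_expired "$u"; then
        echo "$u: expired (refused for password and public key logins)"
    else
        echo "$u: active"
    fi
done
```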
That was the case for a local account. What about an account in Red Hat IdM? After testing, I found that the lockout policy is designed for keyboard or password authentication. If the account has SSH public key authentication configured, the lockout policy is bypassed, but it does not reset the failed login attempts in IdM. I think one possible way to lock out that account is "ipa user-disable account-name".
So, we now know that SSH public key authentication is very powerful. Stay safe, and until next time.