We have a gRPC-based client and server, and we use gRPC call authentication. That is, we send the (username, password) with each gRPC call from the client to the server. We have an RPC that gets called every minute.
The problem is this:
On the server:
/etc/pam.d$ grep unlock *
login:auth required pam_tally2.so file=/var/log/tallylog deny=3 unlock_time=300
sshd:auth required pam_tally2.so file=/var/log/tallylog deny=3 unlock_time=300
If someone logs into the server manually using (username, <wrong_password>) 3 times, the user gets locked. At this point the gRPC call starts failing as UNAUTHENTICATED. After this, the gRPC calls which use the right (username, password) also get counted by pam_tally2.so, resulting in the user never getting unlocked.
The only way out is to do:
pam_tally2 -r
This is a very simple way to create a DoS attack against the gRPC service.
- Is there any way to make pam_tally not count valid login attempts while the user is locked?
- Is there a way to still protect the gRPC service while still using call-level credentials?
Thanks for your time.
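As an added illustration (not code from the original post or from gRPC), the following Python model of the pam_tally2 deny/unlock_time accounting described above shows why a client that keeps retrying every 60 s with the correct password never gets unlocked, and how a client-side backoff on UNAUTHENTICATED lets the window expire. The tally logic is an approximation of the module's documented behaviour (every attempt bumps the counter and timestamp, and the unlock window is measured from the previous attempt); the client loop and the sample credential are constructed.

```python
"""Model of pam_tally2 deny/unlock_time accounting (assumption: approximates
the real module; not the module's own code) plus a naive and a backing-off
client, to show which one lets the lockout expire."""

DENY = 3           # deny=3 from the /etc/pam.d lines in the question
UNLOCK_TIME = 300  # unlock_time=300 from the same lines
PASSWORD = "correct-password"  # constructed sample credential


class Tally:
    """Per-user counter as pam_tally2 keeps it in the tallylog file."""
    def __init__(self):
        self.count, self.last = 0, 0

    def authenticate(self, password, now):
        """Return True on success; False corresponds to UNAUTHENTICATED."""
        previous, self.last = self.last, now   # timestamp is refreshed on every attempt
        self.count += 1                        # counter is bumped before the check
        if self.count > DENY:
            if previous + UNLOCK_TIME > now:   # window measured from the previous attempt
                return False                   # still locked; a correct password does not help
            self.count = 0                     # unlock_time elapsed since the last attempt
        ok = password == PASSWORD
        if ok:
            self.count = 0                     # a successful auth resets the tally
        return ok


def simulate(backoff_on_lockout, horizon=900, period=60):
    """Three wrong guesses at t=0,10,20, then a valid client call each minute.
    Returns the time of the first successful client call, or None if it never
    succeeds within `horizon` seconds."""
    tally = Tally()
    for t in (0, 10, 20):
        tally.authenticate("wrong", t)         # constructed attacker guesses
    t = period
    while t <= horizon:
        if tally.authenticate(PASSWORD, t):
            return t
        # Naive client: retry next minute, which refreshes the timestamp and
        # keeps the account locked indefinitely.
        # Backoff client: stay silent for unlock_time so the window can expire.
        t += UNLOCK_TIME + 1 if backoff_on_lockout else period
    return None
```

Run `simulate(False)` and `simulate(True)` to compare: the naive client never recovers, while the backing-off client succeeds once it has waited longer than unlock_time after its last failed call.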
I think gRPC doesn't have a built-in authentication module using PAM, so it's more likely a custom-made plugin. My guess is that you may need to take a look at the PAM configuration for its lock settings: https://man7.org/linux/man-pages/man8/pam_tally2.8.html