pam: Fix not querying password for invalid user

Not querying password for invalid user name is security
issue and can be used to determine valid / invalid user names
in the system. Always proceed to password acceptance screen
for invalid user login attempt too. This commit configures
pam_tally2 to ignore unknown user and proceed to do password
check.

Tested:
Verified the same in bmc serial console login with invalid user
name and password was requested, before displaying login incorrect.

Note: dropbear handles this already and hence ssh will not exhibit
this behavior.

(From meta-phosphor rev: 356ec08b989c84d1d034c3ff283a6909658d9435)

Change-Id: I72483d26ad7b7c39068ac33b7387adf2b10a1a27
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>

1 files changed, 1 insertions, 1 deletions

diff --git a/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth b/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth
index 7bebd9a6a..58ed74f19 100644
--- a/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth
+++ b/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth
@@ -8,7 +8,7 @@
 # traditional Unix authentication mechanisms.
 
 # here are the per-package modules (the "Primary" block)
-auth	[success=ok default=2]	pam_tally2.so deny=0 unlock_time=0
+auth	[success=ok user_unknown=ignore default=2]	pam_tally2.so deny=0 unlock_time=0
 # Try for local user first, and then try for ldap
 auth	[success=2 default=ignore]	pam_unix.so nullok_secure
 -auth    [success=1 default=ignore]  	pam_ldap.so ignore_unknown_user ignore_authinfo_unavail