PAM Authentication failure for root during pexpect python

Question

the below observation is not always the case, but after some time accessing the SUT several times with ssh with root user and correct password the python code gets into trouble with:

Apr 25 05:51:56 SUT sshd[31570]: pam_tally2(sshd:auth): user root (0) tally 83, deny 10
Apr 25 05:52:16 SUT sshd[31598]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.13  user=root
Apr 25 05:52:21 SUT sshd[31568]: error: PAM: Authentication failure for root from 10.10.10.13
Apr 25 05:52:21 SUT sshd[31568]: Connection closed by 10.10.10.13 [preauth]

This is the below python code:

COMMAND_PROMPT = '.*:~ #'
SSH_NEWKEY = '(?i)are you sure you want to continue connecting'

def scp(source, dest, password):
    cmd = 'scp ' + source + ' ' + dest
    try:
        child = pexpect.spawn('/bin/bash', ['-c', cmd], timeout=None)
        res = child.expect([pexpect.TIMEOUT, SSH_NEWKEY, COMMAND_PROMPT, '(?i)Password'])
        if res == 0:
            print('TIMEOUT Occurred.')
        if res == 1:
            child.sendline('yes')
            child.expect('(?i)Password')
            child.sendline(password)
            child.expect([pexpect.EOF], timeout=60)
        if res == 2:
            pass
        if res == 3:
            child.sendline(password)
            child.expect([pexpect.EOF], timeout=60)
    except:
        print('File not copied!!!')
        self.logger.error(str(self.child))

When the ssh is unsuccessful, this is the pexpect printout:

version: 2.3 ($Revision: 399 $)
command: /usr/bin/ssh
args: ['/usr/bin/ssh', 'root@100.100.100.100']
searcher: searcher_re:
    0: re.compile(".*:~ #")
buffer (last 100 chars): :
Account locked due to 757 failed logins

Password:
before (last 100 chars): :
Account locked due to 757 failed logins

Password:
after: <class 'pexpect.TIMEOUT'>
match: None
match_index: None
exitstatus: None
flag_eof: False
pid: 2284
child_fd: 5
closed: False
timeout: 30
delimiter: <class 'pexpect.EOF'>
logfile: None
logfile_read: None
logfile_send: None
maxread: 2000
ignorecase: False
searchwindowsize: None
delaybeforesend: 0
delayafterclose: 0.1
delayafterterminate: 0.1

Any clue maybe what could it be, is it maybe anything missing or wrong configured for pam authentication on my SUT? The problem is that when the SUT starts with this pam failures then python code will always have the problem and only a reboot of the SUT seems to help :(

Manually accessing the SUT via ssh root@... is always working, even if pexpect can't!!! The account seems not to be locked according to:

SUT:~ # passwd -S root
root P 04/24/2017 -1 -1 -1 -1

I have looked into some other questions but no real solution is mentioned or could work with my python code.

Thanks in adv.

Answer 1

My work around is to modify for testing purpose the pam_tally configuration files. It seems that the SUT acknowledge the multiple access as a threat and locks even the root account!

By removing this entry even_deny_root root_unlock_time=5 in the several pam_tally configuration files:

/etc/pam.d/common-account:account    required        pam_tally2.so     deny=10 onerr=fail unlock_time=600 even_deny_root root_unlock_time=5 file=/home/test/faillog
/etc/pam.d/common-auth:auth          required        pam_tally2.so     deny=10 onerr=fail unlock_time=600 even_deny_root root_unlock_time=5 file=/home/test/faillog

Those changes will be activated dynamically no restart of service needed!

Note: after reboot those entries will be most likely back!