  1. #1 (Jan 2010)

    Preventing an account from being locked out...


    Hello... sorry if I am posting this in the wrong forum...since it deals with both Linux security and RHEL...

    First off...this is a customer requirement that I was able to fulfill in RHEL 4.x using the information from puschitz's Red Hat hardening guide...puschitz.com/SecuringLinux.shtml... (since I am new, I can't post a direct link) but this doesn't work for RHEL5 (below)...

    My question is how to prevent an account from being locked out once I have PAM set up to deny access after 'n' amount of unsuccessful attempts.

    Scenario: I block root login access and only have 2 accounts in wheel that can access via the console, ssh, etc. (limited through access.conf, gdm, etc.). In the event that both wheel accounts get locked out, I am basically hosed. (btw, this is a very strict environment, no booting with Knoppix, single user mode, etc.) I need to be able to set these wheel accounts so that they don't tally failed login attempts, the way root doesn't.

    In RHEL 4.x, I could just do the following:
    faillog -u <username> -m -1

    ...but now it seems that RHEL 5.x doesn't work the same way (maybe since pam_tally2 is in place?)

    Unfortunately, this is a requirement that I need to deliver. Anyhow, any help would be appreciated.
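    One way to get the behaviour asked for above on RHEL 5, as an added example that is not part of the original post: pam_tally2 has no per-user exemption option of its own (root is only denied when even_deny_root is set, and magic_root refers to the calling uid, not the target account), so the usual approach is to put a pam_succeed_if line in front of it that skips pam_tally2 for members of a chosen group. The group name "wheel", the deny/unlock values and the uid 500 boundary are assumptions taken from the stock RHEL 5 system-auth layout; adjust them to the system.

```conf
# Added example: /etc/pam.d/system-auth fragment (auth and account sections only).
# Assumptions: RHEL 5 with pam_tally2; the privileged accounts are members of "wheel".
# pam_succeed_if returns success when the user is in wheel, and the [success=1]
# control then jumps over the next module (pam_tally2). Anyone else falls through
# (default=ignore) and is tallied and locked out as before.
auth        required      pam_env.so
auth        [success=1 default=ignore] pam_succeed_if.so user ingroup wheel quiet
auth        required      pam_tally2.so deny=5 onerr=fail unlock_time=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

# The account-phase entry resets the counter after a successful login. Wheel
# members never accumulate a count, so it is a no-op for them.
account     required      pam_tally2.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

# Inspect or clear the counter for any account that is not exempt:
#   pam_tally2 --user alice
#   pam_tally2 --user alice --reset
```

    The trade-off is the obvious one: the exempted wheel accounts are now the only ones an attacker at the console or on ssh can guess against without limit, so they need strong passwords and, for ssh, ideally key-only authentication. Test the change from a second, still-open session before logging out, and check with `pam_tally2 --user <wheel-user>` after a deliberate wrong password that the count stays at 0.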

  2. #2 (Feb 2010)

    Not sure

    I use pam_abl for this, not the built-in pam_tally, so I am not sure if this applies, but in pam_abl you can set up exceptions to rules.
    Also, have you looked into setting up root in sshd_config with an RSA key and PermitRootLogin without-password?
    This means you cannot log in with a username/password combo; you can only log in via key exchange. It eliminates the brute-force attack and gets around the tally problem.
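    The sshd_config side of that suggestion, as an added example that is not part of the original reply: the fragment below assumes the OpenSSH 4.x shipped with RHEL 5, where the keyword value is spelled `without-password` (later releases call it `prohibit-password`). Note that `PermitRootLogin without-password` only restricts root; the other accounts keep password logins unless the last three lines are applied as well, which should only be done once every admin has a key installed and tested.

```conf
# Added example: /etc/ssh/sshd_config fragment, not the original poster's config.
# Assumes OpenSSH 4.x on RHEL 5. Root may log in, but only with a public key;
# password attempts against root are refused before PAM is consulted, so they
# never reach pam_tally2.
PermitRootLogin without-password
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
UsePAM yes

# Optional: make every account key-only. This removes the password guessing
# that feeds the tally in the first place. Apply only after keys are in place.
PasswordAuthentication no
ChallengeResponseAuthentication no
```

    With `UsePAM yes`, sshd runs the PAM auth stack only for password and keyboard-interactive logins; a public-key login still goes through the account and session stacks, so a user who is already locked by pam_tally2 in the account phase stays locked even with a valid key. Reload sshd and confirm from an existing session with `ssh -o PreferredAuthentications=password root@host` that the server now rejects the attempt.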
