Results 1 to 2 of 2
Enjoy an ad free experience by logging in. Not a member yet? Register.
- Join Date
- Jan 2010
Preventing an account from being locked out...
First off...this is a customer requirement that I was able to fulfill in RHEL 4.x using the information from puschitz's Red Hat hardening guide...puschitz.com/SecuringLinux.shtml... (since I am new, I can't post a direct link) but this doesn't work for RHEL5 (below)...
My question is how to prevent an account from being locked out once I have PAM set up to deny access after 'n' amount of unsuccessful attempts.
Scenario: I block root login access and only have 2 accounts in wheel that can access via the console, ssh, etc (limited through access.conf, gdm, etc). In the event that both wheel accounts get locked out, I am basically hosed. (btw, this is a very strict environment, no booting with Knoppix, single user mode, etc.) I need to be able to set these wheel accounts from not tallying failed login attempts, like root prohibits it.
In RHEL 4.x, I could just do the following:
faillog -u <username> -m -1
...but now it seems that RHEL 5.x doesn't work the same way (maybe since pam_tally2 is in place?)
Unfortunately, this is a requirement that I need to deliver. Anyhow, any help would be appreciative.
- Join Date
- Feb 2010
I use pam_abl for this not the build in pam_tally, so I am not sure if this applies, but in pam_abl you can set up exceptions to rules.
Also have you looked into setting up root in sshd_config with a RSH key and PermitRootLogin without-password.
This means you can not login with a username/passwd combo you can only log in via key exchange. Eliminates the brute force attack and gets around the tally problem.