Preventing an account from being locked out...

[dagummit]

Hello... sorry if I am posting this in the wrong forum...since it deals with both Linux security and RHEL...

First off...this is a customer requirement that I was able to fulfill in RHEL 4.x using the information from puschitz's Red Hat hardening guide...puschitz.com/SecuringLinux.shtml... (since I am new, I can't post a direct link) but this doesn't work for RHEL5 (below)...

My question is how to prevent an account from being locked out once I have PAM set up to deny access after 'n' amount of unsuccessful attempts.

Scenario: I block root login access and only have 2 accounts in wheel that can access via the console, ssh, etc (limited through access.conf, gdm, etc). In the event that both wheel accounts get locked out, I am basically hosed. (btw, this is a very strict environment, no booting with Knoppix, single user mode, etc.) I need to be able to set these wheel accounts from not tallying failed login attempts, like root prohibits it.

In RHEL 4.x, I could just do the following:
faillog -u <username> -m -1

...but now it seems that RHEL 5.x doesn't work the same way (maybe since pam_tally2 is in place?)

Unfortunately, this is a requirement that I need to deliver. Anyhow, any help would be appreciative.

[ccolumbu]

I use pam_abl for this not the build in pam_tally, so I am not sure if this applies, but in pam_abl you can set up exceptions to rules.
Also have you looked into setting up root in sshd_config with a RSH key and PermitRootLogin without-password.
This means you can not login with a username/passwd combo you can only log in via key exchange. Eliminates the brute force attack and gets around the tally problem.