- 07-25-2010 #1 Just Joined!
- Join Date
- Nov 2006
- Location
- INDIA, New Delhi
- Posts
- 27
User account locking not working in Pam
Hi
I am facing another problem while configuring the system-auth file to lock user accounts after 3 failed attempts. The configuration is not working: users are still able to log in after 3 failed logins. Below are the configuration parameters which I have edited:
auth required pam_tally.so no_magic_root
account required pam_tally.so deny=3 no_magic_root lock_time=180
I have also tried these parameters, which I got from http://www.puschitz.com/SecuringLinu...eckingAccounts, but no success.
auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
account required /lib/security/$ISA/pam_tally.so per_user deny=5 no_magic_root reset
Please guide me on where the issue is. Is there any alternative way to achieve user account locking?
Thanks & Regards
CJ
- 07-26-2010 #2 Just Joined!
- Join Date
- Aug 2009
- Posts
- 79
AFAIK args like "deny" and "lock_time" should be in the "auth" and not the "account" section? Also take care where in the PAM stack sections you place these pam_tally lines (like not above pam_unix). Also for testing purposes better not use /etc/pam.d/system-auth but a single service because if you get it wrong you might lock yourself out.
- 07-26-2010 #3
source : man pam_tally2.so
Add the following line to /etc/pam.d/login to lock the account after 4 failed logins. Root account will be locked as well. The accounts will be automatically unlocked after 20 minutes. The module does not have to be called in the account phase because the login calls pam_setcred(3) correctly.
auth required pam_tally2.so deny=4 even_deny_root unlock_time=1200
I tested it. And you might be interested in pamtester - test pluggable authentication modules (PAM) facility
HTH
First they ignore you, then they laugh at you, then they fight with you, then you win. - M.K.Gandhi
-----
FOSS India Award winning ext3fs Undelete tool www.giis.co.in. Online Linux Terminal http://www.webminal.org
- 08-02-2010 #4 Just Joined!
- Join Date
- Nov 2006
- Location
- INDIA, New Delhi
- Posts
- 27
Thanks, I will test and let you know, Lakshmipathi.
- 08-03-2010 #5 Just Joined!
- Join Date
- Nov 2006
- Location
- INDIA, New Delhi
- Posts
- 27
Hi Lakshmi
I followed your steps. Now it shows me the error message quoted below, but the non-privileged user was still able to log in and navigate the home folder, which should not happen. Please suggest.
test@xx.yy.nn.aa's password:
Your account is locked. Maximum amount of failed attempts was reached.
Your account is locked. Maximum amount of failed attempts was reached.
Your account is locked. Maximum amount of failed attempts was reached.
Your account is locked. Maximum amount of failed attempts was reached.
Last login: Tue Aug 3 11:36:35 2010 from xx.yy.zz.nn
[test@psplrhev01 ~]$
[test@psplrhev01 ~]$
[test@psplrhev01 ~]$
[test@psplrhev01 ~]$ ls
[test@psplrhev01 ~]$ ls -la
total 40
drwx------ 3 test test 4096 Jul 24 16:07 .
drwxr-xr-x 4 root root 4096 Jul 24 16:03 ..
-rw------- 1 test test 135 Aug 3 11:29 .bash_history
-rw-r--r-- 1 test test 33 Jul 24 16:03 .bash_logout
-rw-r--r-- 1 test test 176 Jul 24 16:03 .bash_profile
-rw-r--r-- 1 test test 124 Jul 24 16:03 .bashrc
-rw-r--r-- 1 test test 515 Jul 24 16:03 .emacs
drwxr-xr-x 4 test test 4096 Jul 24 16:03 .mozilla
-rw-r--r-- 1 test test 658 Jul 24 16:03 .zshrc
- 08-03-2010 #6
The method I suggested works when you use normal login, not ssh. I haven't tested ssh login.
If you want to use pam for ssh, then I think you need to add these entries in the sshd service.
If you want to do this without pam, check the man page of sshd_config; it says something like "MaxAuthTries".
EDIT -
Account lock after failed login attempts
HTH
- 08-03-2010 #7 Just Joined!
- Join Date
- Nov 2006
- Location
- INDIA, New Delhi
- Posts
- 27
This also doesn't work in direct login.
- 08-03-2010 #8 Just Joined!
- Join Date
- Nov 2006
- Location
- INDIA, New Delhi
- Posts
- 27
Apologies. The link you provided, Lakshmi, works for me. My problem has been resolved. Thanks a ton for the support.
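
The situation in this thread (a lockout line added to /etc/pam.d/login while the test user came in over ssh) can be checked per service by flattening each service's auth stack. This is an added example, not code from any poster: the file contents in SAMPLE are constructed, auth_stack and audit are hypothetical helper names, and it assumes RHEL-style include/substack lines (Debian's @include is not handled).

```python
import re

TALLY = ("pam_tally.so", "pam_tally2.so")
LINE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

# Constructed sample /etc/pam.d contents (not taken from the thread).
SAMPLE = {
    "system-auth": "auth required pam_env.so\n"
                   "auth sufficient pam_unix.so nullok\n"
                   "auth required pam_deny.so\n",
    "login": "auth required pam_tally2.so deny=4 even_deny_root unlock_time=1200\n"
             "auth include system-auth\n",
    "sshd": "auth include system-auth\n"
            "account required pam_nologin.so\n",
    "su": "auth include system-auth\n"
          "auth required /lib/security/pam_tally2.so deny=4  # too late\n",
}

def auth_stack(service, files, seen=()):
    """Flatten a service's auth stack into (control, module, args) tuples."""
    if service in seen or service not in files:   # include loop or missing file
        return []
    stack = []
    for raw in files[service].splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != "auth":
            continue
        control, target, args = m.group(2), m.group(3), m.group(4).split()
        if control in ("include", "substack"):
            stack += auth_stack(target, files, seen + (service,))
        else:
            stack.append((control, target.rsplit("/", 1)[-1], args))
    return stack

def audit(service, files):
    """Return findings about failed-login lockout for one PAM service."""
    stack = auth_stack(service, files)
    hits = [i for i, (_, mod, args) in enumerate(stack)
            if mod in TALLY and any(a.startswith("deny=") for a in args)]
    if not hits:
        return ["no tally line with deny= in auth stack"]
    # A 'sufficient' module that succeeds ends the stack, so a tally line
    # placed after it is not consulted when the password is correct.
    early = [mod for ctl, mod, _ in stack[:hits[0]] if ctl == "sufficient"]
    return ["tally line after sufficient " + early[0]] if early else []

if __name__ == "__main__":
    for name in ("login", "sshd", "su"):
        print(name, audit(name, SAMPLE) or "ok")
```

To run it against a real host, build the dictionary from the files under /etc/pam.d instead of SAMPLE.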



