  1. #1
     Just Joined! | Join Date: Nov 2006 | Location: INDIA, New Delhi | Posts: 27

    User account locking not working in PAM


    Hi

    I am facing another problem while configuring the system-auth file to set user account locking after 3 failed attempts. This configuration is not working, meaning users are still able to log in after 3 failed logins. Below are the configuration parameters which I have edited:

    auth required pam_tally.so no_magic_root
    account required pam_tally.so deny=3 no_magic_root lock_time=180
    I have also tried these parameters, which I got from http://www.puschitz.com/SecuringLinu...eckingAccounts, but with no success.


    auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
    account required /lib/security/$ISA/pam_tally.so per_user deny=5 no_magic_root reset
    Please guide me on where the issue is. Is there any alternative way to achieve user account locking?

    Thanks & Regards
    CJ

  2. #2
     Just Joined! | Join Date: Aug 2009 | Posts: 83
    AFAIK args like "deny" and "lock_time" should be in the "auth" and not the "account" section? Also take care where in the PAM stack sections you place these pam_tally lines (like not above pam_unix). Also for testing purposes better not use /etc/pam.d/system-auth but a single service because if you get it wrong you might lock yourself out.

  3. #3
     Linux Guru Lakshmipathi | Join Date: Sep 2006 | Location: 3rd rock from sun - Often seen near moon | Posts: 1,758

    source : man pam_tally2.so
    Add the following line to /etc/pam.d/login to lock the account after 4 failed logins. Root account will be locked as well. The accounts will be automatically unlocked after 20 minutes. The module does not have to be called in the account phase because the login calls pam_setcred(3) correctly.

    auth required pam_tally2.so deny=4 even_deny_root unlock_time=1200
    I tested it. And you might be interested in pamtester - test pluggable authentication modules (PAM) facility

    HTH
    First they ignore you,Then they laugh at you,Then they fight with you,Then you win. - M.K.Gandhi
    -----
    FOSS India Award winning ext3fs Undelete tool www.giis.co.in. Online Linux Terminal http://www.webminal.org

  4. #4
     Just Joined! | Join Date: Nov 2006 | Location: INDIA, New Delhi | Posts: 27
    Thanks, I will test and let you know, Lakshmipathi.

  5. #5
     Just Joined! | Join Date: Nov 2006 | Location: INDIA, New Delhi | Posts: 27

    Quote Originally Posted by Lakshmipathi:
    source : man pam_tally2.so
    Add the following line to /etc/pam.d/login to lock the account after 4 failed logins. Root account will be locked as well. The accounts will be automatically unlocked after 20 minutes. The module does not have to be called in the account phase because the login calls pam_setcred(3) correctly.

    I tested it. And you might be interested in pamtester - test pluggable authentication modules (PAM) facility

    HTH
    Hi Lakshmi

    I followed your steps. Now it shows me the error message which is quoted below, but a non-privileged user was still able to log in and navigate the home folder, which should not happen. Please suggest.

    test@xx.yy.nn.aa's password:
    Your account is locked. Maximum amount of failed attempts was reached.
    Your account is locked. Maximum amount of failed attempts was reached.
    Your account is locked. Maximum amount of failed attempts was reached.
    Your account is locked. Maximum amount of failed attempts was reached.
    Last login: Tue Aug 3 11:36:35 2010 from xx.yy.zz.nn
    [test@psplrhev01 ~]$
    [test@psplrhev01 ~]$
    [test@psplrhev01 ~]$
    [test@psplrhev01 ~]$ ls
    [test@psplrhev01 ~]$ ls -la
    total 40
    drwx------ 3 test test 4096 Jul 24 16:07 .
    drwxr-xr-x 4 root root 4096 Jul 24 16:03 ..
    -rw------- 1 test test 135 Aug 3 11:29 .bash_history
    -rw-r--r-- 1 test test 33 Jul 24 16:03 .bash_logout
    -rw-r--r-- 1 test test 176 Jul 24 16:03 .bash_profile
    -rw-r--r-- 1 test test 124 Jul 24 16:03 .bashrc
    -rw-r--r-- 1 test test 515 Jul 24 16:03 .emacs
    drwxr-xr-x 4 test test 4096 Jul 24 16:03 .mozilla
    -rw-r--r-- 1 test test 658 Jul 24 16:03 .zshrc

  6. #6
     Linux Guru Lakshmipathi | Join Date: Sep 2006 | Location: 3rd rock from sun - Often seen near moon | Posts: 1,758
    The method I suggested works when you use normal login, not ssh. I haven't tested ssh login.
    If you want to use PAM for ssh then, I think, you need to add these entries in the sshd service.
    If you want to do this without PAM, check the man page of sshd_config; it says something like "MaxAuthTries".

    EDIT -
    Account lock after failed login attempts
    HTH
    First they ignore you,Then they laugh at you,Then they fight with you,Then you win. - M.K.Gandhi
    -----
    FOSS India Award winning ext3fs Undelete tool www.giis.co.in. Online Linux Terminal http://www.webminal.org
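    As an added example that is not code from this thread or from pam_tally2 itself: a pam_tally2 lockout stack for a single service file (the thread suggests testing against one service rather than system-auth), together with a small POSIX shell/awk lint that checks the two placement rules raised in posts #2 and #3 before the file is installed. Both sample stacks, the `include` lines (which assume a RHEL-style system-auth) and the rule logic are my constructions; the pam_tally2 options on the first line are the ones from post #3.

```shell
#!/bin/sh
# Added example, not from the thread: a pam_tally2 lockout stack for a single
# service file such as /etc/pam.d/sshd, plus a lint that checks the placement
# rules discussed in the thread.

# Constructed sample of a working stack. The include lines assume a
# RHEL-style /etc/pam.d/system-auth.
GOOD_STACK='auth     required   pam_tally2.so deny=4 even_deny_root unlock_time=1200
auth     include    system-auth
# optional: resets the counter for services that do not call pam_setcred
account  required   pam_tally2.so
account  include    system-auth
password include    system-auth
session  include    system-auth'

# Constructed sample resembling the original poster's first attempt:
# pam_unix comes first, and deny=/lock_time= sit on the account line.
BAD_STACK='auth     required   pam_unix.so nullok
auth     required   pam_tally.so no_magic_root
account  required   pam_tally.so deny=3 no_magic_root lock_time=180'

# lint_pam_stack: reads a PAM service file on stdin and prints "ok", or one
# line per problem found. Two rules:
#  rule1  deny=, lock_time= and unlock_time= only act on the auth line
#         (post #2); on an account line they do not lock anything.
#  rule2  the pam_tally* auth line must precede pam_unix in the auth section;
#         a "sufficient" pam_unix placed earlier lets a correct password
#         succeed before the lockout check ever runs.
lint_pam_stack() {
    awk '
    BEGIN { problems = 0; tally_auth = 0; unix_auth = 0 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    {
        type = $1; module = $3
        if (module ~ /pam_tally/) {
            if (type == "auth" && !tally_auth) tally_auth = NR
            if (type == "account")
                for (i = 4; i <= NF; i++)
                    if ($i ~ /^(deny|lock_time|unlock_time)=/) {
                        print "rule1: " $i " has no effect on an account line; move it to auth"
                        problems++
                    }
        }
        if (module ~ /pam_unix/ && type == "auth" && !unix_auth) unix_auth = NR
    }
    END {
        if (!tally_auth) { print "rule2: no pam_tally auth line"; problems++ }
        else if (unix_auth && unix_auth < tally_auth) {
            print "rule2: pam_unix auth line precedes the pam_tally auth line"; problems++
        }
        if (!problems) print "ok"
    }'
}

# Wrappers so each constructed sample can be checked by name.
lint_good_stack() { printf '%s\n' "$GOOD_STACK" | lint_pam_stack; }
lint_bad_stack()  { printf '%s\n' "$BAD_STACK"  | lint_pam_stack; }

lint_good_stack    # prints: ok
lint_bad_stack     # prints two rule1 lines and one rule2 line
```

    To use it on a real host, run `lint_pam_stack < /etc/pam.d/sshd` before restarting anything, then exercise the stack with `pamtester sshd test authenticate` (the tool mentioned in post #3), inspect the counter with `pam_tally2 --user=test`, and clear a test account with `pam_tally2 --user=test --reset`. Keeping the change in one service file, as post #2 advises, means a mistake locks out that service only and not every login path on the machine.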

  7. #7
     Just Joined! | Join Date: Nov 2006 | Location: INDIA, New Delhi | Posts: 27
    This also doesn't work with direct login.

  8. #8
     Just Joined! | Join Date: Nov 2006 | Location: INDIA, New Delhi | Posts: 27
    Apologies. The link you provided, Lakshmi, works for me; my problem has been resolved. Thanks a ton for the support.
