account lock after 3 unsuccessful attempts not happening
Hello
I am trying to set up account lock after 3 failed login attempts, but I am not getting a positive output.
I followed this page as well, but still no luck: http://www.linuxquestions.org/questi...-rhel5-624257/
OS: RHEL 5.2
Code:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
auth required pam_tally.so onerr=fail deny=3 unlock_time=60
account required pam_tally.so reset
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
auth required pam_tally.so no_magic_root
account required pam_tally.so deny=3 no_magic_root lock_time=180
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
I am trying to log in with PuTTY and it still goes for 7 attempts before the session gives the error "too many authentication failures for root".
Do I need to restart some service or restart the machine for the changes to take effect?
# tail -f /var/log/secure
Feb 16 12:50:01 server crond[9595]: pam_tally(crond:account): option lock_time=180 allowed in auth phase only
Feb 16 13:00:01 server crond[9622]: pam_tally(crond:account): option deny=3 allowed in auth phase only
Feb 16 13:00:01 server crond[9622]: pam_tally(crond:account): unknown option: no_magic_root
Feb 16 13:00:01 server crond[9622]: pam_tally(crond:account): option lock_time=180 allowed in auth phase only
Feb 16 13:00:01 server crond[9623]: pam_tally(crond:account): option deny=3 allowed in auth phase only
Feb 16 13:00:01 server crond[9623]: pam_tally(crond:account): unknown option: no_magic_root
Feb 16 13:00:01 server crond[9623]: pam_tally(crond:account): option lock_time=180 allowed in auth phase only
Feb 16 13:01:01 server crond[9639]: pam_tally(crond:account): option deny=3 allowed in auth phase only
Feb 16 13:01:01 server crond[9639]: pam_tally(crond:account): unknown option: no_magic_root
Feb 16 13:01:01 server crond[9639]: pam_tally(crond:account): option lock_time=180 allowed in auth phase only
It seems my OS is unable to recognise the option "no_magic_root".
Does it work for RHEL?
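Added example (not part of any post in this thread): a small lint that reports the three problems visible in the configuration and log output above, namely options that pam_tally logs as "allowed in auth phase only" appearing on an `account` line, the option it logs as unknown, and an `auth` tally line placed after a `sufficient` module, where a correct password ends the auth stack before the tally is consulted. The function name and issue labels are hypothetical, `POSTED` is trimmed from the second configuration above, and `REORDERED` is a constructed reordering for comparison, not a configuration from the thread.

```python
import re

# deny= and lock_time= are the options the log above flags as "allowed in auth
# phase only"; unlock_time= is listed with them under the auth options in pam_tally(8).
AUTH_ONLY = ("deny", "lock_time", "unlock_time")
# Option this pam_tally build rejected as "unknown option" in the log above.
UNKNOWN = ("no_magic_root",)
LINE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def lint_tally(pam_text):
    """Return sorted (line_no, issue) findings for pam_tally/pam_tally2 entries."""
    findings, early_exit = [], None
    for no, raw in enumerate(pam_text.splitlines(), 1):
        m = LINE.match(raw.strip())
        if not m:                      # blank lines and '#' comments do not match
            continue
        phase, control, module = m.group(1, 2, 3)
        if phase == "auth" and control == "sufficient" and early_exit is None:
            early_exit = no            # success here ends the auth stack at once
        if not re.search(r"pam_tally2?\.so$", module):
            continue
        if phase == "auth" and early_exit is not None:
            findings.append((no, "after-sufficient:line%d" % early_exit))
        for opt in m.group(4).split():
            name = opt.split("=", 1)[0]
            if name in UNKNOWN:
                findings.append((no, "unknown:" + name))
            if phase == "account" and name in AUTH_ONLY:
                findings.append((no, "auth-only:" + name))
    return sorted(findings)

# Trimmed from the second configuration posted above.
POSTED = """\
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
auth required pam_tally.so no_magic_root
account required pam_tally.so deny=3 no_magic_root lock_time=180
"""
# Constructed reordering: tally before pam_unix, thresholds on the auth line only.
REORDERED = """\
auth required pam_tally.so onerr=fail deny=3 unlock_time=60
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_tally.so
"""
```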
#cat /var/log/secure
Feb 17 17:20:01 server crond[3111]: pam_unix(crond:session): session closed for user root
Feb 17 17:30:01 server crond[3129]: pam_unix(crond:session): session opened for user root by (uid=0)
Feb 17 17:30:01 server crond[3129]: pam_unix(crond:session): session closed for user root
Feb 17 17:31:23 server sshd[3133]: Failed password for root from 10.10.10.30 port 51509 ssh2
Feb 17 17:31:25 server last message repeated 5 times
Feb 17 17:31:25 server sshd[3134]: Disconnecting: Too many authentication failures for root
Feb 17 17:40:01 server crond[3149]: pam_unix(crond:session): session opened for user root by (uid=0)
Feb 17 17:40:01 server crond[3149]: pam_unix(crond:session): session closed for user root
Feb 17 17:47:08 server sshd[3161]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.30 user=root
Feb 17 17:47:11 server sshd[3161]: Failed password for root from 10.10.10.30 port 51642 ssh2
Feb 17 17:47:20 server last message repeated 3 times
Feb 17 17:47:22 server sshd[3162]: Connection closed by 10.10.10.30
Feb 17 17:47:22 server sshd[3161]: PAM 3 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.30 user=root
Feb 17 17:47:22 server sshd[3161]: PAM service(sshd) ignoring max retries; 4 > 3
Feb 17 17:47:27 server gdm[3056]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=root
Feb 17 17:47:42 server last message repeated 3 times
Feb 17 17:47:56 server sshd[3165]: Accepted password for root from 10.10.10.30 port 51644 ssh2
Feb 17 17:47:56 server sshd[3165]: pam_unix(sshd:session): session opened for user root by (uid=0)
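Added example (not part of any post in this thread): counting failed SSH password attempts per user and source address from `/var/log/secure` lines like those above, including the syslog "last message repeated N times" lines, which a plain grep for "Failed password" would miss. The function names and the threshold parameter are hypothetical; the sample lines are copied from the excerpt above.

```python
import re
from collections import Counter

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
REPEAT = re.compile(r"last message repeated (\d+) times")

def count_failures(lines):
    """Count failed sshd passwords per (user, source), expanding syslog repeats."""
    counts, last_key = Counter(), None
    for line in lines:
        m = FAILED.search(line)
        if m:
            last_key = (m.group(1), m.group(2))
            counts[last_key] += 1
            continue
        r = REPEAT.search(line)
        if r and last_key:
            # The repeat line stands for N more copies of the previous message.
            counts[last_key] += int(r.group(1))
        last_key = None                # any other message ends the run
    return counts

def over_threshold(counts, deny=3):
    """Return the (user, source) pairs with at least `deny` failures."""
    return sorted(k for k, n in counts.items() if n >= deny)

# Sample lines copied from the /var/log/secure excerpt above.
SAMPLE = """\
Feb 17 17:31:23 server sshd[3133]: Failed password for root from 10.10.10.30 port 51509 ssh2
Feb 17 17:31:25 server last message repeated 5 times
Feb 17 17:31:25 server sshd[3134]: Disconnecting: Too many authentication failures for root
Feb 17 17:47:11 server sshd[3161]: Failed password for root from 10.10.10.30 port 51642 ssh2
Feb 17 17:47:20 server last message repeated 3 times
Feb 17 17:47:27 server gdm[3056]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=root
Feb 17 17:47:42 server last message repeated 3 times
""".splitlines()

def naive_count(lines):
    """What counting only the literal 'Failed password' lines would report."""
    return sum(1 for line in lines if "Failed password" in line)
```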
If you are only checking by ssh, it may be that (assumption ->) OpenSSH is not configured to use pam. (The default UsePAM value is set to `no'[1]) You can validate using grep like so:
Code:
$ grep UsePAM /etc/ssh/sshd_config # The location of sshd_config may differ on your machine.
UsePAM yes
$
If OpenSSH is not configured to use PAM then the pam_tally module will never be triggered.
Update your sshd_config file if needed, and restart sshd.
[1] man 5 sshd_config # search for UsePAM
Last edited by zer0python; 02-17-2012 at 05:28 PM.
Now I was trying the same on my CentOS 6 machine and the logs are quite surprising.
Code:
# cat /var/log/secure
Feb 27 11:39:54 server sshd[3677]: Failed password for root from 10.10.10.30 port 57619 ssh2
Feb 27 11:44:53 server sshd[3704]: Failed password for root from 10.10.10.30 port 57744 ssh2
Feb 27 11:44:54 server sshd[3704]: Failed password for root from 10.10.10.30 port 57744 ssh2
Feb 27 11:44:54 server sshd[3704]: Failed password for root from 10.10.10.30 port 57744 ssh2
Feb 27 11:44:57 server sshd[3705]: Connection closed by 10.10.10.30
Feb 27 11:45:54 server sshd[3710]: Failed password for root from 10.10.10.30 port 57752 ssh2
Feb 27 11:45:54 server sshd[3710]: Failed password for root from 10.10.10.30 port 57752 ssh2
Feb 27 11:45:55 server sshd[3710]: Failed password for root from 10.10.10.30 port 57752 ssh2
Feb 27 11:45:55 server sshd[3710]: Failed password for root from 10.10.10.30 port 57752 ssh2
Feb 27 11:45:56 server sshd[3711]: Disconnecting: Too many authentication failures for root
Feb 27 11:45:56 server sshd[3710]: Failed password for root from 10.10.10.30 port 57752 ssh2
Feb 27 11:47:52 server sshd[3717]: Failed password for root from 10.10.10.30 port 57756 ssh2
Feb 27 11:47:53 server sshd[3717]: Failed password for root from 10.10.10.30 port 57756 ssh2
Feb 27 11:47:53 server sshd[3717]: Failed password for root from 10.10.10.30 port 57756 ssh2
Feb 27 11:47:53 server sshd[3717]: Failed password for root from 10.10.10.30 port 57756 ssh2
Feb 27 11:47:54 server sshd[3717]: Failed password for root from 10.10.10.30 port 57756 ssh2
Feb 27 11:47:54 server sshd[3718]: Disconnecting: Too many authentication failures for root
Feb 27 11:48:11 server pam: gdm-password[2029]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=root
Feb 27 11:48:18 server pam: gdm-password[3722]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=root
Feb 27 11:48:23 server pam: gdm-password[3723]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=root
Feb 27 11:48:30 server pam: gdm-password[3724]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=root
Feb 27 11:48:35 server pam: gdm-password[3725]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=root
Feb 27 11:48:39 server pam: gdm-password[3727]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=root
Feb 27 11:48:45 server pam: gdm-password[3728]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=root
Feb 27 11:50:28 server sshd[3737]: Failed password for root from 10.10.10.30 port 57761 ssh2
Feb 27 11:50:28 server sshd[3737]: Failed password for root from 10.10.10.30 port 57761 ssh2
Feb 27 11:50:29 server sshd[3737]: Failed password for root from 10.10.10.30 port 57761 ssh2
Feb 27 11:50:29 server sshd[3737]: Failed password for root from 10.10.10.30 port 57761 ssh2
Feb 27 11:50:29 server sshd[3738]: Disconnecting: Too many authentication failures for root
Feb 27 11:50:29 server sshd[3737]: Failed password for root from 10.10.10.30 port 57761 ssh2
Feb 27 11:51:36 server sshd[3745]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.30 user=root
Feb 27 11:51:38 server sshd[3745]: Failed password for root from 10.10.10.30 port 57764 ssh2
Feb 27 11:51:39 server sshd[3745]: Failed password for root from 10.10.10.30 port 57764 ssh2
Feb 27 11:51:39 server sshd[3745]: Failed password for root from 10.10.10.30 port 57764 ssh2
Feb 27 11:51:40 server sshd[3745]: Failed password for root from 10.10.10.30 port 57764 ssh2
Feb 27 11:51:40 server sshd[3745]: Failed password for root from 10.10.10.30 port 57764 ssh2
Feb 27 11:51:40 server sshd[3745]: Failed password for root from 10.10.10.30 port 57764 ssh2
Feb 27 11:51:40 server sshd[3746]: Disconnecting: Too many authentication failures for root
Feb 27 11:51:57 server sshd[3750]: Failed password for root from 10.10.10.30 port 57765 ssh2
Feb 27 11:51:57 server sshd[3750]: Failed password for root from 10.10.10.30 port 57765 ssh2
Feb 27 11:51:57 server sshd[3750]: Failed password for root from 10.10.10.30 port 57765 ssh2
Feb 27 11:51:58 server sshd[3750]: Failed password for root from 10.10.10.30 port 57765 ssh2
Feb 27 11:51:58 server sshd[3751]: Disconnecting: Too many authentication failures for root
Feb 27 11:51:58 server sshd[3750]: Failed password for root from 10.10.10.30 port 57765 ssh2
Why is it changing the port no. every time? I have not changed the default ssh port no., so it should be using 22, but here I see something different.
Me too. I'm working on a CentOS 6.2 system and trying to achieve the same goal. I added one line per the man page for pam_tally2 and now my /etc/pam.d/sshd file looks like this:
#%PAM-1.0
auth required pam_sepermit.so
auth required pam_tally2.so deny=3 unlock_time=100
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
To test, I connected to the machine with ssh and typed my password wrong 3 times, then connected a second time and typed it wrong another 3 times. I see that the /var/log/tallylog file was created (was not being updated before I added the line), and output from running the pam_tally2 program shows the 6 failures. So that module is definitely being called. But the pam_tally2.so module is NOT preventing me from trying repeatedly.
I checked the sshd configuration /etc/ssh/sshd_config and it has "UsePAM yes" as well as "UsePAM yes".
Can't make it work and can't find forum posts that make it work in CentOS 6.2. Further suggestions are very welcome, thanks in advance.
I think it's actually working fine, it just didn't match my expectations.
After I edited the file as described above, I checked and I see that the /var/log/tallylog file is being updated. Running the pam_tally2 program shows the contents of that log.
The problem was all in my head. I thought that pam_tally2.so would somehow prevent the user from repeatedly trying to log in via ssh. It does not prevent *attempts*. However, it *does* block successful login after a series of failed login attempts. In other words, the ssh user types the proper account user name and password, but the credentials are rejected when too many attempts have been made. Confusingly, no message or other indication is shown to the user coming in via an SSH client. I think that this is a miss, but the PAM design doesn't seem to allow for it.