Display unsuccessful login attempts via pam_lastlog module not working in CentOS5.6

BhushanPathak · 11-08-2013, 04:17 AM

Hello,

I am trying to setup PAM on CentOS 5.6 to accomplish the following -
- help enforce password strength
- control account locking
- print out to SSH users how many unsuccessful logins they have had since their last login

Following is my /etc/pam.d/cs-auth file that I modified to achieve the above -

Code:

#%PAM-1.0
auth required pam_env.so
auth required pam_tally2.so deny=5 onerr=fail unlock_time=900
auth sufficient pam_unix.so  try_first_pass
auth required pam_deny.so

account required pam_access.so
account required pam_tally2.so

password required pam_cracklib.so retry=3 minlen=5 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
password sufficient pam_unix.so use_authtok md5 remember=4
password required pam_deny.so

session optional pam_lastlog.so showfailed nowtmp
session required pam_limits.so

The account locking after 5 attempts, unlocking after 900 seconds works fine. The issue I am facing is number of unsuccessful login attempts is not working.

Am I missing some piece of configuration? I don't have a choice of installing any additional software for this, have to make it work with PAM.

Thanks
Bhushan

kbp · 11-10-2013, 04:40 PM

Maybe try:

Code:

session required pam_lastlog.so noupdate showfailed

BhushanPathak · 11-11-2013, 02:49 AM

Unfortunately, that did not work either. Any other ideas folks?

kbp · 11-11-2013, 02:55 AM

Hang on, what logins is /etc/pam.d/cs-auth supposed to apply to?

BhushanPathak · 11-11-2013, 06:24 AM

The cs-auth file comes from a custom PAM implementation for challenge-response based authentication for remote SSH access.

kbp · 11-11-2013, 03:40 PM

Could you try moving the pam_lastlog line out of cs-auth and into /etc/pam.d/login ?

BhushanPathak · 11-12-2013, 03:27 AM

I removed the line from cs-auth & added it /etc/pam.d/login, but it did not solve the issue. Infact, it used to print last successful login date/time & IP address earlier. Now it does not even print that.

I tried enabling pam debug by following the link -
http://publib.boulder.ibm.com/infoce...ling_debug.htm

That started printing some logs, but no debug logs from PAM, only sshd debug logs.

Thanks
Bhushan

BhushanPathak · 11-14-2013, 05:05 AM

If I am to uninstall the custom PAM module, where would I put in the configuration changes for the requirement described above?