LinuxQuestions.org
Old 05-11-2007, 07:01 AM   #1
ukursat
LQ Newbie
 
Registered: Apr 2007
Posts: 11

Rep: Reputation: 0
How to activate FAIL_DELAY in /etc/login.defs


Hi all,

My kernel is 2.2.17/ppc and I want to activate FAIL_DELAY in /etc/login.defs. However, when I edited /etc/login.defs for FAIL_DELAY with a value of 60, it did not work. Do I need to use pam_faildelay.so? "login" in my system is under /etc/pam.d.

Can anyone help me activate FAIL_DELAY?

Regards,
kursat
 
Old 05-12-2007, 12:33 AM   #2
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118
Are you trying to delay local logins or SSH? SSH logins do not go through the 'login' process, so I believe login.defs is not involved.
 
Old 05-14-2007, 01:35 AM   #3
ukursat
LQ Newbie
 
Registered: Apr 2007
Posts: 11

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Matir
Are you trying to delay local logins or SSH? SSH logins do not go through the 'login' process, so I believe login.defs is not involved.
Thanks for the reply,
I'm not that familiar with this, but my concern is about all login attempts. So, you say login.defs does not apply to ssh. So, I think I need it for local login attempts.
 
Old 05-14-2007, 01:40 AM   #4
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118
Ok... local login would only be someone with physical access (or possibly telnet, but that's not used much)
 
Old 05-14-2007, 02:33 AM   #5
ukursat
LQ Newbie
 
Registered: Apr 2007
Posts: 11

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Matir
Ok... local login would only be someone with physical access (or possibly telnet, but that's not used much)
If local login is not used much, how can I delay login attempts for ssh? You said it's not using /etc/login.defs, right?
 
Old 05-14-2007, 03:40 AM   #6
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2371
Hi,

It's an option that's found in your /etc/sshd_config file.

Add (or adjust) the following option: AuthInteractiveFailureTimeout <number>

Take a look at man sshd_config for all the available options.

Hope this helps.
 
Old 05-14-2007, 03:53 AM   #7
ukursat
LQ Newbie
 
Registered: Apr 2007
Posts: 11

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by druuna
Hi,

It's an option that's found in your /etc/sshd_config file.

Add (or adjust) the following option: AuthInteractiveFailureTimeout <number>

Take a look at man sshd_config for all the available options.

Hope this helps.

Thank you for the ssh option. However, I tried it and got the errors below while starting sshd.
/etc/init.d/sshd start
Starting sshd: /etc/ssh/sshd_config: line 94: Bad configuration option: AuthInteractiveFailureTimeout
/etc/ssh/sshd_config: terminating, 1 bad configuration options
[FAILED]
sshd: sshd startup failed

My ssh version:
ssh -V
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f


Thank you. I will check man sshd for available options. Maybe my sshd is too old.
 
Old 05-14-2007, 04:35 AM   #8
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2371
Hi,

My bad.....

AuthInteractiveFailureTimeout is not an option that openSSH supports (I'm working with too many *nix systems).

I'm unable to find an option like the one I gave in openSSH. You could try a combination of ChallengeResponseAuthentication yes (the default) and the login-backoff option in the /etc/login.conf (man login.conf for details). I haven't tried this before.

Sorry for the misinformation.....
 
Old 05-14-2007, 09:27 AM   #9
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118
If your SSHD is authenticating against PAM, then I would use pam_faildelay.so. This sleeps before returning to the parent process on authentication failure. If you do not specify a delay in the pam configuration, it will use the delay in login.defs.
Code:
auth  optional  pam_faildelay.so
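
A check for the setup described in the post above, added here as an example and not part of the original thread: it reports which delay pam_faildelay.so would apply for a PAM service file, using the module's delay= argument (microseconds) when present and otherwise FAIL_DELAY from login.defs (seconds). The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): which failure delay applies to a PAM service?

# effective_faildelay PAM_FILE LOGIN_DEFS
# Prints the delay in microseconds, "not-configured" when no active auth line
# loads pam_faildelay.so, or "no-value" when neither delay= nor FAIL_DELAY is set.
effective_faildelay() {
    pam_file=$1
    login_defs=$2
    # First active (uncommented) auth line that loads the module.
    line=$(awk '$1 == "auth" && /pam_faildelay\.so/ { print; exit }' "$pam_file")
    if [ -z "$line" ]; then echo "not-configured"; return 0; fi
    # An explicit delay=N argument is given in microseconds.
    usec=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:]]delay=\([0-9][0-9]*\).*/\1/p')
    if [ -n "$usec" ]; then echo "$usec"; return 0; fi
    # Otherwise the module falls back to FAIL_DELAY in login.defs (seconds).
    sec=$(awk '$1 == "FAIL_DELAY" { print $2; exit }' "$login_defs")
    case $sec in
        ''|*[!0-9]*) echo "no-value" ;;
        *) echo $((sec * 1000000)) ;;
    esac
}

# write_samples DIR: constructed sample files standing in for
# /etc/pam.d/sshd and /etc/login.defs.
write_samples() {
    printf 'auth  optional  pam_faildelay.so  delay=3000000\nauth  required  pam_unix.so\n' > "$1/sshd.explicit"
    printf 'auth  optional  pam_faildelay.so\nauth  required  pam_unix.so\n' > "$1/sshd.fallback"
    printf '#auth  optional  pam_faildelay.so\nauth  required  pam_unix.so\n' > "$1/sshd.commented"
    printf '# FAIL_DELAY 5\nFAIL_DELAY   60\n' > "$1/login.defs"
    printf '# FAIL_DELAY not set\n' > "$1/login.defs.empty"
}

demo() {
    d=$(mktemp -d)
    write_samples "$d"
    for f in sshd.explicit sshd.fallback sshd.commented; do
        printf '%s: %s\n' "$f" "$(effective_faildelay "$d/$f" "$d/login.defs")"
    done
    rm -rf "$d"
}
demo
```

On a real host, point the function at /etc/pam.d/sshd and /etc/login.defs; a result of "not-configured" means the module line is missing or commented out in that service file.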
 
Old 05-15-2007, 01:47 AM   #10
ukursat
LQ Newbie
 
Registered: Apr 2007
Posts: 11

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Matir
If your SSHD is authenticating against PAM, then I would use pam_faildelay.so. This sleeps before returning to the parent process on authentication failure. If you do not specify a delay in the pam configuration, it will use the delay in login.defs.
Code:
auth  optional  pam_faildelay.so
Thank you for the comment. Yes, my sshd is pam controlled. I will try the above line in /etc/pam.d/sshd. I did not see this module in my pam.rpm. This is a recent update, I guess. Hope my GLIBC will allow me to use it.
 
  

