My kernel is 2.2.17/ppc and I want to activate FAIL_DELAY in /etc/login.defs. However, when I edited /etc/login.defs for FAIL_DELAY with a value of 60, it did not work. Do I need to use pam_faildelay.so? "login" in my system is under /etc/pam.d.
Are you trying to delay local logins or SSH? SSH logins do not go through the 'login' process, so I believe login.defs is not involved.
Thanks for the reply,
I'm not that familiar, but my concern is about all login attempts. So, you say login.defs does not apply to ssh. So, I think I need it for local login attempts.
It's an option that's found in your /etc/sshd_config file.
Add (or adjust) the following option: AuthInteractiveFailureTimeout <number>
Take a look at man sshd_config for all the available options.
Hope this helps.
Thank you for the ssh option. However, I tried it and had the errors below while starting sshd.
/etc/init.d/sshd start
Starting sshd: /etc/ssh/sshd_config: line 94: Bad configuration option: AuthInteractiveFailureTimeout
/etc/ssh/sshd_config: terminating, 1 bad configuration options
[FAILED]
sshd: sshd startup failed
AuthInteractiveFailureTimeout is not an option that OpenSSH supports (I'm working with too many *nix systems).
I'm unable to find an option like the one I gave in OpenSSH. You could try a combination of ChallengeResponseAuthentication yes (the default) and the login-backoff option in /etc/login.conf (man login.conf for details). I haven't tried this before.
If your SSHD is authenticating against PAM, then I would use pam_faildelay.so. This sleeps before returning to the parent process on authentication failure. If you do not specify a delay in the pam configuration, it will use the delay in login.defs.
Code:
auth optional pam_faildelay.so
Thank you for the comment. Yes, my sshd is PAM controlled. I will try the above line in /etc/pam.d/sshd. I did not see this module in my pam.rpm. This is a recent update, I guess. Hope my GLIBC will allow me to use it.
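An added example, not part of the thread or written by its posters: a Python check that reads a PAM service file and login.defs and reports the failure delay pam_faildelay would apply, following the fallback to login.defs described in the answer above. The sample file contents and function names are constructed; it assumes, per the pam_faildelay and login.defs man pages, that `delay=` is given in microseconds and FAIL_DELAY in seconds.

```python
import re

# Constructed sample files (not taken from the poster's system).
SAMPLE_PAM_SSHD = """\
#%PAM-1.0
auth       required     pam_env.so
auth       optional     pam_faildelay.so
auth       include      system-auth
account    required     pam_nologin.so
"""
SAMPLE_LOGIN_DEFS = """\
# Delay in seconds before being allowed another attempt after a failure
FAIL_DELAY      60
"""

def login_defs_fail_delay(text):
    """Return FAIL_DELAY (seconds) from login.defs text, or None if unset."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        if len(fields) >= 2 and fields[0] == "FAIL_DELAY" and fields[1].isdigit():
            return int(fields[1])
    return None

def effective_fail_delay(pam_text, login_defs_text):
    """Return (seconds, source) for the first auth pam_faildelay.so line."""
    for line in pam_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lstrip("-") != "auth":
            continue
        # Locate the module token; this also copes with bracketed controls.
        idx = next((i for i, f in enumerate(fields[1:], 1)
                    if f.rsplit("/", 1)[-1] == "pam_faildelay.so"), None)
        if idx is None:
            continue
        for arg in fields[idx + 1:]:
            m = re.fullmatch(r"delay=(\d+)", arg)
            if m:  # explicit value in the PAM line wins (microseconds)
                return int(m.group(1)) / 1_000_000, "pam delay= argument"
        secs = login_defs_fail_delay(login_defs_text)
        if secs is None:
            return None, "pam_faildelay present, no delay value found"
        return float(secs), "login.defs FAIL_DELAY"
    return None, "no auth pam_faildelay.so line"

if __name__ == "__main__":
    print(effective_fail_delay(SAMPLE_PAM_SSHD, SAMPLE_LOGIN_DEFS))
```

To audit a real host, pass the contents of /etc/pam.d/sshd (or /etc/pam.d/login) and /etc/login.defs instead of the sample strings.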