How to activate FAIL_DELAY in /etc/login.defs

ukursat · 05-11-2007, 07:01 AM

Hi all,

My kernel is 2.2.17/ppc and I want to activate FAIL_DELAY in /etc/login.defs. However, when I edited /etc/login.defs for FAIL_DELAY with a value of 60, it did not work. Do I need to use pam_faildelay.so? "login" in my system is under /etc/pam.d.

Can one help me how to activate FAIL_DELAY?

Regards,
kursat

Matir · 05-12-2007, 12:33 AM

Are you trying to delay local logins or SSH? SSH logins do not go through the 'login' process, so I believe login.defs is not involved.

ukursat · 05-14-2007, 01:35 AM

Quote:

Originally Posted by Matir

Are you trying to delay local logins or SSH? SSH logins do not go through the 'login' process, so I believe login.defs is not involved.

Thanks for the reply,
I'm not that much familiar, but my concern is about all login attempts. So, you say login.defs does not apply for ssh. So, I think I need it for local login attempts.

Matir · 05-14-2007, 01:40 AM

Ok... local login would only be someone with physical access (or possibly telnet, but that's not used much)

ukursat · 05-14-2007, 02:33 AM

Quote:

Originally Posted by Matir

Ok... local login would only be someone with physical access (or possibly telnet, but that's not used much)

If local login is not much used, how can I delay ssh attempts for ssh? You told it's not using /etc/login.defs, right?

druuna · 05-14-2007, 03:40 AM

Hi,

It's an option that's found int your /etc/sshd_config file.

Add (or adjust) the following option: AuthInteractiveFailureTimeout <number>

Take a look at man sshd_config for all the available options.

Hope this helps.

ukursat · 05-14-2007, 03:53 AM

Quote:

Originally Posted by druuna

Hi,

It's an option that's found int your /etc/sshd_config file.

Add (or adjust) the following option: AuthInteractiveFailureTimeout <number>

Take a look at man sshd_config for all the available options.

Hope this helps.

Thank you for the ssh option. However I tried it and had below errors while starting sshd.
/etc/init.d/sshd start
Starting sshd: /etc/ssh/sshd_config: line 94: Bad configuration option: AuthInteractiveFailureTimeout
/etc/ssh/sshd_config: terminating, 1 bad configuration options
[FAILED]
sshd: sshd startup failed

My ssh version:
ssh -V
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f

Thank you. I will check man sshd for available option. Maybe my sshd is too old.

druuna · 05-14-2007, 04:35 AM

Hi,

My bad.....

AuthInteractiveFailureTimeout is not an option that openSSH supports (I'm working with too many *nix systems

).

I'm unable to find an option like the one I gave in openSSH. You could try a combination of ChallengeResponseAuthentication yes (the default) and the login-backoff option in the /etc/login.conf (man login.conf for details). I haven't tried this before.

Sorry for the misinformation.....

Matir · 05-14-2007, 09:27 AM

If your SSHD is authenticating against PAM, then I would use pam_faildelay.so. This sleeps before returning to the parent process on authentication failure. If you do not specify a delay in the pam configuration, it will use the delay in login.defs.

Code:

auth  optional  pam_faildelay.so

ukursat · 05-15-2007, 01:47 AM

Quote:

Originally Posted by Matir

If your SSHD is authenticating against PAM, then I would use pam_faildelay.so. This sleeps before returning to the parent process on authentication failure. If you do not specify a delay in the pam configuration, it will use the delay in login.defs.

Code:

auth  optional  pam_faildelay.so

Thank you for the comment. Yes, my sshd is pam controlled. I will try above line in /etc/pam.d/sshd. I did not see this module in my pam.rpm. This is a recent update I guess. Hope my GLIBC will allow to use it