Old 07-31-2014, 07:01 AM   #1
geekslinux
Member
 
Registered: Jun 2013
Posts: 63

Rep: Reputation: Disabled
PAM Login Failures


Hi,

I have configured an account lockout policy so that users who type their password wrongly 3 times get locked out.
However, to my horror, pam_tally2 -u <user> increments even if the password is typed correctly.
After 4 logins all the users got locked. Could anybody help me fix this?


/etc/pam.d/sshd

#%PAM-1.0

auth required pam_tally2.so onerr=fail deny=3 no_magic_root
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth

/etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally2.so onerr=fail deny=3 unlock_time=3600 no_magic_root
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account required pam_tally2.so no_magic_root
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

/etc/ssh/sshd_config

# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
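An added check, written for this thread and not code from the poster or from Linux-PAM: it resolves the include chain of a PAM service file and reports where pam_tally2.so sits, because every auth-phase pam_tally2 entry increments the tally once per attempt, and only an account-phase entry (or a successful pam_setcred) resets it. The /etc/pam.d contents below are constructed to mirror the shape of the files posted above (sshd carrying its own pam_tally2 auth line and including a stack that has another, with no account-phase entry reachable); tally2_in_phase and diagnose are names invented here.

```python
import re

# Constructed stand-in for /etc/pam.d (not the poster's real files): sshd has its
# own pam_tally2 auth line AND includes password-auth, which has another, while
# no account stack reaches a pam_tally2 line, so the counter is never reset.
PAM_D = {
    "sshd": """\
auth     required  pam_tally2.so onerr=fail deny=3 no_magic_root
auth     required  pam_sepermit.so
auth     include   password-auth
account  required  pam_nologin.so
account  include   password-auth
""",
    "password-auth": """\
auth     required  pam_env.so
auth     required  pam_tally2.so onerr=fail deny=3 unlock_time=3600 no_magic_root
auth     sufficient pam_unix.so nullok try_first_pass
auth     [success=1 default=ignore] pam_succeed_if.so uid >= 500 quiet
auth     required  pam_deny.so
account  required  pam_unix.so
account  required  pam_permit.so
""",
}
# type, control (word or [bracketed]), module; an optional '-' prefix is allowed
LINE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def tally2_in_phase(service, phase, files=PAM_D, seen=None):
    """Services whose `phase` stack holds pam_tally2.so, following include/substack
    (which pull in only the same phase's lines). Helper written for this example."""
    seen = set() if seen is None else seen
    if (service, phase) in seen or service not in files:
        return []
    seen.add((service, phase))
    hits = []
    for raw in files[service].splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != phase:
            continue
        control, module = m.group(2), m.group(3).rsplit("/", 1)[-1]
        if control in ("include", "substack"):
            hits += tally2_in_phase(module, phase, files, seen)
        elif module == "pam_tally2.so":
            hits.append(service)
    return hits

def diagnose(service, files=PAM_D):
    """Each auth-phase entry bumps the tally once per attempt; only an account-phase
    entry (or a pam_setcred reset) clears it, so without one correct logins lock too."""
    auth, account = tally2_in_phase(service, "auth", files), tally2_in_phase(service, "account", files)
    return {"increments_per_attempt": len(auth), "reset_in_account": bool(account),
            "locks_after_correct_logins": bool(auth) and not account}
```

Run diagnose("sshd") against the real files by reading /etc/pam.d into a dict keyed by file name; a result with more than one increment per attempt or no account-phase reset is the first thing to fix.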
 
Old 07-31-2014, 03:23 PM   #2
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 737

Rep: Reputation: 78
Which PAM, which distro?
 
Old 08-01-2014, 02:56 AM   #3
geekslinux
Member
 
Registered: Jun 2013
Posts: 63

Original Poster
Rep: Reputation: Disabled
Hi,

Distro is CentOS 6.4 and PAM is pam-1.1.1-13.el6. Thanks in advance.
 
Old 08-01-2014, 02:30 PM   #4
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 737

Rep: Reputation: 78
I had done some extensive PAM stuff (RHEL5) in the past using a different PAM mod. The mod you are using may be faulty, so try a switch.

This should give you an idea of what you need to do via scripting or vi, etc.
Code:
set strong password creation policy using pam_passwdqc

ed /etc/pam.d/system-auth << 'END'
/password.*requisite.*pam_cracklib.so/
d
a
password  required  pam_passwdqc.so min=disabled,disabled,16,12,8 random=0 passphrase=0 retry=3 similar=deny enforce=everyone ask_oldauthtok
.
w
q
END


*****************
set lockout for failed password attempts

sed -i '5i auth\trequired\tpam_tally2.so onerr=fail deny=5 audit' /etc/pam.d/system-auth

******************
use pam_deny.so to deny services

Edit PAM aware services as shown below. For example the sshd service would be
modified as shown below.

ed /etc/pam.d/sshd << 'END'
0a
auth  requisite   pam_deny.so
.
w
q
END

Note: Perform this action for every service that provides authentication and supports PAM.


*******************
upgrade password hashing algorithm to SHA-512

Perform the following to configure the system as recommended:

authconfig --passalgo=sha512

Note: If it is determined that the password algorithm being used is not SHA-512, once it is changed, it is recommended that all user IDs be immediately expired and forced to change their passwords on next login. To accomplish that, the following commands can be used.
Any system accounts that need to be expired should be carefully done separately by the system administrator to prevent any potential problems.

awk -F: '($3 >= 500 && $1 != "nfsnobody") { print $1 }' /etc/passwd | xargs -n 1 chage -d 0

**********************
limit password reuse

ed /etc/pam.d/system-auth << 'END'
/password.*pam_unix.so/
s/$/ remember=12/
w
q
END

Note: The default password setting in this document is the last 5 passwords. Change this number to conform to your site's password policy.
 