PAM, pam_tally, and locking out users after 3 failed login attempts in RHEL5
We have also verified that /var/log/faillog exists and is logging failed attempts, as it lists users' failed attempts and the maximum, which was set to 3 using:
Quote:
faillog -m 3
Is there anything I'm missing? I've been all over and looked at many examples showing the exact same config file lines. I've tried pam_tally, pam_tally2, and no difference there either. This is driving me insane!
Last edited by frail.knight; 02-27-2008 at 11:18 AM.
w/o the arguments and faillog and/or pam_tally still does not lock the user account when # of attempts are exceeded. I have also tried using "login" within pam.d and pam_tally doesn't even count the bad logins. There appears to be a definite bug within system-auth and pam_tally. If anyone has a definite work-around please post.
OK, here's the fix concerning pam_tally. Note there is no "no_magic_root" option for RHEL5. Additionally, no modifications were made to the pam.d "login", "su", "ssh" and "gdm" files. Here's my "system-auth" file.
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally.so per_user deny=3
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
Not only were the no_magic_root options useless, but I had deny=3 in the account section rather than the auth section. Many people have posted incorrect example configs, and this my dear friends is why you can't always trust example config files people share on the net ;p
Thanks again!
I was wondering what error message you guys get whenever you fail to log in on 3 consecutive attempts? I have no problem with the "auth required pam_tally.so onerr=fail deny=3 unlock_time=60" setting, and after 3 consecutive login failures I did get locked out for 60 seconds ... but within those 60 seconds every single login attempt got the "Incorrect username or password ..." error message, so my question is "Is there any way to make the error more intuitive so that the user knows he or she has to wait 60 seconds before the next try?"
I guess there is no way to do that with PAM, based on a quote (below) from the book "Linux System Security: The Administrator's Guide to Open Source Security Tools", p. 83:
"... In the case of failure, it is generally true that the error message displayed to the user will NOT be indicative of the cause of failure. This generic error message approach is a security feature since it limits information that could be used in compromise efforts."
Since this topic is one that seems to cause some trouble (and is required for PCI compliance, and ranks highly in Google for "pam_tally") I thought I'd add a hint that fixed the problem I had with it in the hope that it may help someone else.
The order that plugins are listed in the pam configuration files matters. In particular, the "auth required pam_tally.so" line must come before the "auth sufficient pam_unix.so" line or it will not lock anyone out, even after they have failed the correct number of login attempts.
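An audit script for the two mistakes this thread turned up (deny= on the account line instead of the auth line, and pam_tally.so listed after "auth sufficient pam_unix.so"). This is an added example, not from the thread or from the pam_tally project; the function name and the check messages are my own, and it only inspects a PAM stack file passed as its argument.

```shell
#!/bin/sh
# check_pam_tally_order FILE
# Inspects a PAM stack such as /etc/pam.d/system-auth for the pam_tally
# problems discussed above. Returns 0 when the layout looks right and
# 1 (with a reason on stderr) when a lockout would silently never happen.
check_pam_tally_order() {
    file="$1"
    # Line number of the first "auth required pam_tally.so" (or pam_tally2.so).
    tally_line=$(grep -n -E '^auth[[:space:]]+required[[:space:]]+pam_tally2?\.so' "$file" \
                 | head -n 1 | cut -d: -f1)
    # Line number of the first "auth sufficient pam_unix.so".
    unix_line=$(grep -n -E '^auth[[:space:]]+sufficient[[:space:]]+pam_unix\.so' "$file" \
                | head -n 1 | cut -d: -f1)

    if [ -z "$tally_line" ]; then
        echo "$file: no 'auth required pam_tally.so' line, so failures are never counted" >&2
        return 1
    fi
    # Mistake from the thread: deny=N placed in the account section.
    if grep -q -E '^account[[:space:]]+.*pam_tally2?\.so.*deny=' "$file"; then
        echo "$file: deny= is on an account line; it belongs on the auth pam_tally line" >&2
        return 1
    fi
    # The auth line must actually carry a threshold.
    if ! grep -q -E '^auth[[:space:]]+required[[:space:]]+pam_tally2?\.so.*deny=[0-9]+' "$file"; then
        echo "$file: the auth pam_tally line has no deny=N threshold" >&2
        return 1
    fi
    # Ordering: a correct password satisfies the sufficient pam_unix line and
    # ends the auth stack, so a pam_tally line placed after it is never reached.
    if [ -n "$unix_line" ] && [ "$tally_line" -gt "$unix_line" ]; then
        echo "$file: pam_tally.so (line $tally_line) comes after 'auth sufficient pam_unix.so' (line $unix_line)" >&2
        return 1
    fi
    echo "$file: pam_tally placement and deny= look correct"
    return 0
}
# Usage: check_pam_tally_order /etc/pam.d/system-auth
```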