PAM, pam_tally, and locking out users after 3 failed login attempts in RHEL5

frail.knight · 02-27-2008, 11:16 AM

I'm trying to lock users out after 3 failed login attempts.

No matter what suggestions/options I try the user is still able to login after 3 or more failed login attempts.

My /etc/pam.d/system-auth includes the following lines:

Quote:

auth required pam_tally.so onerr=fail no_magic_root

account required pam_tally.so deny=3 no_magic_root reset

We have also verified /var/log/faillog exists and is logging failed attempts as it lists users' failed attempts and the max which was set to 3 using:

Quote:

faillog -m 3

Is there anything I'm missing? I've been all over and looked at many examples showing the exact same config file lines. I've tried pam_tally, pam_tally2, and no difference there either. This is driving me insane!

Deleriux · 02-27-2008, 02:39 PM

I have never gotten pam_tally or pam_tally2 to properly work on my systems. I think its broke.

Deleriux · 02-27-2008, 03:03 PM

Well - I've had another bash (you got me inspired!)

I have got it working by doing

Code:

auth           required          pam_tally.so
account        required          pam_tally.so
#works without args

I then have used faillog to set limits instead of doing it in pam.

jhmathis · 03-03-2008, 10:33 AM

I have tried using:

auth required pam_tally.so
account required pam_tally.so

w/o the arguments and faillog and/or pam_tally still does not lock the user account when # of attempts are exceeded. I have also tried using "login" within pam.d and pam_tally doesn't even count the bad logins. There appears to be a definite bug within system-auth and pam_tally. If anyone has a definite work-around please post.

jhmathis · 03-04-2008, 12:09 PM

OK, here's the fix concerning pam_tally. Note there is no "no_magic_root" option for RHEL5. Additionally, no modifications were made to the pam.d "login", "su", "ssh" and "gdm" files. Here's my "system-auth" file.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally.so per_user deny=3
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password required pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

P.S. You can monitor pam_tally activity via /var/log/secure "tail -f /var/log/secure"

-Jim

frail.knight · 03-05-2008, 07:56 AM

Quote:

Originally Posted by jhmathis

OK, here's the fix concerning pam_tally. Note there is no "no_magic_root" option for RHEL5. Additionally, no modifications were made to the pam.d "login", "su", "ssh" and "gdm" files. Here's my "system-auth" file.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally.so per_user deny=3
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password required pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

P.S. You can monitor pam_tally activity via /var/log/secure "tail -f /var/log/secure"

-Jim

Thanks, finally have it working with these lines:

Quote:

auth required pam_tally.so onerr=fail deny=3
account required pam_tally.so reset

Not only were the no_magic_root options useless, but I had deny=3 in the account section rather than the auth section. Many people have posted incorrect example configs, and this my dear friends is why you can't always trust example config files people share on the net ;p

Thanks again!

dmak168 · 08-30-2008, 01:59 AM

Quote:

Originally Posted by frail.knight

Thanks, finally have it working with these lines:

Not only were the no_magic_root options useless, but I had deny=3 in the account section rather than the auth section. Many people have posted incorrect example configs, and this my dear friends is why you can't always trust example config files people share on the net ;p

Thanks again!

I was wondering what error message do you guys get whenever you failed to login in 3 consecutive attemps ? I have no problem with the "auth required pam_tally.so onerr=fail deny=3 unlock_time=60" setting and after 3 consecutive login fail I did get locked out for 60 seconds ... but within that 60 seconds every single login attemp I got "Incorrect username or password ..." error message, so my question is "Is there any way to make the error more intuitive so that user know he or she have to wait for 60 seconds before next try ?"

Thanks,
David

filex · 09-03-2008, 10:46 AM

I think it's good to have proper error message about faillog. Anyone have any idea to show that error message?

dmak168 · 09-03-2008, 01:08 PM

I guess there is no way to do that with PAM based on a quote(below) from the book 'Linux System Security: The Administrator's Guide to Open Source Security Tools" p.83

"... In the case of failure, it is generally true that the error message displayed to the user will NOT be indicative of the cause of failure. This generic error message approach is a security feature since it limits information that could be used in compromise efforts."

David

Ladadadada · 09-15-2009, 09:20 AM

Since this topic is one that seems to cause some trouble (and is required for PCI compliance, and ranks highly in Google for "pam_tally") I thought I'd add a hint that fixed the problem I had with it in the hope that it may help someone else.

The order that plugins are listed in the pam configuration files matters. In particular, the "auth required pam_tally.so" line must come before the "auth sufficient pam_unix.so" line or it will not lock anyone out, even after they have failed the correct number of login attempts.

GT3NE1 · 03-17-2011, 04:06 PM

Quote:

Originally Posted by Ladadadada

Since this topic is one that seems to cause some trouble (and is required for PCI compliance, and ranks highly in Google for "pam_tally") I thought I'd add a hint that fixed the problem I had with it in the hope that it may help someone else.

The order that plugins are listed in the pam configuration files matters. In particular, the "auth required pam_tally.so" line must come before the "auth sufficient pam_unix.so" line or it will not lock anyone out, even after they have failed the correct number of login attempts.

Logged in just to say thank you!