LinuxQuestions.org
Old 02-27-2008, 12:16 PM   #1
frail.knight
LQ Newbie
 
Registered: Feb 2008
Posts: 2

Rep: Reputation: 0
PAM, pam_tally, and locking out users after 3 failed login attempts in RHEL5


I'm trying to lock users out after 3 failed login attempts.

No matter what suggestions/options I try the user is still able to login after 3 or more failed login attempts.

My /etc/pam.d/system-auth includes the following lines:

Quote:
auth required pam_tally.so onerr=fail no_magic_root

account required pam_tally.so deny=3 no_magic_root reset
We have also verified /var/log/faillog exists and is logging failed attempts, as it lists users' failed attempts and the max, which was set to 3 using:

Quote:
faillog -m 3
Is there anything I'm missing? I've been all over and looked at many examples showing the exact same config file lines. I've tried pam_tally, pam_tally2, and no difference there either. This is driving me insane!

Last edited by frail.knight; 02-27-2008 at 12:18 PM.
 
Old 02-27-2008, 03:39 PM   #2
Deleriux
Member
 
Registered: Nov 2003
Posts: 89

Rep: Reputation: 16
I have never gotten pam_tally or pam_tally2 to properly work on my systems. I think it's broken.
 
Old 02-27-2008, 04:03 PM   #3
Deleriux
Member
 
Registered: Nov 2003
Posts: 89

Rep: Reputation: 16
Well - I've had another bash (you got me inspired!)

I have got it working by doing

Code:
auth           required          pam_tally.so
account        required          pam_tally.so
#works without args
I then have used faillog to set limits instead of doing it in pam.
 
Old 03-03-2008, 11:33 AM   #4
jhmathis
LQ Newbie
 
Registered: Oct 2007
Posts: 7

Rep: Reputation: 0
pam_tally fails

I have tried using:

auth required pam_tally.so
account required pam_tally.so

w/o the arguments and faillog and/or pam_tally still does not lock the user account when the number of attempts is exceeded. I have also tried using "login" within pam.d and pam_tally doesn't even count the bad logins. There appears to be a definite bug within system-auth and pam_tally. If anyone has a definite work-around please post.
 
Old 03-04-2008, 01:09 PM   #5
jhmathis
LQ Newbie
 
Registered: Oct 2007
Posts: 7

Rep: Reputation: 0
OK, here's the fix concerning pam_tally. Note there is no "no_magic_root" option for RHEL5. Additionally, no modifications were made to the pam.d "login", "su", "ssh" and "gdm" files. Here's my "system-auth" file.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally.so per_user deny=3
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password required pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

P.S. You can monitor pam_tally activity via /var/log/secure "tail -f /var/log/secure"

-Jim
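Building on Jim's P.S. about watching /var/log/secure, here is an added example (my code, not Jim's and not part of Linux-PAM) that reads the lines a "tail -f /var/log/secure" or a saved copy of the log would give you and summarises, per user, how many pam_unix authentication failures were seen, from which remote hosts, and whether pam_tally has started refusing the account. The pam_unix "authentication failure; ... rhost= ... user=" layout is the standard one; the pam_tally notice layout, "user NAME (UID) tally N, deny M", is the one I recall pam_tally writing when it denies a login, so treat that regex as an assumption and compare it against a real line from your own log. The sample log inside the script is constructed, not captured from a host.

```python
"""Summarise failed logins and pam_tally denials from /var/log/secure.

Added example, not from the thread or from Linux-PAM. Reads syslog-style
lines (a file named on the command line, or the constructed sample below)
and reports per user: pam_unix failures, source hosts, and pam_tally
denials. The pam_tally message layout is ASSUMED from memory of the
module's notice; verify it against a real log line before relying on it.
"""
import re
import sys
from collections import defaultdict

SYSLOG_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>\S+): "

# Standard pam_unix failure record: '... authentication failure; ... rhost=H  user=U'
FAIL_RE = re.compile(
    SYSLOG_PREFIX
    + r"pam_unix\((?P<service>[^:]+):auth\): authentication failure;"
    + r".*?rhost=(?P<rhost>\S*).*?user=(?P<user>\S+)")

# ASSUMED layout of the notice pam_tally / pam_tally2 log when refusing a login.
LOCK_RE = re.compile(
    SYSLOG_PREFIX
    + r"pam_tally2?\((?P<service>[^:]+):auth\): user (?P<user>\S+) "
    + r"\((?P<uid>\d+)\) tally (?P<tally>\d+), deny (?P<deny>\d+)")


def parse_line(line):
    """Classify one log line as ('failure', fields), ('lockout', fields) or None."""
    m = FAIL_RE.match(line)
    if m:
        return "failure", m.groupdict()
    m = LOCK_RE.match(line)
    if m:
        fields = m.groupdict()
        fields["tally"], fields["deny"] = int(fields["tally"]), int(fields["deny"])
        return "lockout", fields
    return None


def new_user_state():
    return {"failures": 0, "rhosts": set(), "lockouts": 0, "tally": 0, "deny": None}


def summarize(lines):
    """Fold log lines into {user: state}; later lines update earlier ones."""
    users = defaultdict(new_user_state)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                      # session opens, cron, other noise
        kind, f = ev
        u = users[f["user"]]
        if kind == "failure":
            u["failures"] += 1
            if f["rhost"]:                # local console logins carry an empty rhost
                u["rhosts"].add(f["rhost"])
        else:
            u["lockouts"] += 1
            u["tally"] = max(u["tally"], f["tally"])
            u["deny"] = f["deny"]
    return dict(users)


def locked_users(state):
    """Users for whom at least one pam_tally denial notice was seen."""
    return sorted(u for u, s in state.items() if s["lockouts"] > 0)


# Constructed sample log: three bad ssh passwords for alice, then a denial,
# one bad console password for bob, and one unrelated session line.
SAMPLE_LOG = """\
Mar  4 13:08:52 rhel5 sshd[2101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5  user=alice
Mar  4 13:08:57 rhel5 sshd[2101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5  user=alice
Mar  4 13:09:03 rhel5 sshd[2101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5  user=alice
Mar  4 13:09:10 rhel5 sshd[2104]: pam_tally(sshd:auth): user alice (500) tally 4, deny 3
Mar  4 13:09:10 rhel5 sshd[2104]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5  user=alice
Mar  4 13:12:41 rhel5 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=bob
Mar  4 13:12:45 rhel5 login: pam_unix(login:session): session opened for user bob by LOGIN(uid=0)
"""

if __name__ == "__main__":
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for user, s in sorted(summarize(lines).items()):
        print("%-10s failures=%d rhosts=%s tally=%s/%s %s" % (
            user, s["failures"], ",".join(sorted(s["rhosts"])) or "-",
            s["tally"], s["deny"], "LOCKED OUT" if s["lockouts"] else ""))
```

Run it as "python tally_watch.py /var/log/secure" (name assumed) to get the per-user table; with no argument it runs over the constructed sample. Since the user only ever sees the generic "incorrect password" message, this view from the log side is how an admin tells a forgotten password from a lockout.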
 
Old 03-05-2008, 08:56 AM   #6
frail.knight
LQ Newbie
 
Registered: Feb 2008
Posts: 2

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by jhmathis
OK, here's the fix concerning pam_tally. Note there is no "no_magic_root" option for RHEL5. Additionally, no modifications were made to the pam.d "login", "su", "ssh" and "gdm" files. Here's my "system-auth" file.
Thanks, finally have it working with these lines:

Quote:
auth required pam_tally.so onerr=fail deny=3
account required pam_tally.so reset
Not only were the no_magic_root options useless, but I had deny=3 in the account section rather than the auth section. Many people have posted incorrect example configs, and this my dear friends is why you can't always trust example config files people share on the net ;p

Thanks again!
 
Old 08-30-2008, 02:59 AM   #7
dmak168
LQ Newbie
 
Registered: Aug 2008
Posts: 7

Rep: Reputation: 0
Quote:
Originally Posted by frail.knight
Thanks, finally have it working with these lines:

Not only were the no_magic_root options useless, but I had deny=3 in the account section rather than the auth section. Many people have posted incorrect example configs, and this my dear friends is why you can't always trust example config files people share on the net ;p

Thanks again!
I was wondering what error message you guys get whenever you fail to log in 3 consecutive times? I have no problem with the "auth required pam_tally.so onerr=fail deny=3 unlock_time=60" setting, and after 3 consecutive login failures I did get locked out for 60 seconds ... but within those 60 seconds every single login attempt gave me the "Incorrect username or password ..." error message, so my question is "Is there any way to make the error more intuitive so that the user knows he or she has to wait 60 seconds before the next try?"


Thanks,
David

Last edited by dmak168; 08-30-2008 at 03:01 AM.
 
Old 09-03-2008, 11:46 AM   #8
filex
Member
 
Registered: Sep 2004
Posts: 56

Rep: Reputation: 15
I think it's good to have a proper error message about faillog. Does anyone have any idea how to show that error message?
 
Old 09-03-2008, 02:08 PM   #9
dmak168
LQ Newbie
 
Registered: Aug 2008
Posts: 7

Rep: Reputation: 0
I guess there is no way to do that with PAM, based on a quote (below) from the book 'Linux System Security: The Administrator's Guide to Open Source Security Tools', p. 83:

"... In the case of failure, it is generally true that the error message displayed to the user will NOT be indicative of the cause of failure. This generic error message approach is a security feature since it limits information that could be used in compromise efforts."


David
 
Old 09-15-2009, 10:20 AM   #10
Ladadadada
LQ Newbie
 
Registered: Mar 2009
Location: London
Distribution: Mac OS X, Solaris, Ubuntu, Debian, Redhat
Posts: 2

Rep: Reputation: 0
Since this topic is one that seems to cause some trouble (and is required for PCI compliance, and ranks highly in Google for "pam_tally") I thought I'd add a hint that fixed the problem I had with it in the hope that it may help someone else.

The order that plugins are listed in the pam configuration files matters. In particular, the "auth required pam_tally.so" line must come before the "auth sufficient pam_unix.so" line or it will not lock anyone out, even after they have failed the correct number of login attempts.
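Three of the pitfalls in this thread are visible in the config file itself: deny=3 on the account line instead of the auth line (post #6), pam_tally listed after the sufficient pam_unix line (post #10), and the no_magic_root option that RHEL5's pam_tally doesn't have (post #5). Here is an added checker (my code, not anything posted in the thread and not part of Linux-PAM) that parses a system-auth style file and reports those three conditions. The sample configs inside it are constructed to mirror the OP's lines, Jim's working file, and the misordering Ladadadada describes.

```python
"""Lint a PAM service file (e.g. /etc/pam.d/system-auth) for the pam_tally
pitfalls reported in this thread. Added example; not from the thread or from
Linux-PAM. The checks encode what the posts above found:
  - deny=N (or per_user) belongs on the auth pam_tally line; deny= on the
    account line alone did not lock the OP out (post #6);
  - the auth pam_tally line must precede the first 'sufficient' auth module,
    usually pam_unix.so, or a correct password ends the stack before pam_tally
    ever runs (post #10);
  - no_magic_root is not a pam_tally option on RHEL5 (post #5).
"""
from collections import namedtuple

PamLine = namedtuple("PamLine", "lineno type control module args")
TALLY_MODULES = ("pam_tally.so", "pam_tally2.so")


def parse_pam(text):
    """Parse 'type control module [args]' lines. Comments and blank lines are
    skipped; a bracketed control such as [success=1 default=ignore] is kept whole."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 3:
            continue
        if parts[1].startswith("["):
            end = next((i for i, p in enumerate(parts) if p.endswith("]")), 1)
            control, rest = " ".join(parts[1:end + 1]), parts[end + 1:]
        else:
            control, rest = parts[1], parts[2:]
        if rest:
            entries.append(PamLine(lineno, parts[0], control, rest[0], rest[1:]))
    return entries


def check_tally(text):
    """Return a list of (code, message); an empty list means none of the
    known pitfalls is present."""
    entries = parse_pam(text)
    findings = []
    auth = [e for e in entries if e.type == "auth"]
    tally = [e for e in auth if e.module in TALLY_MODULES]
    if not tally:
        return [("no_tally_auth",
                 "no pam_tally line in the auth stack, so failures are never counted")]
    t = tally[0]
    if not any(a.startswith("deny=") or a == "per_user" for a in t.args):
        findings.append(("deny_not_in_auth",
                         "line %d: auth pam_tally has neither deny=N nor per_user; "
                         "deny= on an account line does not lock anyone out" % t.lineno))
    # A 'sufficient' module that succeeds ends the auth stack, so a pam_tally
    # line placed after it is skipped whenever the password is right.
    for e in auth:
        if e.control == "sufficient" and e.lineno < t.lineno:
            findings.append(("tally_after_sufficient",
                             "line %d: 'sufficient' %s precedes pam_tally on line %d"
                             % (e.lineno, e.module, t.lineno)))
            break
    for e in entries:
        if e.module in TALLY_MODULES and "no_magic_root" in e.args:
            findings.append(("no_magic_root",
                             "line %d: no_magic_root is not a pam_tally option on RHEL5"
                             % e.lineno))
    return findings


# Constructed: the OP's two lines dropped into a typical RHEL5 auth stack.
OP_CONFIG = """\
auth     required   pam_env.so
auth     required   pam_tally.so onerr=fail no_magic_root
auth     sufficient pam_unix.so nullok try_first_pass
auth     required   pam_deny.so
account  required   pam_tally.so deny=3 no_magic_root reset
account  required   pam_unix.so
"""

# Constructed: the shape of Jim's working system-auth (tally before sufficient).
WORKING_CONFIG = """\
#%PAM-1.0
auth     required   pam_env.so
auth     required   pam_tally.so per_user deny=3
auth     sufficient pam_unix.so nullok try_first_pass
auth     requisite  pam_succeed_if.so uid >= 500 quiet
auth     required   pam_deny.so
account  required   pam_unix.so
session  [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
"""

# Constructed: the ordering mistake Ladadadada describes.
MISORDERED_CONFIG = """\
auth     required   pam_env.so
auth     sufficient pam_unix.so nullok try_first_pass
auth     required   pam_tally.so onerr=fail deny=3
auth     required   pam_deny.so
account  required   pam_tally.so reset
"""

if __name__ == "__main__":
    for name, cfg in (("OP", OP_CONFIG), ("working", WORKING_CONFIG),
                      ("misordered", MISORDERED_CONFIG)):
        print(name + ":", [msg for _, msg in check_tally(cfg)] or "no known pitfalls")
```

To run it against a live file, pass the contents of /etc/pam.d/system-auth to check_tally(); the codes it returns map directly to the three posts named in the lead-in.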
 
Old 03-17-2011, 05:06 PM   #11
GT3NE1
LQ Newbie
 
Registered: Aug 2004
Posts: 24

Rep: Reputation: 15
Quote:
Originally Posted by Ladadadada
The order that plugins are listed in the pam configuration files matters. In particular, the "auth required pam_tally.so" line must come before the "auth sufficient pam_unix.so" line or it will not lock anyone out, even after they have failed the correct number of login attempts.
Logged in just to say thank you!
 