LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 06-10-2003, 06:30 AM   #1
terminaljunkie
LQ Newbie
 
Registered: Feb 2003
Location: UK
Distribution: Red Hat V9
Posts: 17

Rep: Reputation: 0
pam_tally - Red Hat 9 - Does it work?


I have a RH9 system (also tried with RH7.3) with which I am trying to get a login lock working so that more than 3 tries creates a lock-out on any user that tries a brute force attack.

I read up and found pam_tally was probably the way to go, also that system-auth would be the best place to implement the required 'command' to perform the task.

My system-auth looked like this:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so

password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so

=============================================
I added a line following the last account statement - so it looks as follows:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so

account required /lib/security/$ISA/pam_tally.so deny=3 no_magic_root reset

password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so

============================================
No joy - the pam_tally module definitely exists, as does pam_tally (executable) - but it has no effect.

In the messages file I get this:

Jun 10 12:03:10 miloc0403 sshd(pam_unix)[1742]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.168.2.254 user=testuser
Jun 10 12:03:41 miloc0403 sshd(pam_unix)[1742]: 7 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.168.2.254 user=testuser
Jun 10 12:03:41 miloc0403 sshd(pam_unix)[1742]: service(sshd) ignoring max retries; 8 > 3

It *looks* like something is intercepting the login before the pam_tally and rejecting, so my 'command' never actually gets hit - or is overridden?

Anyone *please* any tips on this - I feel like I'm about to kernel panic.

Thanks in Advance
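As an added example (not from the thread), here is a small Python check that counts the pam_unix failures shown in the messages excerpt above per user and remote host, expanding the "N more authentication failures" summary lines that pam_unix writes instead of one line per attempt, and reports which pairs have reached the deny=3 threshold the post is trying to enforce. The sample log is constructed from the excerpt in the post; the extra line for user "alice" and host 192.168.2.17 is made up.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the /var/log/messages lines quoted in the post.
# The 'alice' line is invented to show a second, below-threshold user.
SAMPLE_LOG = """\
Jun 10 12:03:10 miloc0403 sshd(pam_unix)[1742]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.168.2.254 user=testuser
Jun 10 12:03:41 miloc0403 sshd(pam_unix)[1742]: 7 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.168.2.254 user=testuser
Jun 10 12:03:41 miloc0403 sshd(pam_unix)[1742]: service(sshd) ignoring max retries; 8 > 3
Jun 10 12:05:02 miloc0403 sshd(pam_unix)[1790]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.168.2.17 user=alice
"""

# Matches both the single "authentication failure;" line and the aggregated
# "N more authentication failures;" line; rhost may be empty for local logins.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<service>\w+)\(pam_unix\)\[\d+\]: "
    r"(?:(?P<more>\d+) more )?authentication failures?;.*?"
    r"rhost=(?P<rhost>\S*) user=(?P<user>\S*)"
)


def count_failures(log_text):
    """Return {(user, rhost): failures}, expanding pam_unix's 'N more' summaries."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue  # e.g. the "ignoring max retries" summary line
        n = int(m.group("more")) if m.group("more") else 1
        counts[(m.group("user"), m.group("rhost"))] += n
    return dict(counts)


def over_threshold(counts, deny=3):
    """(user, rhost) pairs whose failure count has reached the deny=N value."""
    return {key: n for key, n in counts.items() if n >= deny}


if __name__ == "__main__":
    totals = count_failures(SAMPLE_LOG)
    for (user, rhost), n in sorted(totals.items()):
        print(f"{user} from {rhost or '(local)'}: {n} failure(s)")
    for (user, rhost), n in over_threshold(totals).items():
        print(f"LOCKOUT CANDIDATE: {user} from {rhost} ({n} >= 3)")
```

Reading the real file instead of the sample is a matter of passing `open("/var/log/messages").read()` to `count_failures`.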
 
Old 06-10-2003, 08:08 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 21,610
Blog Entries: 47

Rep: Reputation: 1413
What does $ISA expand to? I haven't got it down like this, just a /lib/security/<pam_lib> path. Also, I'm using "tally" not in system-auth, but in login, as that's the service you need it for AFAIK. I also got onerr=succeed to not block any. If you want to get verbose PAM messaging to aid your troubleshooting efforts, almost all modules take the "debug" arg.

Btw, you try to log in over ssh as *root*? Whatever your reason for it, I would suggest not doing that but using a proper mechanism like sudo.
 
Old 06-10-2003, 08:21 AM   #3
terminaljunkie
LQ Newbie
 
Registered: Feb 2003
Location: UK
Distribution: Red Hat V9
Posts: 17

Original Poster
Rep: Reputation: 0
Thanks for the reply.

$ISA is set by *authconfig* as far as I can tell - I just mirrored the syntax after trying it without (no difference).

[BTW I am trying to ssh in as testuser, not root - ssh to root is not permitted on *any* systems I use]

The reason I chose the system-auth is because I read (somewhere over the last 24 hours) that login calls system-auth, as do many of the other PAM modules - and if this works, it takes care of them as well!?!?!

My login module (see below) does call system-auth, but perhaps you are right and it is somehow in the wrong order (or some such). I will give login a try.

#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so