LinuxQuestions.org
Old 11-07-2013, 08:37 PM   #1
pantdk
Member
 
Registered: Oct 2011
Location: New Delhi
Posts: 248
Blog Entries: 3

exclude certain users from pam_tally2


Hi All,

I am in the middle of testing and trying to fix the issue.
I have RHEL 6.4 and I am trying to exclude certain users from pam_tally2,
like jboss420. This is a service account, so that type of user shouldn't get locked. Below are my configs; please suggest.

As per the log below, the user is locked after 5 failed attempts. I want the user "test" to be exempted from that setting.


[root@test1 ~]# cat /etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth [success=1 default=ignore] pam_succeed_if.so user in test
auth required pam_tally2.so deny=5 no_magic_root onerr=fail unlock_time=36000 audit
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=5 type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so


[root@test1 ~]# cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_tally2.so deny=5
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_tally2.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
[root@test1 ~]#



Nov 8 08:00:32 test1 sshd[1486]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.56.1 user=test
Nov 8 08:00:34 test1 sshd[1486]: Failed password for test from 192.168.56.1 port 53800 ssh2
Nov 8 08:00:36 test1 sshd[1486]: pam_tally2(sshd:auth): user test (501) tally 8, deny 5
Nov 8 08:00:38 test1 sshd[1486]: Failed password for test from 192.168.56.1 port 53800 ssh2
Nov 8 08:00:40 test1 sshd[1486]: pam_tally2(sshd:auth): user test (501) tally 9, deny 5
Nov 8 08:00:42 test1 sshd[1486]: Failed password for test from 192.168.56.1 port 53800 ssh2
Nov 8 08:00:43 test1 sshd[1486]: pam_tally2(sshd:auth): user test (501) tally 10, deny 5
Nov 8 08:00:45 test1 sshd[1486]: Failed password for test from 192.168.56.1 port 53800 ssh2
Nov 8 08:00:46 test1 sshd[1486]: pam_tally2(sshd:auth): user test (501) tally 11, deny 5
Nov 8 08:00:48 test1 sshd[1486]: Failed password for test from 192.168.56.1 port 53800 ssh2
Nov 8 08:00:53 test1 sshd[1487]: Disconnecting: Too many authentication failures for test
Nov 8 08:00:53 test1 sshd[1486]: Failed password for test from 192.168.56.1 port 53800 ssh2
Nov 8 08:00:53 test1 sshd[1486]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.56.1 user=test
Nov 8 08:00:53 test1 sshd[1486]: PAM service(sshd) ignoring max retries; 5 > 3

[root@test1 ~]# pam_tally2 -u test
Login Failures Latest failure From
test 11 11/08/13 08:00:46 192.168.56.1
[root@test1 ~]#
Regards
pant

Last edited by pantdk; 11-07-2013 at 08:41 PM.
 
Old 11-10-2013, 04:45 PM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

If this is a service account, then why is it uid 501? You should create the account with 'useradd -r ...' or specify an unused system uid (<500) and test again.
 
Old 11-11-2013, 08:48 PM   #3
pantdk
Member
 
Registered: Oct 2011
Location: New Delhi
Posts: 248

Original Poster
Blog Entries: 3

Hi kbp,

Yes, that's good, but I am just doing testing; that's why I created a simple user whose id starts after 500. Logically, if I am using the above setting, then this user should not come under pam_tally2. My concern is that the account should not lock, but here the account is locked after the given number of failed attempts.

Last edited by pantdk; 11-11-2013 at 09:24 PM.
 
Old 11-11-2013, 11:21 PM   #4
pantdk
Member
 
Registered: Oct 2011
Location: New Delhi
Posts: 248

Original Poster
Blog Entries: 3

Hi kbp,

It is resolved now. I have changed the priority of pam_env.so in "auth" and account, and the test user account is not locked.

[root@test1 ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth [success=1 default=ignore] pam_succeed_if.so user in test
auth required pam_tally2.so onerr=fail deny=5 no_magic_root unlock_time=36000 audit
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account required pam_tally2.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=5 type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
[root@test1 ~]#


[root@test1 ~]# cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

auth required pam_env.so
auth [success=1 default=ignore] pam_succeed_if.so user in test
auth required pam_tally2.so onerr=fail deny=5
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account required pam_tally2.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
[root@test1 ~]#



Nov 12 10:40:13 test1 sshd[1563]: pam_succeed_if(sshd:auth): requirement "user in test" was met by user "test"
Nov 12 10:40:13 test1 sshd[1563]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.56.1 user=test
Nov 12 10:40:15 test1 sshd[1563]: Failed password for test from 192.168.56.1 port 51565 ssh2
Nov 12 10:40:19 test1 sshd[1563]: pam_succeed_if(sshd:auth): requirement "user in test" was met by user "test"
Nov 12 10:40:22 test1 sshd[1563]: Failed password for test from 192.168.56.1 port 51565 ssh2
Nov 12 10:40:23 test1 sshd[1563]: pam_succeed_if(sshd:auth): requirement "user in test" was met by user "test"
Nov 12 10:40:25 test1 sshd[1563]: Failed password for test from 192.168.56.1 port 51565 ssh2
Nov 12 10:40:26 test1 sshd[1563]: pam_succeed_if(sshd:auth): requirement "user in test" was met by user "test"
Nov 12 10:40:28 test1 sshd[1563]: Failed password for test from 192.168.56.1 port 51565 ssh2
Nov 12 10:40:29 test1 sshd[1563]: pam_succeed_if(sshd:auth): requirement "user in test" was met by user "test"
Nov 12 10:40:31 test1 sshd[1563]: Failed password for test from 192.168.56.1 port 51565 ssh2
Nov 12 10:40:31 test1 sshd[1563]: pam_succeed_if(sshd:auth): requirement "user in test" was met by user "test"
Nov 12 10:40:34 test1 sshd[1564]: Disconnecting: Too many authentication failures for test
Nov 12 10:40:34 test1 sshd[1563]: Failed password for test from 192.168.56.1 port 51565 ssh2
Nov 12 10:40:34 test1 sshd[1563]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.56.1 user=test
Nov 12 10:40:34 test1 sshd[1563]: PAM service(sshd) ignoring max retries; 6 > 3
Nov 12 10:40:46 test1 sshd[1566]: pam_succeed_if(sshd:auth): requirement "user in test" was met by user "test"
Nov 12 10:40:46 test1 sshd[1566]: Accepted password for test from 192.168.56.1 port 51570 ssh2
Nov 12 10:40:46 test1 sshd[1566]: pam_unix(sshd:session): session opened for user test by (uid=0)
[root@test1 ~]#

[root@test1 ~]# pam_tally2 -u test
Login Failures Latest failure From
test 0
[root@test1 ~]#
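The difference between the two log extracts in this thread comes down to PAM stack control flow: a `[success=1 default=ignore] pam_succeed_if.so user in test` line placed immediately before `pam_tally2.so` makes the stack jump over the tally module for that user, but only in the file the service actually evaluates. On RHEL 6, `/etc/pam.d/sshd` includes `password-auth`, not `system-auth` (check with `grep include /etc/pam.d/sshd`), which is consistent with the tally growing while the exemption existed only in `system-auth` and staying at 0 once it was present in both files. The following Python is an added example, not code from the thread or from Linux-PAM: a toy evaluator of the `auth` lines quoted in the opening post, with simplified stand-ins for the modules and a constructed user database, so the effect of the exemption line can be reasoned about offline.

```python
"""Toy evaluator for a Linux-PAM 'auth' stack (added example, not from the thread).

Models required / requisite / sufficient / optional and the bracketed
[success=N default=ignore] jump, with simplified versions of the modules used
in the thread.  The real modules differ in details (pam_tally2 resets its
counter in the account phase, the bracket syntax knows many more return
values); only the control flow that decides whether pam_tally2 runs matters.
"""
import re

SUCCESS, FAIL = "success", "fail"

# Constructed account database: user -> (uid, password).  Not from the thread.
USERS = {"test": (501, "right-password"), "svcacct": (450, "svc-password")}


class Tally:
    """Per-user failure counters, standing in for /var/log/tallylog."""
    def __init__(self):
        self.counts = {}


def pam_succeed_if(ctx, args):
    """Supports the three conditions that appear in the thread's configs."""
    field, op, val = re.match(r"(user|uid)\s+(in|>=|<)\s+(\S+)", args).groups()
    if field == "user":
        return SUCCESS if ctx["user"] in val.split(",") else FAIL
    uid, limit = ctx["uid"], int(val)
    return SUCCESS if (uid >= limit if op == ">=" else uid < limit) else FAIL


def pam_tally2(ctx, args):
    """Count this auth attempt; fail once the count exceeds deny=N."""
    opts = dict(a.partition("=")[::2] for a in args.split())
    deny = int(opts.get("deny", 0))
    tally = ctx["tally"].counts.get(ctx["user"], 0) + 1
    ctx["tally"].counts[ctx["user"]] = tally
    return FAIL if deny and tally > deny else SUCCESS


def pam_unix(ctx, args):
    return SUCCESS if ctx["password"] == USERS[ctx["user"]][1] else FAIL


MODULES = {
    "pam_succeed_if.so": pam_succeed_if,
    "pam_tally2.so": pam_tally2,
    "pam_unix.so": pam_unix,
    "pam_env.so": lambda ctx, args: SUCCESS,
    "pam_deny.so": lambda ctx, args: FAIL,
}

LINE = re.compile(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")


def run_auth_stack(config_text, user, password, tally):
    """Evaluate the 'auth' lines of a PAM config for one login attempt."""
    entries = [LINE.match(l).groups() for l in config_text.splitlines()
               if l.strip().startswith("auth")]
    ctx = {"user": user, "uid": USERS[user][0], "password": password, "tally": tally}
    final = None       # first failure of a 'required' module is remembered
    i = 0
    while i < len(entries):
        control, module, args = entries[i]
        result = MODULES[module](ctx, args)
        if control.startswith("["):
            # Only success= and default= are modelled; a number means
            # "skip that many following modules".
            opts = dict(kv.split("=") for kv in control.strip("[]").split())
            key = "success" if result == SUCCESS else "default"
            action = opts.get(key, opts.get("default", "ignore"))
            if action.isdigit():
                i += int(action)
            elif action == "die":
                return FAIL
            elif action == "bad" and final is None:
                final = FAIL
        elif control == "required" and result == FAIL and final is None:
            final = FAIL
        elif control == "requisite" and result == FAIL:
            return FAIL
        elif control == "sufficient" and result == SUCCESS and final is None:
            return SUCCESS
        # 'optional' and anything else does not change the outcome
        i += 1
    return final or SUCCESS


# 'auth' sections of the two files as quoted in the opening post.
SYSTEM_AUTH = """
auth [success=1 default=ignore] pam_succeed_if.so user in test
auth required pam_tally2.so deny=5 no_magic_root onerr=fail unlock_time=36000 audit
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
"""
PASSWORD_AUTH = """
auth required pam_tally2.so deny=5
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
"""


def failures_recorded(config_text, user, attempts):
    """Wrong password `attempts` times; return the tally the stack left behind."""
    tally = Tally()
    for _ in range(attempts):
        run_auth_stack(config_text, user, "wrong", tally)
    return tally.counts.get(user, 0)


def locked_out(config_text, user, prior_failures):
    """After `prior_failures` wrong passwords, is the correct one still refused?"""
    tally = Tally()
    for _ in range(prior_failures):
        run_auth_stack(config_text, user, "wrong", tally)
    return run_auth_stack(config_text, user, USERS[user][1], tally) == FAIL


if __name__ == "__main__":
    for name, cfg in (("system-auth", SYSTEM_AUTH), ("password-auth", PASSWORD_AUTH)):
        print(f"{name}: tally for 'test' after 5 failures = "
              f"{failures_recorded(cfg, 'test', 5)}; "
              f"locked out after 11 failures: {locked_out(cfg, 'test', 11)}")
```

Running it shows the stack from `system-auth` leaving the tally at 0 for `test` and never locking that user, while the stack from `password-auth`, which has no exemption line before `pam_tally2.so`, records every failure and refuses the correct password once the count exceeds 5. Note also that the `uid >= 500` requisite check sits after `pam_tally2.so`, so a system uid alone does not stop the counter in these stacks. On a live host, `pam_tally2 -u test` shows the counter and `pam_tally2 -u test -r` clears it.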