LinuxQuestions.org
Old 05-31-2006, 02:16 AM   #1
CharlieCai
LQ Newbie
 
Registered: May 2006
Posts: 7

Rep: Reputation: 0
how to set the login failure times?


Hi all, I want to set login failure times, which enables an admin to specify a maximum number of failed login attempts (n) and a penalty lockout time (x), such that after "n" failed login attempts a user is locked out for "x" seconds.

For example, the policy could dictate 3 failed attempts followed by a 180 second lockout penalty.

I set the policy using the PAM lib, but it still does not work now.

Please tell me how to set up /etc/pam.conf or /etc/pam.d/****

My OS is Red Hat 9.
 
Old 05-31-2006, 11:12 AM   #2
mekump
LQ Newbie
 
Registered: Feb 2006
Distribution: CentOS-4
Posts: 19

Rep: Reputation: 0
Hello,

I am not sure about RH9, but CENTOS 4.2 contains a command called faillog which provides an option to lock out users after "max" failed login attempts.

Mike
 
Old 05-31-2006, 08:06 PM   #3
CharlieCai
LQ Newbie
 
Registered: May 2006
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by mekump
Hello,

I am not sure about RH9, but CENTOS 4.2 contains a command called faillog which provides an option to lock out users after "max" failed login attempts.

Mike
Hi,
I think your information is valuable to me. Could you give me detailed information about the command? Thanks.

Last edited by CharlieCai; 05-31-2006 at 08:08 PM.
 
Old 05-31-2006, 09:25 PM   #4
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,225

Rep: Reputation: 2021
See
man faillog
although RH9 is a very very old version and may not have it. Also, you can't get security updates etc.
Recommend you move up to RH Fedora Core 5 (http://fedora.redhat.com/Download/) or grab a copy of Centos http://www.centos.org/ .
 
Old 05-31-2006, 11:46 PM   #5
CharlieCai
LQ Newbie
 
Registered: May 2006
Posts: 7

Original Poster
Rep: Reputation: 0
But I think PAM is enough to set this; the parameter settings or the sequence I set are not OK. I will try it. If anyone has enabled this policy, could you let me reference the /etc/pam.d/login file?
 
Old 06-01-2006, 01:29 AM   #6
jayakrishnan
Member
 
Registered: Feb 2002
Location: India
Distribution: Slacky 12.1, XP
Posts: 991

Rep: Reputation: 30
The faillog command doesn't allow you to set for how much time the account will be disabled; you can only set the number of failed logins before the account is locked.
 
Old 06-01-2006, 02:28 AM   #7
CharlieCai
LQ Newbie
 
Registered: May 2006
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by jayakrishnan
The faillog command doesn't allow you to set for how much time the account will be disabled; you can only set the number of failed logins before the account is locked.
Firstly I used the faillog command to set, for all users, max 0 and lock time 0:
faillog -a -m 0 -l 0
Then I set /etc/pam.d/login:

#%PAM-1.0
#auth required pam_securetty.so
auth required pam_pwdb.so shadow nullok
auth required pam_nologin.so
account required pam_pwdb.so
account required pam_tally.so deny=2 lock_time=180 no_magic_root
password required pam_cracklib.so
password required pam_pwdb.so shadow nullok use_authtok
session required pam_pwdb.so

But it does not work.

I don't know why.

I will try it again; could someone give me advice?
 
Old 06-05-2006, 06:18 AM   #8
CharlieCai
LQ Newbie
 
Registered: May 2006
Posts: 7

Original Poster
Rep: Reputation: 0
Now I made it.
This is the /etc/pam.d/login.conf
# Charlie 2226.06.05
auth required pam_tally.so onerr=fail no_magic_root
auth required pam_pwdb.so shadow nullok
auth required pam_nologin.so

account required pam_pwdb.so
account required pam_tally.so onerr=fail per_user deny=2 lock_time=120 no_magic_root reset

password required pam_cracklib.so
password required pam_pwdb.so shadow nullok use_authtok

session required pam_pwdb.so

Thanks all
 
Old 06-05-2006, 07:17 AM   #9
wuicci
LQ Newbie
 
Registered: May 2006
Posts: 3

Rep: Reputation: 0
Hi Charlie,
I have the same problem and I tried with your /etc/pam.d/login file, but it doesn't work for me, so I would like to know which version of pam are you using, and if you have modified the file /etc/pam.d/system-auth or any other file.

Thanks in advance,

Angela

PS. I have RedHat 9.C with pam 0.75-48
 
Old 06-14-2006, 03:27 AM   #10
CharlieCai
LQ Newbie
 
Registered: May 2006
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by wuicci
Hi Charlie,
I have the same problem and I tried with your /etc/pam.d/login file, but it doesn't work for me, so I would like to know which version of pam are you using, and if you have modified the file /etc/pam.d/system-auth or any other file.

Thanks in advance,

Angela

PS. I have RedHat 9.C with pam 0.75-48
I made a mistake in this.
With the configuration below I can only control the silent time for which the user is locked, but not close the session.
Code:
#%PAM-1.0
#this file was modified by Charlie.
#add start for silent time
auth       required     pam_tally.so    deny=2 unlock_time=60 no_lock_time
#add end for silent time

auth       required     pam_pwdb.so     shadow nullok
auth       required     pam_nologin.so

account    required     pam_pwdb.so
#add start for silent time
account    required     pam_tally.so
#add end for silent time
account    required     pam_pwdb.so

password   required     pam_cracklib.so
password   required     pam_pwdb.so shadow nullok use_authtok
         
session    required     pam_pwdb.so



Now I am busy trying shadow-4.0.16. It was just released on Jun 4 and adds a new function to control the login session.

login.c of shadow-4.0.16 supports /etc/login.defs.

It has two macros that are useful for us.

LOGIN_RETRIES 3
LOGIN_TIMEOUT 20


That is all my work for now.
If you make more progress, please let me know.
Thanks.
 
Old 06-15-2006, 07:23 AM   #11
CharlieCai
LQ Newbie
 
Registered: May 2006
Posts: 7

Original Poster
Rep: Reputation: 0
The PAM version must be >= 0.79

I used PAM 0.80.
You can get the version from this link:

http://www.kernel.org/pub/linux/libs/pam/pre/library/
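
Added example, not part of any post in this thread: a small lint that shows the structural difference between the configuration in post #7 (pam_tally only in the account stack) and the ones in posts #8 and #10 (pam_tally in both auth and account). pam_tally counts failed attempts in its auth component, so a file with no auth entry never increments the counter. The function name, the verdict labels and the trimmed sample inputs are assumptions made for this example.

```shell
#!/bin/sh
# pam_tally_lint: read a PAM service file (argument or stdin) and print
#   auth=<yes|no> account=<yes|no> deny=<n|unset> window=<opt|unset> verdict=<label>
# Assumes the classic "type control module args..." layout with a one-word
# control field (required, requisite, ...), as used in the thread.
pam_tally_lint() {
    awk '
        $1 ~ /^#/ || NF < 3 { next }            # skip comments and short lines
        $3 ~ /pam_tally\.so$/ {
            seen[$1] = 1                        # remember which stack holds it
            for (i = 4; i <= NF; i++) {
                if ($i ~ /^deny=/) deny = substr($i, 6)
                if ($i ~ /^(lock_time|unlock_time)=/) window = $i
            }
        }
        END {
            auth = ("auth" in seen) ? "yes" : "no"
            acct = ("account" in seen) ? "yes" : "no"
            if (auth == "no")      verdict = "uncounted"  # failures never counted
            else if (deny == "")   verdict = "no-deny"    # counted, no threshold
            else if (window == "") verdict = "no-window"  # threshold, no timed lock
            else                   verdict = "ok"
            if (deny == "")   deny = "unset"
            if (window == "") window = "unset"
            printf "auth=%s account=%s deny=%s window=%s verdict=%s\n",
                   auth, acct, deny, window, verdict
        }
    ' "$@"
}

# Sample inputs: auth/account lines trimmed from posts #7 and #10 of the thread.
post7() { pam_tally_lint <<'EOF'
auth required pam_pwdb.so shadow nullok
auth required pam_nologin.so
account required pam_pwdb.so
account required pam_tally.so deny=2 lock_time=180 no_magic_root
EOF
}
post10() { pam_tally_lint <<'EOF'
auth       required     pam_tally.so    deny=2 unlock_time=60 no_lock_time
auth       required     pam_pwdb.so     shadow nullok
account    required     pam_pwdb.so
account    required     pam_tally.so
EOF
}

post7
post10
```

On a live system the same function can be pointed at a file, for example `pam_tally_lint /etc/pam.d/login`.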
 
  

