Hi all, i want set login failure times, which enables admin to specify a maximum number of failed login attempts (n) and a penalty lockout time (x), such that after "n" failed login attempts a user is locked out for "x" seconds .

For example, the policy could dictate 3 failed attempts followed by a 180 second lockout penalty.

I set the policy uses pam Lib, but it still does not work now.

Please told me how to setting the /etc/pam.conf or /etc/pam.d/****

My OS is redhat 9.

Hello,

I am not sure about RH9, but CENTOS 4.2 contains a command called faillog which provides an option to lock out users after "max" failed login attempts.

Mike

hi
I think, your information is valuable to me. Could you give me the detail information about the command. Thanks.

See
man faillog
although RH9 is a very very old version and may not have it. Also, you can't get security updates etc.
Recommend you move up to RH Fedora Core 5 (http://fedora.redhat.com/Download/) or grab a copy of Centos http://www.centos.org/ .

but i think the PAM is enough to set this, the parameters setting or sequences i setting is not OK. i will try it. if any one who enable this policy, could you let me reference the /etc/pam.d/login file.

faillog command doesnt allow u to set for how much time the account will be disabled , u can only set the number of failed logins before the account is locked

Firstly I used the faillog command to set all the user max 0, lock time 0
faillog -a -m 0 -l 0
then i set the /etc/pam.d/login

#%PAM-1.0
#auth required pam_securetty.so
auth required pam_pwdb.so shadow nullok
auth required pam_nologin.so
account required pam_pwdb.so
account required pam_tally.so deny=2 lock_time=180 no_magic_root
password required pam_cracklib.so
password required pam_pwdb.so shadow nullok use_authtok
session required pam_pwdb.so

but it does not work.

i don't know why?

i will try it again, someone could give me advice?

Now I made it.
This is the /etc/pam.d/login.conf
# Charlie 2226.06.05
auth required pam_tally.so onerr=fail no_magic_root
auth required pam_pwdb.so shadow nullok
auth required pam_nologin.so

account required pam_pwdb.so
account required pam_tally.so onerr=fail per_user deny=2 lock_time=120 no_magic_root reset

password required pam_cracklib.so
password required pam_pwdb.so shadow nullok use_authtok

session required pam_pwdb.so

Thanks all

Hi Charlie,
I have the same problem and I tried with your /etc/pam.d/login file, but it doesn't work for me, so I would like to know which version of pam are you using, and if you have modified the file /etc/pam.d/system-auth or any other file.

Thanks in advance,

Angela

PS. I have RedHat 9.C with pam 0.75-48

I made a mistake in this.
I just can control the silent time that the lock the user in the configure as blow: but not close the session.



Now i am busy trying the shadow-4.0.16. It was just released at Jun 4. and add new function to contol the login session.

login.c of shadow-4.0.16 support /etc/login.defs.

It has two macro is useful for us.

LOGIN_RETRIES 3
LOGIN_TIMEOUT 20


It is all my work now.
if you get more progress, please let me know.
Thanks.

The PAM version must >= 0.79

I used the pam 0.80
you can get the version from this link:

http://www.kernel.org/pub/linux/libs/pam/pre/library/