I'm trying to grasp a better understanding of PAM configuration in Red Hat. Our policies are all normally set in /etc/pam.d/system-auth-ac, but I've discovered that account lockouts don't really seem to be getting enforced for incoming ssh connections.
So I did a little research, and found this page. I tested it, and sure enough pam_tally2 works great now. I always thought Linux account lockouts went to /etc/shadow before this, similar to Unix. Now I've learned it tracks it all by the pam_tally2 outside of /etc/shadow and our lockout policies actually haven't been working.
My question is that after reading the pages below I'm finding I now have more questions than I started with.
1. Red Hat PAM documentation
2. Red Hat PAM configuration files
3. serverfault - login vs system-auth
4. More login vs system-auth discussion
My question is that in a lot of my reading I see a lot of conflicting information on when to use the /etc/pam.d/system-auth and/or the /etc/pam.d/password-auth files, and/or /etc/pam.d/sshd. Even Red Hat's documentation doesn't explain it well. What are the true purposes of each of these files in relation to each other?
Inquiring minds want to know...
Thanks!