LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 05-25-2014, 04:27 PM   #1
antriksh
Member
 
Registered: Aug 2010
Location: In my world
Distribution: Oracle Linux 6
Posts: 83

Rep: Reputation: 0
Post SSH Lockout not working using pam in RHEL6


Hi,

I am trying to configure ssh lockout for a user in RHEL6.4. I Have updated below entries in /etc/pam.d/password-auth:

auth required pam_tally2.so deny=3 onerr=fail unlock_time=900
account required pam_tally2.so

Now if i give wrong password for a user when trying to ssh to server it disconnects after 3 attempts. But after that when i again try to login giving correct password it just logs me in. Ideally it should not as i have mentioned unlock_time=900 ie 15 minutes wait time so it should not allow me to attempt to ssh for next 15 mins.

Any idea what is wrong?
 
Old 05-25-2014, 04:37 PM   #2
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,284

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
The effect that a PAM module has depends where on the stack it is placed. Can you post your full auth stack? If the authentication attempt was already allowed to succeed before pam_tally is invoked, then the pam_tally rule will have no effect.
 
Old 05-25-2014, 04:40 PM   #3
antriksh
Member
 
Registered: Aug 2010
Location: In my world
Distribution: Oracle Linux 6
Posts: 83

Original Poster
Rep: Reputation: 0
Hi,

/etc/pam.d/password-auth :

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
auth required pam_tally2.so deny=3 onerr=fail unlock_time=900

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
account required pam_tally2.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
 
Old 05-25-2014, 06:58 PM   #4
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,284

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Exactly as I suspected- you put the pam_tally2.so line at the end of the auth stack AFTER the lines:

Code:
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
The "auth sufficient" line basically means "if the user types the correct password (pam_unix) then let them in without doing any further checks in the PAM stack." If that module succeeds, then pam_tally2 will never be called in your current set-up. You can fix this by putting the pam_tally2 requirement before the pam_unix check. You would need to make a similar change for the account stack. I'd suggest consulting PAM documentation since PAM can behave in sometimes strange and conter-intuitive ways as you've seen.

Note that simply changing "pam_unix" from "sufficient" to "required" will lock everyone out of your box. The reason for this is the requisite "pam_deny" call in the stack, which always refuses authentication. Because pam_unix is set as "sufficient", this call is skipped when the user types in a successful password. Another way of solving this, I think, would be to change pam_unix from "sufficient" to "required", move the pam_tally2 call directly above the pam_deny call, and change pam_tally2 from "required" to "sufficient".

As a final note, do be aware of the comment in /etc/pam.d/password-auth -- if you run authconfig on your system, the content of the file do get over-written by Red Hat's ever-so-helpful utilities.

Last edited by btmiller; 05-25-2014 at 07:00 PM.
 
  


Reply

Tags
pam


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Configure PAM for account lockout on 3 failed attempts RHEL 6.4 bkeiser Linux - Security 3 05-25-2013 09:59 PM
Account lockout with PAM thllgo Linux - Security 1 04-22-2009 03:54 PM
logins are not working ---SSH+ pam _winbind srikanthrao_d Linux - Enterprise 0 01-28-2009 03:45 AM
Set account lockout without using pam HelpMe2877 Linux - Security 4 12-03-2008 04:05 PM
NISPOM Security: PAM account lockout and XScreenSaver Settings ElvisImprsntr Linux - Newbie 3 09-26-2007 07:44 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 01:24 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration