LinuxQuestions.org
Old 10-28-2015, 11:35 AM   #1
schedar
LQ Newbie
 
Registered: Apr 2015
Location: Poland
Distribution: Centos 7
Posts: 16

Rep: Reputation: Disabled
[RHEL] pam_tally2 automatic unlock


Hello All,

On my machines I have the pam_tally2 module, which locks an account after 3 consecutive failed logon attempts. I would like the account to be automatically unlocked after 10 minutes instead of using 'pam_tally2 -u user -r'.
I would like to find out if there is any security risk in doing that, provided that the servers have to meet the highest security standards. Would you be able to point me in the right direction?

PAM requires a strong password, so a dictionary attack doesn't seem to be an issue, but I don't know for sure.

Would be grateful for any advice.
Cheers!
 
Old 10-29-2015, 02:25 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
If you first implement a policy by locking an account after 3 consecutive failed logon attempts then doesn't requesting automagical unlocking completely subvert that same policy?..
 
Old 10-29-2015, 07:26 AM   #3
sgrlscz
Member
 
Registered: Aug 2008
Posts: 123

Rep: Reputation: 84
Quote:
Originally Posted by unSpawn
If you first implement a policy by locking an account after 3 consecutive failed logon attempts then doesn't requesting automagical unlocking completely subvert that same policy?..
Not really. The account isn't automatically unlocked 10 minutes after it gets locked. It would be unlocked 10 minutes after the last login attempt after it was locked. So, if someone keeps trying to access the account, even with the correct password, the unlock timer keeps resetting, and the account won't unlock until 10 minutes after login attempts stop.
 
Old 10-29-2015, 07:39 AM   #4
sgrlscz
Member
 
Registered: Aug 2008
Posts: 123

Rep: Reputation: 84
Quote:
Originally Posted by schedar
Hello All,

On my machines I have the pam_tally2 module, which locks an account after 3 consecutive failed logon attempts. I would like the account to be automatically unlocked after 10 minutes instead of using 'pam_tally2 -u user -r'.
I would like to find out if there is any security risk in doing that, provided that the servers have to meet the highest security standards. Would you be able to point me in the right direction?

PAM requires a strong password, so a dictionary attack doesn't seem to be an issue, but I don't know for sure.

Would be grateful for any advice.
Cheers!
There shouldn't be any additional risk as long as you set the silent option as well.

Since the unlock time is based on the last login attempt after the lock, if someone keeps trying to access the account, the account will remain locked until 10 minutes after the attempts stop. A system admin might just unlock the account without checking if someone is currently trying to break in.
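The sliding-window behaviour described in the two replies above is easy to get wrong when reasoning about lockout policy, so here is an added example (not code from the thread or from pam_tally2 itself) that models the deny=/unlock_time= semantics of pam_tally2(8): every attempt bumps the tally and records its time before the password is checked, access is denied once the tally exceeds deny, and the lock lifts only when unlock_time seconds have passed since the previous attempt. It is run side by side with the "fixed window from the moment of locking" policy people usually assume. The class and field names are ours, the scenario timings are constructed, and the exact tally value after an expired window is an approximation of the real module.

```python
"""Simplified model of pam_tally2 deny=/unlock_time= behaviour (added example)."""
from dataclasses import dataclass

BAD_PASSWORD, LOCKED, OK = "BAD_PASSWORD", "LOCKED", "OK"


@dataclass
class Tally:
    """Per-user record, the two fields pam_tally2 keeps in its tally file."""
    fail_cnt: int = 0
    fail_time: int = 0   # epoch seconds of the most recent attempt


class LockoutStack:
    """One user's auth+account stack with deny= and unlock_time=."""

    def __init__(self, deny=3, unlock_time=600, sliding=True):
        self.deny = deny
        self.unlock_time = unlock_time
        self.sliding = sliding      # True: pam_tally2 semantics; False: fixed window
        self.tally = Tally()
        self.locked_at = None       # used only by the fixed-window model

    def attempt(self, now, password_ok):
        t = self.tally
        previous = t.fail_time
        # auth phase: the tally is bumped on *every* call, before pam_unix
        # ever looks at the password, so a correct password still counts here
        t.fail_cnt += 1
        t.fail_time = now
        if t.fail_cnt > self.deny:
            if self.locked_at is None:
                self.locked_at = now
            since = previous if self.sliding else self.locked_at
            if not self.unlock_time or now <= since + self.unlock_time:
                return LOCKED       # unlock_time=0: locked until 'pam_tally2 -r'
            # window expired: start over, counting this attempt (approximation)
            t.fail_cnt = 1
            self.locked_at = None
        if not password_ok:
            return BAD_PASSWORD     # the tally stays incremented
        # account phase: a successful login resets the tally
        t.fail_cnt = 0
        self.locked_at = None
        return OK


# Constructed scenario (seconds, password correct?): three wrong passwords,
# then whoever is at the keyboard keeps retrying with the right one.
SCENARIO = [(0, False), (10, False), (20, False),
            (30, True), (500, True), (1000, True), (1700, True)]


def run(scenario=SCENARIO, deny=3, unlock_time=600, sliding=True):
    stack = LockoutStack(deny, unlock_time, sliding)
    return [stack.attempt(now, ok) for now, ok in scenario]


if __name__ == "__main__":
    for name, sliding in (("pam_tally2 (window restarts on every attempt)", True),
                          ("fixed window from the moment of locking", False)):
        print(name)
        for (now, ok), result in zip(SCENARIO, run(sliding=sliding)):
            print(f"  t={now:5d}s password_ok={str(ok):5} -> {result}")
```

With deny=3 and unlock_time=600, the fixed-window model lets the correct password in at t=1000 (970 s after the lock), while the pam_tally2 model is still locked there because only 500 s have passed since the previous attempt; it opens again only at t=1700. That is the point made above: as long as someone keeps hammering the account, it stays locked.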
 
Old 10-29-2015, 03:36 PM   #5
schedar
LQ Newbie
 
Registered: Apr 2015
Location: Poland
Distribution: Centos 7
Posts: 16

Original Poster
Rep: Reputation: Disabled
Okay, how about the 10 min. period? From the user's perspective it should be the shortest period. From the attacker's perspective it should be the longest. How can I justify 10 min. but not, for example, 5 min.? Or is the difference so marginal that 5 min. is still ok?
 
Old 10-29-2015, 03:48 PM   #6
ron7000
Member
 
Registered: Nov 2007
Location: CT
Posts: 248

Rep: Reputation: 26
http://www.cyberciti.biz/tips/lock-u...-attempts.html

^^ They say to edit the "system-auth" file. For me in SLES it is /etc/pam.d/login.
In mine I put the following line at the beginning of that file.

auth required pam_tally.so onerr=fail deny=3 unlock_time=600


deny=3 locks the account after 3 failed attempts, and 600 is 10 minutes.
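The single line above does the counting, but where it sits in the stack and what accompanies it decide whether the lock actually bites. Here is an added checker (not from the thread, not part of pam_tally2) that parses a pam.d-style stack and flags the usual mistakes: the pam_tally2 auth line placed after a `sufficient` authenticator (a correct password then ends the stack before the tally is consulted, so a locked account still logs in), deny= or unlock_time= missing, onerr=succeed failing open, no `silent` (so the "Account locked due to N failed logins" prompt advertises the lock), and no pam_tally2 account line (so successful logins never reset the tally). The two sample stacks are constructed in the style of a CentOS 7 system-auth; the set of authenticator modules it looks for is our assumption.

```python
"""Sanity check of a pam_tally2 lockout stack (added example)."""
import re

# Modules whose success, under 'sufficient', ends the auth stack early (assumed list).
AUTHENTICATORS = {"pam_unix.so", "pam_sss.so", "pam_ldap.so", "pam_krb5.so"}


def parse_stack(text):
    """Return (type, control, module, args) for each non-comment line."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # control may be the bracketed form, e.g. [success=1 default=bad]
        m = re.match(r"(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            rows.append(m.groups())
    return rows


def parse_args(argstr):
    """'deny=3 silent' -> {'deny': '3', 'silent': True}"""
    args = {}
    for tok in argstr.split():
        key, _, value = tok.partition("=")
        args[key] = value if value else True
    return args


def check_tally2(text):
    """Return a list of findings; an empty list means the stack looks sane."""
    rows = parse_stack(text)
    findings = []
    auth = [r for r in rows if r[0] == "auth"]
    tally = [i for i, r in enumerate(auth) if r[2] == "pam_tally2.so"]
    if not tally:
        return ["no pam_tally2.so auth line: failures are never counted"]
    idx = tally[0]
    args = parse_args(auth[idx][3])
    for _, control, module, _ in auth[:idx]:
        if control == "sufficient" and module in AUTHENTICATORS:
            findings.append(f"pam_tally2.so auth line comes after 'sufficient {module}': "
                            "a correct password ends the stack before the tally is checked")
            break
    if "deny" not in args:
        findings.append("deny= missing: the tally is kept but never enforced")
    if "unlock_time" not in args:
        findings.append("unlock_time= missing: the lock persists until 'pam_tally2 -r'")
    if args.get("onerr") == "succeed":
        findings.append("onerr=succeed: an error reading the tally file fails open")
    if "silent" not in args:
        findings.append("silent missing: 'Account locked due to N failed logins' "
                        "tells the caller a lock is in effect")
    if not any(r[0] == "account" and r[2] == "pam_tally2.so" for r in rows):
        findings.append("no pam_tally2.so account line: successful logins never reset the tally")
    return findings


# Constructed sample: the lockout line bolted on below pam_unix, as often seen.
BAD_STACK = """
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_tally2.so deny=3 onerr=succeed
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
"""

# Constructed sample: tally line first, both phases present, silent set.
GOOD_STACK = """
auth        required      pam_env.so
auth        required      pam_tally2.so deny=3 unlock_time=600 onerr=fail silent
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_tally2.so
account     required      pam_unix.so
"""

if __name__ == "__main__":
    for name, stack in (("BAD_STACK", BAD_STACK), ("GOOD_STACK", GOOD_STACK)):
        print(name, check_tally2(stack) or ["ok"])
```

Two practitioner caveats for the OP's CentOS 7 case: sshd includes password-auth rather than system-auth, so the lines belong in both files, and those files are symlinks to the `-ac` variants that authconfig rewrites, so a later authconfig run can silently drop the lockout again. After changing the stack, `pam_tally2 --user <name>` shows the current count and the time of the latest failure, which is what an admin should look at before resetting anything by hand.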
 
Old 10-30-2015, 05:42 AM   #7
sgrlscz
Member
 
Registered: Aug 2008
Posts: 123

Rep: Reputation: 84
I've generally seen anywhere from 5 minutes to 60 minutes, with 10 minutes seeming to be the most common, which I suspect is because it seems to be used in a lot of examples. Often, the unlock time was dictated by corporate policies, so we didn't really have any choice.

In my experience, as long as the users' expectations are set correctly, they adjust ok to whatever time you use.
 
Old 10-31-2015, 08:15 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by schedar
I would like to find out if there is any security risk in doing that provided that servers have to have the highest security standards.
If locking is a mechanism to deny tampering then automatic unlocking does pose a risk because you simply re-enable the interface. Especially worrying if policy documents may say "highest security standards" and "strong password" but those aren't enforced and audited against, services with weak auth methods are still accessible or users (admins are users too) find ways to subvert or ignore things, etc, etc. I'd confine automatic unlocking to situations where additional measures are already in place like private lans and ensure logins do not give access to services and data you'd have problems explaining once exfiltrated. And indeed, if this is a company or institutional setting, then company policies / compliance regulations should dictate what's allowed and what not: none of the systems I'm responsible for do, or will ever, allow any such automatic unlocking.
 
  

