LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 02-11-2010, 03:07 PM   #1
mccartjd
Member
 
Registered: Apr 2008
Posts: 108

Rep: Reputation: 15
Config /etc/pam.d/system-auth for account Lockout and Password Minimum


I am using RHEL 5 Server and trying to set up the /etc/pam.d/system-auth file so that when users log in on the workstation their account is locked after 3 failed attempts.

Using the NSA guide I performed the below:

changed below lines -

password requisite pam_cracklib.so try_first_pass retry=3
TO
password required pam_cracklib.so try_first_pass retry=3 minlen=8 \
dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0

changed below lines -

auth sufficient pam_unix.so nullok try_first_pass
TO
auth required pam_unix.so nullok try_first_pass

deleted below lines -

auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

added below lines -

auth required pam_tally2.so deny=5 onerr=fail

added below lines -

account required pam_tally2.so

The account lockout feature works (the screen notifies the user that the account is locked), but my root keeps getting locked out, so I have to boot from the CD-ROM and recover the file. How can I prevent my root from getting locked?
 
Old 02-12-2010, 06:44 PM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Read here:
/usr/share/doc/pam-0.99.6.2/txts/README.pam_tally2

And let's see your entire /etc/pam.d/system-auth file contents (in code tags). It's not supposed to work the way you are describing. You could set magic_root but that shouldn't be necessary...
 
Old 02-18-2010, 08:42 AM   #3
mccartjd
Member
 
Registered: Apr 2008
Posts: 108

Original Poster
Rep: Reputation: 15
Problem identified and fixed

The reference to /usr/share/doc/pam-0.99.6.2/txts/README.pam_tally2
is awesome! What I found is that the order in which you enter your options is critical. Apparently you must add your options in the sequence outlined in the file README.pam_tally2. Also I found there is no need to add anything to ensure root is NOT locked out. I have managed so far to lock out an account for a period of 5 minutes, and it was reset automatically. I also attempted to force root to lock out and so far have not been able to at the console (which is good). I did not have to type any special comments to ensure root did not lock out.

Advice to new users who read the attached document: when in a specific category, like "auth", enter your options and variables in the sequence outlined in this document. Example:

auth required pam_tally2.so deny=5 unlock_time=300

Don't try pam_tally2.so unlock_time=300 deny=5

A million thanks, anomie.

Take care,
Johnny Mac
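As an added example (not code from this thread or from the pam_tally2 project), a small Python checker for the pam_tally2 lines in a system-auth stack: it parses the PAM 'type control module args' line format, checks that pam_tally2 appears in both the auth and account phases with deny= and unlock_time= set, flags a tally line placed after a sufficient module, and reports whether root is exempt (pam_tally2 denies root only when even_deny_root is given). The two sample stacks are constructed for the example.

```python
def parse_pam(text):
    # Parse 'type control module [args]' lines into (type, control, module, opts):
    # joins backslash continuations, drops comments, keeps a [bracketed] control whole.
    entries = []
    for raw in text.replace("\\\n", " ").splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        ptype = tokens[0].lstrip("-").lower()  # a leading '-' marks an optional module
        if tokens[1].startswith("["):
            end = next(i for i, t in enumerate(tokens) if t.endswith("]"))
            control, rest = " ".join(tokens[1:end + 1]), tokens[end + 1:]
        else:
            control, rest = tokens[1], tokens[2:]
        opts = dict(arg.partition("=")[::2] for arg in rest[1:])
        entries.append((ptype, control, rest[0].rsplit("/", 1)[-1], opts))
    return entries

def check_lockout(text):
    # Report the effective pam_tally2 policy and anything that defeats it.
    entries = parse_pam(text)
    auth = [e for e in entries if e[0] == "auth"]
    tally = [i for i, e in enumerate(auth) if e[2] == "pam_tally2.so"]
    opts = auth[tally[0]][3] if tally else {}
    problems = []
    if not tally:
        problems.append("no auth pam_tally2 line: failed logins are never counted")
    elif any(e[1] == "sufficient" for e in auth[:tally[0]]):
        # A succeeding 'sufficient' module ends the auth stack, so a tally line placed
        # after it is skipped when the password is right: a locked account still logs in.
        problems.append("pam_tally2 after a sufficient auth module: lockout bypassed")
    if not any(e[0] == "account" and e[2] == "pam_tally2.so" for e in entries):
        problems.append("no account pam_tally2 line: counter never reset on success")
    for opt in ("deny", "unlock_time"):
        if opt not in opts:
            problems.append(f"{opt}= missing")
    return {"deny": int(opts["deny"]) if opts.get("deny") else None,
            "unlock_time": int(opts["unlock_time"]) if opts.get("unlock_time") else None,
            "root_exempt": "even_deny_root" not in opts,  # root denied only with even_deny_root
            "problems": problems}

# Constructed sample stacks (not copied from any host): the weak one counts failures
# but lets a correct password through the lock and never expires it.
WEAK = ("auth sufficient pam_unix.so nullok try_first_pass\n"
        "auth required pam_tally2.so deny=5 onerr=fail\n")
FIXED = ("auth required pam_tally2.so deny=5 onerr=fail unlock_time=300\n"
         "auth sufficient pam_unix.so nullok try_first_pass\n"
         "auth required pam_deny.so\n"
         "account required pam_tally2.so\n"
         "account required pam_unix.so\n")
```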
 
Old 02-18-2010, 08:45 AM   #4
mccartjd
Member
 
Registered: Apr 2008
Posts: 108

Original Poster
Rep: Reputation: 15
One more thing

In my post above a [i] got added, so ignore the [i] where you see it, as seen in full below:

auth required pam_tally2.so [i]deny=5 unlock_time=300