Old 02-11-2010, 03:07 PM   #1
Registered: Apr 2008
Posts: 108

Rep: Reputation: 15
Config /etc/pam.d/system-auth for account Lockout and Password Minimum

I am using RHEL 5 Server and trying to set up the /etc/pam.d/system-auth file so that when users log in on the workstation their account is locked after 3 failed attempts.

Using the NSA guide I performed the below:
changed below lines -

password requisite try_first_pass retry=3
password required try_first_pass retry=3 minlen=8 \
dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0

changed below lines -
auth sufficient nullok try_first_pass
auth required nullok try_first_pass

deleted below lines -
auth requisite uid >=500 quiet
auth required

added below lines -
auth required deny=5 onerr=fail

added below lines -
account required

The account lockout feature works (the screen notified the user that the account is locked), but my root keeps getting locked out, so I have to boot from the CD-ROM and recover the file. How can I prevent my root from getting locked?
Old 02-12-2010, 06:44 PM   #2
Senior Member
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Read here:

And let's see your entire /etc/pam.d/system-auth file contents (in code tags). It's not supposed to work the way you are describing. You could set magic_root but that shouldn't be necessary...
Old 02-18-2010, 08:42 AM   #3
Registered: Apr 2008
Posts: 108

Original Poster
Rep: Reputation: 15
Problem identified and fixed

The reference to /usr/share/doc/pam-
is awesome! What I found is that the order in which you enter your options is critical. Apparently you must add your options in the sequence outlined in the file README.pam_tally2. Also, I found there is no need to add anything to ensure root is NOT locked out. I have managed so far to lock out an account for a period of 5 minutes, and it was reset automatically. I also attempted to force root to lock out and so far have not been able to at the console (which is good). I did not have to type any special options to ensure root did not lock out.

Advice to new users who read the attached document: when in a specific category, like "auth", enter your options and variables in the sequence outlined in this document. Example:

auth required [I]deny=5 unlock_time=300

Don't try unlock_time=300 deny=5

A million thanks, anomie.

Take care,
Johnny Mac
Old 02-18-2010, 08:45 AM   #4
Registered: Apr 2008
Posts: 108

Original Poster
Rep: Reputation: 15
One more thing

In my post above a [i] got added so ignore where you see the [i] as seen in full below:

auth required [i]deny=5 unlock_time=300

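The thread settles on an auth-phase pam_tally2 line with deny and unlock_time, an account-phase pam_tally2 line, and the question of whether root can be locked out. The script below is an added example (not code from the thread or from Linux-PAM) that reads a system-auth style file and reports those settings; it assumes pam_tally2.so is the module in use, and the sample file it parses is constructed here.

```shell
#!/bin/sh
# Added example, not code from the thread: report the pam_tally2 lockout policy
# found in a system-auth style file. Assumes pam_tally2.so is the module (the
# thread cites README.pam_tally2); pam_tally2 spares root unless even_deny_root
# is set, and magic_root stops counting attempts made by uid 0.

# Print each option token (e.g. deny=5) following pam_tally2.so on the auth line.
tally2_auth_opts() {
    awk '$1 == "auth" && /pam_tally2\.so/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /pam_tally2\.so$/) { for (j = i + 1; j <= NF; j++) print $j; exit }
         }' "$1"
}

# Value of one key=value option from that line, or "unset" when absent.
tally2_opt() {
    tally2_auth_opts "$1" | awk -F= -v k="$2" '$1 == k { print $2; f = 1 } END { if (!f) print "unset" }'
}

# "yes" if a bare flag such as even_deny_root or magic_root is present, else "no".
tally2_has_flag() {
    if tally2_auth_opts "$1" | grep -qx "$2"; then echo yes; else echo no; fi
}

# "yes" if the account-phase pam_tally2.so line (resets the count on success) exists.
tally2_account_line() {
    if grep -Eq '^[[:space:]]*account[[:space:]].*pam_tally2\.so' "$1"; then echo yes; else echo no; fi
}

# Verdict on whether this configuration can lock out root.
tally2_root_risk() {
    if [ "$(tally2_has_flag "$1" even_deny_root)" = yes ]; then
        echo "root CAN be locked out (even_deny_root set)"
    else
        echo "root is exempt from lockout"
    fi
}

# Constructed sample modelled on the thread's final configuration, not a real host's file.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
auth        required      pam_tally2.so deny=5 unlock_time=300 onerr=fail
auth        sufficient    pam_unix.so nullok try_first_pass
account     required      pam_tally2.so
account     required      pam_unix.so
EOF

echo "deny=$(tally2_opt "$SAMPLE" deny) unlock_time=$(tally2_opt "$SAMPLE" unlock_time) account_reset=$(tally2_account_line "$SAMPLE")"
tally2_root_risk "$SAMPLE"
```

Point the functions at the real /etc/pam.d/system-auth instead of $SAMPLE to audit a host; a missing account-phase line means counters are never reset on a successful login.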
