PAM, pam_tally, and locking out users after 3 failed login attempts in RHEL5
I'm trying to lock users out after 3 failed login attempts.
No matter what suggestions/options I try, the user is still able to log in after 3 or more failed login attempts. My /etc/pam.d/system-auth includes the following lines:
I have never gotten pam_tally or pam_tally2 to properly work on my systems. I think it's broke.
Well - I've had another bash (you got me inspired!)
I have got it working by doing:
Code:
auth required pam_tally.so
pam_tally fails
I have tried using:
Code:
auth required pam_tally.so
account required pam_tally.so
without the arguments, and faillog and/or pam_tally still does not lock the user account when the number of attempts is exceeded. I have also tried using "login" within pam.d and pam_tally doesn't even count the bad logins. There appears to be a definite bug within system-auth and pam_tally. If anyone has a definite work-around please post.
OK, here's the fix concerning pam_tally. Note there is no "no_magic_root" option for RHEL5. Additionally, no modifications were made to the pam.d "login", "su", "ssh" and "gdm" files. Here's my "system-auth" file.
Code:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally.so per_user deny=3
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    required      pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
P.S. You can monitor pam_tally activity via /var/log/secure: "tail -f /var/log/secure"
-Jim
Thanks again! :D
Thanks, David
I think it's good to have a proper error message about faillog. Does anyone have any idea how to show that error message?
I guess there is no way to do that with PAM, based on a quote (below) from the book "Linux System Security: The Administrator's Guide to Open Source Security Tools", p. 83:
"... In the case of failure, it is generally true that the error message displayed to the user will NOT be indicative of the cause of failure. This generic error message approach is a security feature since it limits information that could be used in compromise efforts."
David
Since this topic is one that seems to cause some trouble (and is required for PCI compliance, and ranks highly in Google for "pam_tally") I thought I'd add a hint that fixed the problem I had with it in the hope that it may help someone else.
The order that plugins are listed in the pam configuration files matters. In particular, the "auth required pam_tally.so" line must come before the "auth sufficient pam_unix.so" line or it will not lock anyone out, even after they have failed the correct number of login attempts.
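The ordering rule above, and Jim's working system-auth earlier in the thread, can be checked mechanically. The following is an added example, not code from any poster: a small parser for pam.d-style files (it understands the bracketed control syntax such as [success=1 default=ignore]) plus a check that an auth-stack pam_tally line exists, what deny= it carries, and that it appears before the first "auth sufficient pam_unix.so" line. Both sample configs are embedded as constructed strings; the first mirrors the auth section of Jim's file, the second has the tally line in the wrong position.

```python
"""Check the pam_tally ordering rule in a pam.d-style configuration.

Added example for this thread; the sample configs below are constructed
strings, not files read from a real system.
"""
import re

# Constructed sample 1: the auth section of the working system-auth posted
# above (pam_tally before the sufficient pam_unix line).
WORKING = """\
#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_tally.so per_user deny=3
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_unix.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
"""

# Constructed sample 2: the mistake the post above describes. pam_unix is
# "sufficient" and comes first, so a correct password never reaches pam_tally
# and the lockout threshold has no effect.
BROKEN = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_tally.so deny=3
auth        required      pam_deny.so
"""

# type, control (plain word or [bracketed ...]), module, optional arguments
_LINE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Return a list of (type, control, module, args) for each non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue  # skip lines that are not module entries
        mtype, control, module, rest = m.groups()
        entries.append((mtype, control, module, rest.split()))
    return entries


def check_tally_order(text):
    """Describe the pam_tally setup of the auth stack in `text`.

    Returns a dict with: tally_present (bool), deny (int or None), and
    before_pam_unix (True only if the tally line precedes the first
    'auth sufficient pam_unix.so' line).
    """
    entries = parse_pam(text)
    tally_idx = unix_idx = None
    deny = None
    for i, (mtype, control, module, args) in enumerate(entries):
        if mtype != "auth":
            continue
        if module in ("pam_tally.so", "pam_tally2.so") and tally_idx is None:
            tally_idx = i
            for a in args:
                if a.startswith("deny="):
                    deny = int(a.split("=", 1)[1])
        if module == "pam_unix.so" and control == "sufficient" and unix_idx is None:
            unix_idx = i
    ordered = (tally_idx is not None and unix_idx is not None
               and tally_idx < unix_idx)
    return {"tally_present": tally_idx is not None,
            "deny": deny,
            "before_pam_unix": ordered}


if __name__ == "__main__":
    for name, cfg in (("working", WORKING), ("broken", BROKEN)):
        print(name, check_tally_order(cfg))
```

To run it against a live box, replace the constructed strings with the contents of /etc/pam.d/system-auth; a result with before_pam_unix set to False is the misordering described above, even though every required line is present.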