Greetings,

I am currently trying to lock down my system a little bit better than just the default settings. I am trying to restrict access to the system by implementing restrictions on the number of logins and teh grace period between password authentication.

I had made changes to my test box that worked just fine, but when I made the same changes to another test box, same configuration, version, etc, it doesn't seem to want to work.

I made changes to login.defs (though I've read that it's been depricated):

LOGIN_RETRIES 3
LOGIN_TIMEOUT 60

to sshd_config:

LoginGraceTime 60
PermitRootLogin no

to pam.d/

auth required /lib/security/pam_tally.so onerr=fail no_magic_root
account required /lib/security/pam_tally.so deny=3 no_magic_root reset

and security/access.conf

-:wheel:ALL EXCEPT LOCAL


However, when I ssh to the box and fat-finger teh login, the password prompt is returned again and again, rather than disconnecting the session after 3 attempts.

I restarted sshd and xinetd , but no luck. Any ideas?

I do not believe login.defs defines the actions for your ssh daemon (sshd).

You could try adding the line:

password required /lib/security/pam_cracklib.so retry=3

To your sshd pam config file located in:

/etc/pam.d/sshd

Ideally that line should go just above any other password line. You'll need to stop/start your sshd for this to take effect.

Hope this helps.

-b

Thanks for the info, but I don't think that's it. I don't have that on my other test box and it works fine. Just for giggles, I did add the line to my other box, but the change is not effective.

That's very interesting. This is for RH 7.3?

-b

Nope. RHEL 3.0 (RedHat Enterprize Linux)