LinuxQuestions.org
Old 07-06-2016, 08:58 AM   #1
ClassANetwork
RHEL5 - Unable to use pam_tally to reset account lock


Hello there,

I am having issues with an RHEL5 image we've been deploying out in the field. Users are locking themselves out constantly and the only option we have at this point is to re-image the drives from a backup.

Some technicians in the field have tried using System Rescue CD to try to passwd the accounts, but the accounts are still locked out from their maximum login attempts. I've also tried using:
Code:
pam_tally --user=[USER] --reset
Anything I try to do with pam_tally says that it doesn't exist and that there's an authentication error.

I also skimmed a bit in my /etc/pam.d/login and I am unsure of what could be changed. I don't want to change too much and break our IA compliance policy.

Is there any way I can unlock these accounts?

Last edited by ClassANetwork; 07-06-2016 at 08:58 AM. Reason: syntax
 
Old 07-06-2016, 09:11 AM   #2
AlucardZero
Quote:
Anything I try to do with pam_tally says that it doesn't exist and that there's an authentication error.
This is not very informative. Copy and paste the exact command(s) you ran and the exact output you get.

You can also try
Code:
faillog -u user -r
 
Old 07-06-2016, 04:54 PM   #3
JockVSJock
Try this:

Code:
pam_tally2 -u (user id here) -r
http://www.tecmint.com/use-pam_tally...ogin-attempts/

Last edited by JockVSJock; 07-06-2016 at 04:57 PM. Reason: add url
 
Old 07-06-2016, 09:53 PM   #4
AlucardZero
RHEL 5 does not use pam_tally2 by default, but it's possible.
 
Old 07-07-2016, 06:13 AM   #5
JockVSJock
Quote:
Originally Posted by AlucardZero
RHEL 5 does not use pam_tally2 by default, but it's possible.
As someone who admins multiple RHEL5/6 VMs, I'm here to say it does.

OP needs to try it and report back. I suspect it will work.
 
Old 07-07-2016, 07:17 AM   #6
ClassANetwork
Hi, sorry for the late reply. I will clarify a few things.

Our IA policy locks our distribution down to where you cannot log on as root from the login screen. In order to access root, you need to log into the standard user account and then open a terminal to access root functionality. Our issue is that the technicians and maintainers in the field keep locking themselves out of both the standard user and root from the login screen, despite telling them repeatedly they cannot log in as root directly. What I tried to do on our test bench was unlock the accounts via System Rescue CD by mounting the partition and chroot to have root privileges to make the changes necessary. Unfortunately, even after issuing passwd to change the passwords, it does not reset the login attempt counts. This is also a baseline distribution with no access to the RHEL repositories for updates, so I am unsure if the version we have in our baseline image has broken/bugged packages.

I will try to figure out how to copy our pam.d configurations and post them here since USB and CD/DVD Burner functionality is disabled. I unfortunately have no control over how these are locked down and it definitely does not make it easy for me to just copy/paste configurations since I have to burn them to a disc and then open them elsewhere. They give me instructions and I build the distributions the way they want them built. I may have to talk with our IAO about acceptable risks needed to make this more manageable.

Both pam_tally and pam_tally2 come up saying it does not exist, also with an Authentication error. I tried using pam_tally to check the login attempts on an account and it will fail.

Code:
pam_tally: No such file or directory
pam_tally: Authentication error
Code:
pam_tally2: No such file or directory
pam_tally2: Authentication error
Quote:
Originally Posted by AlucardZero
This is not very informative. Copy and paste the exact command(s) you ran and the exact output you get.

You can also try
Code:
faillog -u user -r
Unfortunately, the only way I am able to use this command is if all of our partitions are mounted since we have separate partitions for each directory. I have tried mounting all of the partitions with System Rescue CD and using chroot to issue the command, but it does not work or it does not find faillog.

Quote:
Originally Posted by JockVSJock
Try this:

Code:
pam_tally2 -u (user id here) -r
http://www.tecmint.com/use-pam_tally...ogin-attempts/
I will try this today.

Thank you all for your help so far.

Edit: This did not work.

Code:
bash: pam_tally: command not found
It's weird because I can access pam.d and see all of the configurations.

Last edited by ClassANetwork; 07-07-2016 at 10:22 AM.
 
Old 07-07-2016, 03:13 PM   #7
AlucardZero
Quote:
Both pam_tally and pam_tally2 come up saying it does not exist, also with an Authentication error. I tried using pam_tally to check the login attempts on an account and it will fail.
Please also copy and paste the commands you are running. If you're literally just running "pam_tally", that's one thing, but including any arguments (anonymized) and any related commands and their output might help.
Is pam_tally executable? Is it 64-bit or 32-bit? Is your running kernel 64-bit or 32-bit? Do they match?

Quote:
I have tried mounting all of the partitions with System Rescue CD and using chroot to issue the command, but it does not work or it does not find faillog.
Please copy and paste all the commands you are running and all the output you get. Sorry but you're not giving us much to work with here. The problem could be you don't know how to properly chroot (I'd guess forgetting to bind mount /sys, /proc, and /dev), but you're not giving us a lot to work with.

Quote:
Edit: This did not work.
He said pam_tally2 but you appear to have missed the 2.

Do the logs say anything? /var/log/secure and/or /var/log/messages.


Quote:
Originally Posted by JockVSJock
As someone who admins multiple RHEL5/6 VMs, I'm here to say it does.

OP needs to try it and report back. I suspect it will work.
As someone who admins hundreds of RHEL4/5/6/7 VMs, I'm here to say that RHEL 5 does not by default.
Code:
# cat /etc/*release
Red Hat Enterprise Linux Server release 5.11 (Tikanga)
# rpm -V pam
....L...  c /etc/pam.d/system-auth
....L...  c /etc/pam.d/system-auth
# ls -ld /etc/pam.d/system-auth
lrwxrwxrwx 1 root root 14 Jun 24  2010 /etc/pam.d/system-auth -> system-auth-ac
# rpm -qf /etc/pam.d/system-auth-ac 
authconfig-5.3.21-7.el5
# rpm -V authconfig
# 
# grep tally2 /etc/pam.d/*
#
¯\_(ツ)_/¯

Last edited by AlucardZero; 07-07-2016 at 03:16 PM.
 
Old 07-11-2016, 10:41 AM   #8
JockVSJock
My mistake, I thought pam_tally2 was enabled by default on RHEL5.

However it appears to be default on RHEL6.

https://access.redhat.com/solutions/61561

Either way, it appears the OP didn't run the correct command when trying to unlock the account.
 
Old 08-08-2016, 10:53 PM   #9
Z0sickx
tried? /sbin/pam_tally2 -u username --reset
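
Added example, not part of the thread or any poster's code: a dry-run helper for the rescue-CD case discussed above. It reads the PAM configuration of a mounted system to see whether pam_tally or pam_tally2 is actually configured, then prints the bind mounts and the full-path reset command to run as root. Assumptions: the mount point passed as ROOT is hypothetical, the tools live under /sbin (the path used in post #9), and the counter files are the module defaults unless a file= option overrides them.

```shell
#!/bin/sh
# Added example (not from the thread). ROOT is where the installed system's /
# is mounted from the rescue environment (hypothetical, e.g. /mnt/target).

# Active (non-comment) lines of every PAM service file under ROOT.
pam_lines() { grep -hv '^[[:space:]]*#' "$1"/etc/pam.d/* 2>/dev/null; }

# tally_module ROOT -> pam_tally2 | pam_tally | none
tally_module() {
    if pam_lines "$1" | grep -q 'pam_tally2\.so'; then echo pam_tally2
    elif pam_lines "$1" | grep -q 'pam_tally\.so'; then echo pam_tally
    else echo none; fi
}

# tally_file ROOT MODULE -> counter file, honouring a file= module option.
tally_file() {
    custom=$(pam_lines "$1" | grep "$2\.so" |
        sed -n 's/.*[[:space:]]file=\([^[:space:]]*\).*/\1/p' | head -n 1)
    if [ -n "$custom" ]; then echo "$custom"
    elif [ "$2" = pam_tally2 ]; then echo /var/log/tallylog  # module default
    else echo /var/log/faillog; fi                           # module default
}

# reset_plan ROOT USER -> prints the commands to run as root; runs nothing.
reset_plan() {
    root=$1; user=$2; mod=$(tally_module "$root")
    if [ "$mod" = none ]; then
        echo "# no pam_tally/pam_tally2 line under $root/etc/pam.d"; return 1
    fi
    file=$(tally_file "$root" "$mod")
    # With one partition per directory, unmounted pieces show up here.
    [ -x "$root/sbin/$mod" ] || echo "# warning: $root/sbin/$mod not found"
    [ -e "$root$file" ] || echo "# warning: $root$file not found (is /var mounted?)"
    for fs in proc sys dev; do echo "mount --bind /$fs $root/$fs"; done
    echo "chroot $root /sbin/$mod --file $file --user $user --reset"
}

# Constructed demo: a fake mounted root whose PAM stack uses pam_tally and
# has a commented-out pam_tally2 line that must be ignored.
demo=$(mktemp -d)
mkdir -p "$demo/etc/pam.d"
printf '%s\n' '# auth required pam_tally2.so deny=3' \
    'auth required pam_tally.so deny=3 onerr=fail' > "$demo/etc/pam.d/system-auth"
reset_plan "$demo" someuser
rm -rf "$demo"
```

The printed warnings flag a counter file or binary that is not visible under the mount point before anything is run inside the chroot.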
 
  

