I am trying to disable accounts after 5 unsuccessful
login attempts. I am following the guidelines in this
article:
http://www.puschitz.com/SecuringLinu...yLoginFailures
This is on an Oracle Enterprise 5.4 box, which is essentially RHEL 5.4
Here is what my /etc/pam.d/system-auth looks like:
--------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally.so onerr=success no_magic_root
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account required pam_tally.so per_user deny=5 no_magic_root reset
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1 ocredit=-1
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
----
I have created a user 'test1'. I then generated 6 unsuccessful su
attempts from another non-root user account trying to get into the
test1 account. Here is the output of faillog on the user now:
Login       Failures Maximum Latest                   On
test1           6        0   06/08/10 15:32:37 -0400  pts/4
Unfortunately, the account does not seem to be locked or disabled. As root, running 'su test2 -c <some-command>' always successfully runs <some-command>, and leaves the failed attempt count at 6. /etc/shadow does not have an * or ! anywhere in the encrypted password for the 'test1' user.
What am I doing wrong? I thought that with the max attempts set to 0
in faillog, that the deny= parameter would be used.
I thought I should be using su <user> -c <command> from the root account to test if the disable feature is working. Is my methodology wrong?
Did I miss something? Thanks.
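Added example (not from the original post): a small POSIX sh audit of a PAM stack file for the two pam_tally pieces the lockout above depends on, the auth-phase pam_tally.so line that records each failure and the account-phase pam_tally.so line whose deny=N refuses the login once the count is reached. The function names and the sample config embedded at the bottom are constructed for this example.

```shell
#!/bin/sh
# Audit a PAM stack file for pam_tally lockout wiring.
# Usage: pam_tally_audit /etc/pam.d/system-auth

# Print the deny=N value of the account-phase pam_tally.so line; exit 1 if absent.
pam_tally_deny() {
    grep -E '^[[:space:]]*account[[:space:]].*pam_tally\.so' "$1" \
        | sed -n 's/.*deny=\([0-9][0-9]*\).*/\1/p' | head -n1 | grep .
}

# Exit 0 if some auth-phase line loads pam_tally.so (failures get counted).
pam_tally_counts() {
    grep -qE '^[[:space:]]*auth[[:space:]].*pam_tally\.so' "$1"
}

# Report both halves and exit non-zero if either is missing.
pam_tally_audit() {
    rc=0
    if pam_tally_counts "$1"; then
        echo "auth phase: pam_tally.so present, failures are counted"
    else
        echo "auth phase: pam_tally.so MISSING, nothing is ever counted"; rc=1
    fi
    if deny=$(pam_tally_deny "$1"); then
        echo "account phase: lock after $deny failures"
    else
        echo "account phase: no pam_tally.so deny=N, count is never enforced"; rc=1
    fi
    return $rc
}

# Constructed sample mirroring the relevant lines of the post's system-auth.
write_sample_pam() {
    cat > "$1" <<'EOF'
auth required pam_env.so
auth required pam_tally.so onerr=success no_magic_root
auth sufficient pam_unix.so nullok try_first_pass
account required pam_unix.so
account required pam_tally.so per_user deny=5 no_magic_root reset
EOF
}

sample=$(mktemp)
write_sample_pam "$sample"
pam_tally_audit "$sample"
rm -f "$sample"
```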