LinuxQuestions.org


depam 03-25-2009 10:51 AM

where to set maximum login retries and automatically lock users
 
Hi,

I am using CentOS 4.4. How can I set automatic locking of the password after 3 login failures? Thanks.

TB0ne 03-25-2009 11:02 AM

Quote:

Originally Posted by depam (Post 3487347)
Hi,

I am using CentOS 4.4. How can I set automatic locking of the password after 3 login failures? Thanks.

From a brief Google search, this page may help you.
http://www.cyberciti.biz/tips/lock-u...-attempts.html

rweaver 03-25-2009 05:39 PM

Quote:

Originally Posted by depam (Post 3487347)
Hi,

I am using CentOS 4.4. How can I set automatic locking of the password after 3 login failures? Thanks.

Locking accounts after three incorrect attempts isn't a good idea in many cases. Are you sure this is the correct solution for your problem?

depam 03-25-2009 09:30 PM

TB0ne,

Should I have PAM enabled first? Is this a service that I need to incorporate with sshd? Thanks.

rweaver,

This is for compliance with our Audit. Thanks also.

tanveer 03-26-2009 10:24 AM

HOPE THIS HELPS.
If there are 5 failed login attempts, the account will be locked, and the unlock time will be 60 secs.
Code:

** Account auto unlock option is available in later versions of RHEL-4 Update 2. It has to be done manually.

# vi /etc/pam.d/system-auth    [ This setting only works for RHEL- 5.x ]

auth        required      pam_env.so
auth        required      pam_tally.so onerr=fail deny=5 unlock_time=60
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite    pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account    required      pam_unix.so

account    required      pam_tally.so reset
account    sufficient    pam_succeed_if.so uid < 500 quiet
account    required      pam_permit.so

password    requisite    pam_cracklib.so try_first_pass retry=3 minlen=8 lcredit=1 ucredit=1 dcredit=1 ocredit=1 

password    sufficient    pam_unix.so md5 remember=2 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session    optional      pam_keyinit.so revoke
session    required      pam_limits.so
session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session    required      pam_unix.so


depam 03-30-2009 09:57 PM

Thanks everyone. It's working now.

EclipseAgent 03-31-2009 12:31 AM

Actually, having unlock_time using tally.so depends on what version of PAM you're using.

In RHEL4, it is tally2.so that has unlock_time.

Also, if using a traditional / older version, make sure you use no_magic_root. Read the man pages on PAM to make sure you don't leave your machine unusable.
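
An added example, not part of any post in this thread: a small Python check for the lockout settings discussed above, run over the auth/account lines of the posted system-auth. It assumes the option layout of that posted configuration (deny= and unlock_time= on the auth line); `parse_stack`, `audit_lockout` and `max_deny` are names made up for the example.

```python
import re

# Constructed sample: auth/account lines copied from the config posted in the thread.
SAMPLE = """\
auth        required      pam_env.so
auth        required      pam_tally.so onerr=fail deny=5 unlock_time=60
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     required      pam_tally.so reset
"""

def parse_stack(text):
    """Return (type, control, module, options) for each PAM rule line."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m and not line.lstrip().startswith("#"):
            opts = dict(o.partition("=")[::2] for o in m.group(4).split())
            rules.append((m.group(1), m.group(2), m.group(3), opts))
    return rules

def audit_lockout(text, max_deny):
    """Return findings for a system-auth style file; an empty list means none."""
    rules = parse_stack(text)
    auth = [r for r in rules if r[0] == "auth"]
    idx = next((i for i, r in enumerate(auth) if re.search(r"pam_tally2?\.so$", r[2])), None)
    if idx is None:
        return ["no pam_tally/pam_tally2 line in the auth stack"]
    module, opts, findings = auth[idx][2], auth[idx][3], []
    deny = opts.get("deny", "")
    if not deny.isdigit() or not 0 < int(deny) <= max_deny:
        findings.append("deny= missing or above %d" % max_deny)
    if not opts.get("unlock_time", "").isdigit():
        findings.append("unlock_time= not set")
    # A successful 'sufficient' module ends the auth stack at once, so a tally
    # line placed after it is not consulted when the password is correct.
    if any(r[1] == "sufficient" for r in auth[:idx]):
        findings.append("tally line comes after a 'sufficient' module")
    # The posted config pairs the auth line with an account line (reset).
    if not any(r[0] == "account" and r[2] == module for r in rules):
        findings.append("no %s line in the account stack" % module)
    return findings

if __name__ == "__main__":
    for limit in (5, 3):
        print(limit, audit_lockout(SAMPLE, limit))
```

With the limit of 3 from the original question, the posted configuration (deny=5) is reported; with a limit of 5 it passes.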


All times are GMT -5.