CentOS 5 - locking out users after 3 failed attempts
Hi
I am trying to lock users after 3 attempts and then set the timeout before they can log in again. I thought I could achieve this with

auth required pam_tally.so deny=3 unlock_time=600

in /etc/pam.d/system-auth but it seems to not be the case - I can't find a working config for this anywhere and I wonder if anyone has one they can share?

thanks

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
CentOS 5 - locking out users after 3 failed attempts
On Tue, Apr 20, 2010 at 08:26:18PM +0100, Tom Brown wrote:
> Hi
>
> I am trying to lock users after 3 attempts and then set the timeout
> before they can log in again.
> I thought I could achieve this with
>
> auth required pam_tally.so deny=3 unlock_time=600
>
> in /etc/pam.d/system-auth but it seems to not be the case - I can't
> find a working config for this anywhere and I wonder if anyone has one
> they can share?
>
> thanks

I'm not familiar with this module, but it looks like there's a userspace tool 'pam_tally' which you could use to query the tally files. Might be worth confirming that the login failures and such are even being tracked correctly. Any errors in your logs?

A brief perusal of the man page seems to indicate that your syntax is correct...

Ray
CentOS 5 - locking out users after 3 failed attempts
On Tue, 20 Apr 2010, Tom Brown wrote:
> I thought I could achieve this with
>
> auth required pam_tally.so deny=3 unlock_time=600
>
> in /etc/pam.d/system-auth but it seems to not be the case - I can't
> find a working config for this anywhere and I wonder if anyone has one
> they can share?

Works here.

Does '/var/log/faillog' exist and is it properly writable? Is SELinux in play, etc?

The man page does not speak in terms of edits to /etc/pam.d/system-auth but rather to /etc/pam.d/login [note -- I suspect there may be a man page bug here ... in testing, changes to /etc/pam.d/login and some intentionally failed logins do not seem to cause content to be added to /var/log/faillog. Making the edit to /etc/pam.d/system-auth-ac DOES cause content to be registered, and to show up with the 'faillog -a' command [*1]].

/etc/pam.d/system-auth is a symlink to /etc/pam.d/system-auth-ac on my C 5 box, and editing here seems to work just fine:

[root@centos-5 pam.d]# diff -u system-auth-ac~ system-auth-ac
--- system-auth-ac~ 2010-04-20 15:46:34.000000000 -0400
+++ system-auth-ac 2010-04-20 15:46:34.000000000 -0400
@@ -2,6 +2,7 @@
 # This file is auto-generated.
 # User changes will be destroyed the next time authconfig is run.
 auth required pam_env.so
+auth required pam_tally.so deny=3 unlock_time=600 per_user
 auth sufficient pam_unix.so nullok try_first_pass
 auth requisite pam_succeed_if.so uid >= 500 quiet
 auth required pam_deny.so
[root@centos-5 pam.d]#

Nota bene: Note that the GUI tools will happily 'tromp' on changes you make, and do not retain backups.

Did you edit /etc/pam.d/login / /etc/pam.d/system-auth-ac per:
        man pam_tally
at the bottom of that man page, and
        man 8 faillog

Not enough here to diagnose properly presently.

-- Russ herrold

[1]
[root@centos-5 log]# faillog -a
Login       Failures Maximum Latest                   On
thomas          9        0   04/20/10 15:47:02 -0400  localhost.l
[root@centos-5 log]#
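Review bot: the two context lines at the top of the hunk already say the problem with this fix as posted: the file "is auto-generated" and "User changes will be destroyed the next time authconfig is run", so the added pam_tally line vanishes the next time authconfig or the GUI tool regenerates system-auth-ac. If the lockout is meant to persist, replace the /etc/pam.d/system-auth symlink with a regular file (or otherwise keep the line out of the auto-generated file) and record it where configuration management can restore it. Two smaller points on the added line: per_user lets a non-zero per-user maximum stored in /var/log/faillog override deny=3, so check that the Maximum column of 'faillog -a' is 0 for the users the global limit is supposed to cover (it is 0 for 'thomas' in the output at [1]); and its position before 'auth sufficient pam_unix.so' is what makes the deny check run on every attempt, since a pam_tally line placed after the sufficient module is never reached once a correct password is supplied.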
CentOS 5 - locking out users after 3 failed attempts
> Does '/var/log/faillog' exist and is it properly writable?
> Is SELinux in play, etc?
>
> The man page does not speak in terms of edits to: /etc/pam.d/system-auth but rather to:
> /etc/pam.d/login [note -- I suspect there may be a man page
> bug here ... in testing; changes to /etc/pam.d/login and some
> intentionally failed logins, do not seem to cause content to
> be added to /var/log/faillog . Making the edit to:
> /etc/pam.d/system-auth-ac DOES cause content to be registered,
> and to show up with the 'faillog -a' command [*1] ].
>
> /etc/pam.d/system-auth is a symlink to:
> /etc/pam.d/system-auth-ac on my C 5 box, and editing here
> seems to work just fine:
>
> [root@centos-5 pam.d]# diff -u system-auth-ac~ system-auth-ac
> --- system-auth-ac~       2010-04-20 15:46:34.000000000 -0400
> +++ system-auth-ac        2010-04-20 15:46:34.000000000 -0400
> @@ -2,6 +2,7 @@
>  # This file is auto-generated.
>  # User changes will be destroyed the next time authconfig is run.
>  auth        required      pam_env.so
> +auth        required      pam_tally.so deny=3 unlock_time=600 per_user
>  auth        sufficient    pam_unix.so nullok try_first_pass
>  auth        requisite     pam_succeed_if.so uid >= 500 quiet
>  auth        required      pam_deny.so
> [root@centos-5 pam.d]#
>
> Nota bene: Note that the GUI tools will happily 'tromp' on
> changes you make, and do not retain backups.
>
> Did you edit /etc/pam.d/login / /etc/pam.d/system-auth-ac
> per:
>         man pam_tally
> at the bottom of that man page, and
>         man 8 faillog
>
> Not enough here to diagnose properly presently.

Thanks both. PEBKAC it appears - faillog -a was producing the expected results; what seems to be the issue is that although the syntax was correct, the location within auth-config was wrong and it was therefore being ignored. Your diff gave me the clue and seemingly resolved my issue - many thanks.
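A small check for the ordering problem that resolved this thread, added here as an example (it is not code from the thread or from CentOS; the two sample stacks are constructed, modelled on the system-auth-ac hunk in Russ's reply, and the function name check_tally_order is my own). It parses the auth lines of a PAM file and reports whether the pam_tally line sits before the first 'sufficient' module, which is where it must be for the deny check to run on every attempt: placed after 'auth sufficient pam_unix.so' it is never reached when the password is correct, so the lock is never enforced even though faillog can keep counting the failures.

```shell
#!/bin/sh
# Added example, not code from the thread: lint the "auth" group of a PAM
# file for the ordering mistake discussed above. check_tally_order and the
# two sample stacks below are constructed for this demonstration; the
# stacks are modelled on CentOS 5's system-auth-ac, not copied from a box.

# Wrong order: pam_tally sits after "auth sufficient pam_unix.so", so a
# correct password ends the stack before the deny=3 check is reached.
BAD_STACK='#%PAM-1.0
# This file is auto-generated.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_tally.so deny=3 unlock_time=600
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so'

# Working order: pam_tally precedes the sufficient module, as in the diff.
GOOD_STACK='#%PAM-1.0
# This file is auto-generated.
auth        required      pam_env.so
auth        required      pam_tally.so deny=3 unlock_time=600 per_user
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so'

# check_tally_order < pam-file
# Reads a PAM config on stdin. Exit 0 when an auth-type pam_tally.so or
# pam_tally2.so line comes before the first "auth sufficient" line; exit 1
# (with the reason on stdout) when it is missing or comes too late.
# Assumes the keyword control form (required/sufficient/...), which is
# what system-auth-ac uses; bracketed controls like [success=1 ...] are
# not parsed.
check_tally_order() {
    awk '
        /^[[:space:]]*#/ || NF < 3 { next }   # comments and blank lines
        $1 != "auth" { next }                  # only the auth group counts failures
        $3 ~ /^pam_tally2?\.so$/ && !tally { tally = NR }
        $2 == "sufficient" && !suff { suff = NR }
        END {
            if (!tally) {
                print "FAIL: no auth line loads pam_tally.so or pam_tally2.so"
                exit 1
            }
            if (suff && suff < tally) {
                print "FAIL: pam_tally at line " tally " comes after the sufficient module at line " suff ", so it is skipped on a correct password"
                exit 1
            }
            print "OK: pam_tally at line " tally " runs before any sufficient module"
            exit 0
        }'
}

# Stand-alone run over both constructed stacks; the verdict is printed and
# the exit status is absorbed so the loop reaches the second stack.
for stack in "$BAD_STACK" "$GOOD_STACK"; do
    printf '%s\n' "$stack" | check_tally_order || true
done
```

On a real box run it as `check_tally_order < /etc/pam.d/system-auth-ac` (the file the symlink points at), and re-run it after any authconfig or GUI change, since those regenerate the file and can silently drop the line.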
CentOS 5 - locking out users after 3 failed attempts
From: Tom Brown <tom@ng23.net>
> auth required pam_tally.so deny=3 unlock_time=600

Anything in /var/log/tallylog? Tried pam_tally2.so just in case?

JD