I've tried that too and it was a good suggestion as su now crashes only if you enter a wrong password. I've also tried to rebuild rpmforge srpm with no luck. Could you really make this thing work? I mean did it actually block anything after a series of failed logins?
As I said, we use it for various services on all Internet-bound systems. And yes, it works fine. Example: /etc/pam.d/sshd

#%PAM-1.0
auth       optional     pam_shield.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
You don't want to add this to /etc/pam.d/system-auth simply because it makes no sense to enable pam_shield for things like su, screen, reboot, etc. If you understand what pam_shield does (e.g. read the documentation), you'd never want to enable it for all PAM services that use system-auth. EVER.
I'm in no way a pam expert, yes. So I have to rely on the documentation which comes with the package.
# cat /usr/share/doc/pam_shield-0.9.3/INSTALL
...
If you want to use pam_shield for all services, edit /etc/pam.d/common-auth. Add the line

auth optional pam_shield.so

and that's that.
...
And that's about the only hint on how and where to enable pam_shield. I've tried to add this line to /etc/pam.d/sshd too. Fortunately it didn't crash anything but it didn't work either.
Here's the story for those interested. With the default of

allow_missing_dns no
allow_missing_reverse no
pam_shield DOESN'T BLOCK hosts with no or incomplete dns entries, which is a surprise. Should I say a big one? The reason it didn't work for me was that bind wasn't adding reverse maps for my local hosts because of screwed up zone file permissions.
On a side note, when testing pam_shield with a recommended retention period of 60 secs you have to run /etc/cron.daily/pam-shield manually to release expired locks.
HTH
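The behaviour described in this post (hosts with missing or inconsistent DNS are skipped rather than blocked under the default `allow_missing_dns no` / `allow_missing_reverse no`, a short `retention` makes a test lock expire, and only the cron job releases expired locks) can be reproduced in a small model. This is an added example and not pam_shield's code: the failure counting (`max_conns` failed attempts within `interval` seconds) is an assumed simplification of the module's options, the order of the forward and reverse lookups is an assumption, and DNS is replaced by a constructed in-memory resolver so that it runs offline.

```python
"""Model of pam_shield's block/skip decision, as an added example.

Not pam_shield's code. Reproduces the thread's observations: with
allow_missing_dns / allow_missing_reverse at their default "no", a host with
no PTR record (or a forward/reverse mismatch) is never counted or blocked,
and a block is only released when expired locks are purged (the cron job).
The window/threshold semantics are an assumed simplification.
"""
from dataclasses import dataclass


@dataclass
class ShieldConfig:
    max_conns: int = 10                  # failures within `interval` before blocking
    interval: int = 300                  # seconds (assumed window semantics)
    retention: int = 60                  # lock lifetime in seconds (thread's test value)
    allow_missing_dns: bool = False      # default "no"
    allow_missing_reverse: bool = False  # default "no"


class FakeResolver:
    """Constructed stand-in for DNS; tables are supplied inline by the demo."""
    def __init__(self, ptr: dict, a: dict):
        self.ptr, self.a = ptr, a

    def reverse(self, ip):           # PTR lookup -> hostname or None
        return self.ptr.get(ip)

    def forward(self, name):         # A lookup -> list of IPs (may be empty)
        return self.a.get(name, [])


def dns_eligible(ip, resolver, cfg):
    """(eligible, reason): may this host be counted/blocked at all?"""
    name = resolver.reverse(ip)
    if name is None:
        return cfg.allow_missing_reverse, "no reverse (PTR) record"
    forward = resolver.forward(name)
    if not forward:
        return cfg.allow_missing_dns, "reverse name has no forward record"
    if ip not in forward:
        return cfg.allow_missing_dns, "forward/reverse mismatch"
    return True, "ok"


class Shield:
    def __init__(self, cfg, resolver):
        self.cfg, self.resolver = cfg, resolver
        self.failures = {}   # ip -> timestamps of failed logins in the window
        self.blocked = {}    # ip -> expiry timestamp of the block

    def failed_login(self, ip, now):
        """Return 'skipped', 'counted' or 'blocked' for one failed attempt."""
        eligible, _reason = dns_eligible(ip, self.resolver, self.cfg)
        if not eligible:
            return "skipped"            # the surprise from the post
        hist = [t for t in self.failures.get(ip, []) if now - t < self.cfg.interval]
        hist.append(now)
        self.failures[ip] = hist
        if len(hist) >= self.cfg.max_conns:
            self.blocked[ip] = now + self.cfg.retention
            return "blocked"
        return "counted"

    def expire_locks(self, now):
        """What the daily cron job does: release locks whose retention ended."""
        released = sorted(ip for ip, exp in self.blocked.items() if exp <= now)
        for ip in released:
            del self.blocked[ip]
            self.failures.pop(ip, None)
        return released


def demo(allow_missing_reverse=False):
    # Constructed DNS: 10.0.0.5 has consistent forward/reverse records,
    # 10.0.0.9 has no PTR at all (the post's broken reverse zone).
    resolver = FakeResolver(ptr={"10.0.0.5": "box5.example.test"},
                            a={"box5.example.test": ["10.0.0.5"]})
    cfg = ShieldConfig(max_conns=5, interval=300, retention=60,
                       allow_missing_reverse=allow_missing_reverse)
    shield = Shield(cfg, resolver)
    outcomes = {ip: [shield.failed_login(ip, now=t) for t in range(5)]
                for ip in ("10.0.0.5", "10.0.0.9")}
    too_early = shield.expire_locks(now=30)    # block set at t=4 lives until t=64
    released = shield.expire_locks(now=70)
    return outcomes, too_early, released


if __name__ == "__main__":
    for flag in (False, True):
        outcomes, early, late = demo(allow_missing_reverse=flag)
        print(f"allow_missing_reverse={'yes' if flag else 'no'}:")
        for ip, seq in outcomes.items():
            print(f"  {ip}: {seq}")
        print(f"  released at t=30: {early}, at t=70: {late}")
```

With the defaults the host lacking a PTR record is skipped on every attempt, which is exactly what made the module look broken in the post; flipping `allow_missing_reverse` makes it count and block like any other host, and in both cases the lock only goes away once the expiry pass runs after the retention period.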