Hi
I am trying to lock users after 3 attempts and then set the timeout before they can log in again. I thought i could achieve this with
auth required pam_tally.so deny=3 unlock_time=600
in /etc/pam.d/system-auth but it seems to not be the case - I cant find a working config for this anywhere and i wonder if anyone has one they can share?
thanks
On Tue, Apr 20, 2010 at 08:26:18PM +0100, Tom Brown wrote:
Hi
I am trying to lock users after 3 attempts and then set the timeout before they can log in again. I thought i could achieve this with
auth required pam_tally.so deny=3 unlock_time=600
in /etc/pam.d/system-auth but it seems to not be the case - I cant find a working config for this anywhere and i wonder if anyone has one they can share?
thanks
I'm not familiar with this module, but it looks like there's a userspace tool 'pam_tally' which you could use to query the tally files.
Might be worth confirming that the login failures and such are even being tracked correctly.
Any errors in your logs? A brief perusal of the man page seems to indicate that your syntax is correct...
Ray
On Tue, 20 Apr 2010, Tom Brown wrote:
I thought i could achieve this with
auth required pam_tally.so deny=3 unlock_time=600
in /etc/pam.d/system-auth but it seems to not be the case - I cant find a working config for this anywhere and i wonder if anyone has one they can share?
Works here
Does '/var/log/faillog' exist and is it properly writable? Is SELinux in play, etc? The man page does not speak in terms of edits to: /etc/pam.d/system-auth but rather to: /etc/pam.d/login [note -- I suspect there may be a man page bug here ... in testing; changes to /etc/pam.d/login and some intentionally failed logins, do not seem to cause content to be added to /var/log/faillog . Making the edit to: /etc/pam.d/system-auth-ac DOES cause content to be registered, and to show up with the 'faillog -a' command [*1] ].
/etc/pam.d/system-auth is a symlink to: /etc/pam.d/system-auth-ac on my C 5 box, and editting here seems to work just fine:
[root@centos-5 pam.d]# diff -u system-auth-ac~ system-auth-ac --- system-auth-ac~ 2010-04-20 15:46:34.000000000 -0400 +++ system-auth-ac 2010-04-20 15:46:34.000000000 -0400 @@ -2,6 +2,7 @@ # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so +auth required pam_tally.so deny=3 unlock_time=600 per_user auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so [root@centos-5 pam.d]#
Nota bene: Note that the GUI tools will happily 'tromp' on changes you make, and do not retain backups.
Did you edit /etc/pam.d/login / /etc/pam.d/system-auth-ac per: man pam_tally at the bottom of that man page, and man 8 faillog
Not enough here to diagnose properly presently.
-- Russ herrold
[1] [root@centos-5 log]# faillog -a Login Failures Maximum Latest On thomas 9 0 04/20/10 15:47:02 -0400 localhost.l [root@centos-5 log]#
Does '/var/log/faillog' exist and is it properly writable? Is SELinux in play, etc? The man page does not speak in terms of edits to: /etc/pam.d/system-auth but rather to: /etc/pam.d/login [note -- I suspect there may be a man page bug here ... in testing; changes to /etc/pam.d/login and some intentionally failed logins, do not seem to cause content to be added to /var/log/faillog . Making the edit to: /etc/pam.d/system-auth-ac DOES cause content to be registered, and to show up with the 'faillog -a' command [*1] ].
/etc/pam.d/system-auth is a symlink to: /etc/pam.d/system-auth-ac on my C 5 box, and editting here seems to work just fine:
[root@centos-5 pam.d]# diff -u system-auth-ac~ system-auth-ac --- system-auth-ac~ 2010-04-20 15:46:34.000000000 -0400 +++ system-auth-ac 2010-04-20 15:46:34.000000000 -0400 @@ -2,6 +2,7 @@ # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so +auth required pam_tally.so deny=3 unlock_time=600 per_user auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so [root@centos-5 pam.d]#
Nota bene: Note that the GUI tools will happily 'tromp' on changes you make, and do not retain backups.
Did you edit /etc/pam.d/login / /etc/pam.d/system-auth-ac per: man pam_tally at the bottom of that man page, and man 8 faillog
Not enough here to diagnose properly presently.
thanks both
pebkac it appears - faillog -a was producing the expected results, what seems to be the issue is that although the syntax was correct the location within auth-config was wrong and therefore being ignored.
your diff gave me the clue and seemingly resolved my issue - many thanks
From: Tom Brown tom@ng23.net
auth required pam_tally.so deny=3 unlock_time=600
Anything in /var/log/tallylog Tried pam_tally2.so just in case?
JD
-
John Doe -
R P Herrold -
Ray Van Dolson -
Tom Brown