[CentOS] CentOS 5 - locking out users after 3 failed attempts

Tue Apr 20 20:51:29 UTC 2010
Tom Brown <tom at ng23.net>

> Does '/var/log/faillog' exist and is it properly writable?
> Is SELinux in play, etc?  The man page does not speak in terms
> of edits to: /etc/pam.d/system-auth but rather to:
> /etc/pam.d/login [note -- I suspect there may be a man page
> bug here ... in testing; changes to /etc/pam.d/login and some
> intentionally failed logins, do not seem to cause content to
> be added to /var/log/faillog .  Making the edit to:
> /etc/pam.d/system-auth-ac DOES cause content to be registered,
> and to show up with the 'faillog -a' command [*1] ].
>
> /etc/pam.d/system-auth is a symlink to:
> /etc/pam.d/system-auth-ac on my C 5 box, and editing here
> seems to work just fine:
>
> [root at centos-5 pam.d]# diff -u system-auth-ac~ system-auth-ac
> --- system-auth-ac~     2010-04-20 15:46:34.000000000 -0400
> +++ system-auth-ac      2010-04-20 15:46:34.000000000 -0400
> @@ -2,6 +2,7 @@
>  # This file is auto-generated.
>  # User changes will be destroyed the next time authconfig is run.
>  auth        required      pam_env.so
> +auth       required     pam_tally.so deny=3 unlock_time=600 per_user
>  auth        sufficient    pam_unix.so nullok try_first_pass
>  auth        requisite     pam_succeed_if.so uid >= 500 quiet
>  auth        required      pam_deny.so
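Review bot: the placement of the new `pam_tally.so` line, above `auth sufficient pam_unix.so`, is the detail that makes this hunk work and is worth calling out in the commit message: a `sufficient` module that succeeds ends the auth stack, so the same line put below `pam_unix.so` would never deny a correct password once the count is reached, and below `pam_deny.so` it would never run at all. Two smaller points: the header two lines above the insertion says the file is auto-generated and that user changes are destroyed the next time authconfig runs, so this edit has to be re-applied (or made through authconfig) after any such run; and the added line's columns are not aligned with the neighbouring entries (`auth        required      pam_tally.so ...` would match).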
> [root at centos-5 pam.d]#
>
> Nota bene: Note that the GUI tools will happily 'tromp' on
> changes you make, and do not retain backups.
>
> Did you edit /etc/pam.d/login / /etc/pam.d/system-auth-ac
> per:
>        man pam_tally
> at the bottom of that man page, and
>        man 8 faillog
>
> Not enough here to diagnose properly presently.

Thanks both.

PEBKAC, it appears: faillog -a was producing the expected results; what seems to be the issue is that although the syntax was correct, the location within auth-config was wrong and it was therefore being ignored.

Your diff gave me the clue and seemingly resolved my issue. Many thanks.
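As an added example (not code from this thread or from CentOS), here is a small POSIX shell check that applies the point the quoted diff and the reply illustrate: a pam_tally auth line is only enforced when it is `required` (or `requisite`) and sits above the first `auth sufficient` entry. The temp-file names and the two sample stacks below are constructed for the demonstration; the "good" one mirrors the shape of the quoted hunk, the "bad" one moves the same line below `pam_unix.so`.

```shell
#!/bin/sh
# Added example, not part of the thread: check that a pam_tally auth line in a
# system-auth style file is placed where it will actually be enforced, i.e.
# with control "required"/"requisite" and above the first "auth sufficient" entry.
# Exit codes: 0 ok, 1 misplaced/missing/weak control, 2 file unreadable.
check_pam_tally_order() {
    pamfile="$1"
    [ -r "$pamfile" ] || return 2
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        $1 != "auth" { next }                           # only the auth stack matters here
        $3 ~ /^pam_tally2?\.so$/ {
            seen = 1
            if ($2 != "required" && $2 != "requisite") weak = 1
            next
        }
        $2 == "sufficient" && !seen { early = 1; exit } # success here would skip the tally
        END {
            if (early) { print "sufficient-before-tally"; exit 1 }
            if (!seen) { print "no-pam_tally-auth-line"; exit 1 }
            if (weak)  { print "pam_tally-control-is-not-required"; exit 1 }
            print "ok"
        }
    ' "$pamfile"
}

# Constructed sample stacks (hypothetical paths in a temp dir, not real system files).
PAM_SAMPLES=$(mktemp -d)
GOOD_PAM="$PAM_SAMPLES/system-auth-ac.good"
BAD_PAM="$PAM_SAMPLES/system-auth-ac.bad"

cat > "$GOOD_PAM" <<'EOF'
#%PAM-1.0
# This file is auto-generated.
auth        required      pam_env.so
auth        required      pam_tally.so deny=3 unlock_time=600 per_user
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
EOF

# Same line, but below the sufficient pam_unix.so entry: a correct password
# ends the stack before pam_tally runs, so the lockout never triggers.
cat > "$BAD_PAM" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_tally.so deny=3 unlock_time=600 per_user
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
EOF

for f in "$GOOD_PAM" "$BAD_PAM"; do
    printf '%s: ' "$f"
    check_pam_tally_order "$f" || true
done
```

Run it against a real stack with `check_pam_tally_order /etc/pam.d/system-auth-ac`; a non-zero exit with the reason printed is the "location was wrong" case from the reply above. It only inspects the `auth` phase, which is where the quoted hunk makes its change.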