[CentOS] CentOS 5 - locking out users afer 3 failed attempts

Tue Apr 20 19:52:42 UTC 2010
R P Herrold <herrold at centos.org>

On Tue, 20 Apr 2010, Tom Brown wrote:

> I thought i could achieve this with
> auth required pam_tally.so deny=3 unlock_time=600
> in /etc/pam.d/system-auth but it seems to not be the case - I cant
> find a working config for this anywhere and i wonder if anyone has one
> they can share?

Works here

Does '/var/log/faillog' exist and is it properly writable? 
Is SELinux in play, etc?  The man page does not speak in terms 
of edits to: /etc/pam.d/system-auth but rather to: 
/etc/pam.d/login [note -- I suspect there may be a man page 
bug here ... in testing; changes to /etc/pam.d/login and some 
intentionally failed logins, do not seem to cause content to 
be added to /var/log/faillog .  Making the edit to: 
/etc/pam.d/system-auth-ac DOES cause content to be registered, 
and to show up with the 'faillog -a' command [*1] ].

/etc/pam.d/system-auth is a symlink to: 
/etc/pam.d/system-auth-ac on my C 5 box, and editting here 
seems to work just fine:

[root at centos-5 pam.d]# diff -u system-auth-ac~ system-auth-ac
--- system-auth-ac~     2010-04-20 15:46:34.000000000 -0400
+++ system-auth-ac      2010-04-20 15:46:34.000000000 -0400
@@ -2,6 +2,7 @@
  # This file is auto-generated.
  # User changes will be destroyed the next time authconfig is run.
  auth        required      pam_env.so
+auth       required     pam_tally.so deny=3 unlock_time=600 per_user
  auth        sufficient    pam_unix.so nullok try_first_pass
  auth        requisite     pam_succeed_if.so uid >= 500 quiet
  auth        required      pam_deny.so
[root at centos-5 pam.d]#

Nota bene: Note that the GUI tools will happily 'tromp' on 
changes you make, and do not retain backups.

Did you edit /etc/pam.d/login / /etc/pam.d/system-auth-ac 
 	man pam_tally
at the bottom of that man page, and
 	man 8 faillog

Not enough here to diagnose properly presently.

-- Russ herrold

[root at centos-5 log]# faillog -a
Login       Failures Maximum Latest                   On
thomas          9        0   04/20/10 15:47:02 -0400  localhost.l
[root at centos-5 log]#