pam_tally question



  1. #1

    hey all,
    I am trying to get the pam_tally.so and faillog modules to work on my RH7.3 system.

    They were working for the login service, but recently we switched to the ssh service (in lieu of telnet) and it stopped tallying failed logins.

    I tried putting the same lines into the system-auth pam config file, but now it tallies the failures, but does not reset on a success.

    Where should I put the pam_tally lines in the system-auth file, so I can monitor and lock out every service (if 5 failures occur).

    Thanks,
    ac

  2. #2
    I know this is an old thread, but thought I'd update it for the benefit of others.

    I know this works for CentOS 5.5 (Final).

    I recommend creating a 'test' user to try it out.

    This will lock users out for 60 seconds after 3 unsuccessful attempts, then reset the tally to 0; you can change this to suit, see 'man pam_tally'.

    To show failed logins at /var/log do 'faillog -a'

    Add the line 'auth required pam_tally.so onerr=fail deny=3 unlock_time=60 ' after the line 'auth required pam_env.so' - the order is crucial, it doesn't work correctly if you place it out of order.

    Add the line 'auth required pam_env.so'

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth required pam_env.so
    auth required pam_tally.so onerr=fail deny=3 unlock_time=60 <===== add this line here
    auth sufficient pam_unix.so nullok try_first_pass
    auth requisite pam_succeed_if.so uid >= 500 quiet
    auth required pam_deny.so

    account required pam_unix.so
    account sufficient pam_succeed_if.so uid < 500 quiet
    account required pam_permit.so
    account required pam_tally.so reset <===== add this line here

    password requisite pam_cracklib.so try_first_pass retry=3
    password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
    password required pam_deny.so

    session optional pam_keyinit.so revoke
    session required pam_limits.so
    session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session required pam_unix.so
    Last edited by fishface; 06-22-2011 at 12:24 PM.

  3. #3
    Update:

    NOTE: CentOS-6.0 works differently: it uses pam_tally2.so, you have to modify the /etc/pam.d/sshd file to block SSH access, and the no_magic_root and no_reset options are not available in pam_tally2.so. From my brief testing, pam_tally2.so works as expected for user accounts, but one thing I noticed is that pam_tally2.so does not reset the number of failed attempts for failed root logins if you have configured the sshd_config file to 'PermitRootLogins no' (I always block root access via SSH) - this may be by design, but I'm not certain.

    pam_tally2.so configuration for CentOS-6.0

    #%PAM-1.0
    auth required pam_sepermit.so
    # pam_tally2.so configured to lock users out for 60 seconds after 3 unsuccessful attempts, then reset the tally to 0
    # To show failed logins at /var/log do 'pam_tally2 -u username'
    auth required pam_tally2.so onerr=fail deny=3 unlock_time=30 <===== add this line here
    auth include password-auth
    account required pam_nologin.so
    account required pam_tally2.so <===== add this line here
    account include password-auth
    password include password-auth
    # pam_selinux.so close should be the first session rule
    session required pam_selinux.so close
    session required pam_loginuid.so
    # pam_selinux.so open should only be followed by sessions to be executed in the user context
    session required pam_selinux.so open env_params
    session optional pam_keyinit.so force revoke
    session include password-auth
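Both posts above stress two things: the tally rule has to sit at the top of the auth stack (before the 'sufficient' pam_unix.so rule), and a matching account rule is needed so a successful login resets the count (the original poster's "tallies but never resets" symptom is the missing account line). The following checker is an added example, not code from the thread; it parses a pam.d-style file (system-auth or sshd) and reports either mistake, with a constructed sample config embedded in the block.

```python
# Added example, not the thread's own code: checks the two ordering rules the
# posts rely on, for any pam.d-style file (system-auth or sshd). The tally auth
# rule must be 'required', carry deny=, and precede the first 'sufficient' auth
# module; an account rule for the same module must exist to reset on success.
import re

TALLY = ("pam_tally.so", "pam_tally2.so")

# Constructed sample: the CentOS 5 system-auth from post #2, arrows removed.
GOOD_SYSTEM_AUTH = """\
auth required pam_env.so
auth required pam_tally.so onerr=fail deny=3 unlock_time=60
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so
account required pam_unix.so
account required pam_tally.so reset
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
"""

def parse_pam(text):
    """Return (type, control, module, args) per rule; comments and blanks skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # the control field may be a bracketed action list, e.g. [success=1 default=ignore]
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            rules.append(m.groups())
    return rules

def check_tally(text):
    """Return a list of problems; an empty list means the tally rules look right."""
    rules, problems = parse_pam(text), []
    auth = [r for r in rules if r[0] == "auth"]
    hits = [i for i, r in enumerate(auth) if r[2] in TALLY]
    if not hits:
        problems.append("no pam_tally/pam_tally2 auth rule")
    else:
        i, (_, control, _, args) = hits[0], auth[hits[0]]
        if control != "required":
            problems.append("tally auth rule is not 'required'")
        if "deny=" not in args:
            problems.append("tally auth rule has no deny= limit")
        if any(r[1] == "sufficient" for r in auth[:i]):
            problems.append("tally auth rule comes after a 'sufficient' auth module")
    if not any(r[0] == "account" and r[2] in TALLY for r in rules):
        problems.append("no account rule to reset the tally on success")
    return problems
```

Run check_tally(open("/etc/pam.d/system-auth").read()) on a test box after editing; an empty list means the tally lines are placed as the posts describe.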
