pam_tally2 does not lock account after the number of failed attempts.

Hi,

I am trying to implement user lockout after a certain number of failed login attempts in RH5.6. Here are the contents of the system-auth file.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
auth        required      /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root

account     required      /lib/security/$ISA/pam_unix.so
account     required      /lib/security/$ISA/pam_tally.so per_user deny=3 no_magic_root reset

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 difok=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=8
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

After 3 failed attempts, if I type the right password, the system allows the user to log in and resets the failure count.

Sree

Responses

Here's my system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

auth required pam_env.so
auth required pam_tally.so per_user deny=3
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

You should only need the pam_tally directive in the auth section. "no_magic_root" does not appear to be a valid directive on the RH build of pam_tally, btw. Give that a try and let me know if that works for you.

A couple of things: you might be better served to use pam_tally2 (can't remember whether they eventually linked pam_tally to pam_tally2). Secondly, unless you want EVERY auth attempt to increment your tally counters, you'll probably only want to tally-enable each service you specifically want to tally. Putting the tally modules in the system-auth file can lead to unexpected lockouts - particularly if less cluefully-designed applications are not doing calls against the PAM subsystem that well. In the services we enable tally for, we usually have things set up like:

auth required pam_tally2.so deny=3 onerr=fail unlock_time=NNN

If you're using the tally module, you'll want the unlock_time set so that you don't accidentally perma-lock accounts. It's annoying - and, many times, impractical - having to get someone with root rights to log in and do a --reset for you just because you authed too frequently in a short period of time (though, this may be more an RHEL 5 problem than an RHEL 6 problem).


If your reason for using the tally modules is to guard against remote password brute-forcers, you can leverage iptables for that. You can add something like:

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --set --name sshtrack --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --name sshtrack --rsource -j LOG --log-prefix "ssh rejection: "
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --name sshtrack --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

to each service's associated iptables rules.
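The deny=3 / unlock_time behaviour discussed in the reply above, as an added example that is not code from this thread or from pam_tally2 itself: a small Python model of a pam_tally2-style failure counter. The semantics are assumed from the module's documented options rather than taken from its source: every attempt bumps the counter and is refused once the count exceeds deny, a successful login clears it, and a lock clears by itself only when unlock_time seconds have passed since the last attempt; the user name and timestamps are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Tally:
    fail_cnt: int = 0     # consecutive failures recorded for the user
    fail_time: int = 0    # timestamp of the most recent attempt that failed


@dataclass
class TallyModule:
    """Model of 'auth required pam_tally2.so deny=N unlock_time=S' (assumed semantics)."""
    deny: int = 3
    unlock_time: int = 0  # 0 = never auto-unlock; only an admin --reset clears the lock
    log: dict = field(default_factory=dict)  # stands in for /var/log/tallylog

    def authenticate(self, user, password_ok, now):
        """Return 'ok', 'bad-password' or 'locked' for one login attempt at time `now`."""
        t = self.log.setdefault(user, Tally())
        # Auto-unlock: a lock older than unlock_time seconds is cleared before the check.
        if (self.unlock_time and t.fail_cnt > self.deny
                and now - t.fail_time >= self.unlock_time):
            t.fail_cnt = 0
        # Every attempt is recorded as a failure until the stack succeeds.
        t.fail_cnt += 1
        t.fail_time = now
        if t.fail_cnt > self.deny:
            return "locked"        # refused before the password is even considered
        if not password_ok:
            return "bad-password"
        t.fail_cnt = 0             # success: counter reset (pam_setcred in the real module)
        return "ok"

    def reset(self, user):
        """What 'pam_tally2 --user USER --reset' does for a perma-locked account."""
        self.log[user] = Tally()


def scenario(unlock_time):
    """Three wrong passwords at t=0,1,2, then correct ones at t=3,300,899,1499 (constructed)."""
    m = TallyModule(deny=3, unlock_time=unlock_time)
    verdicts = [m.authenticate("sree", False, now) for now in (0, 1, 2)]
    for now in (3, 300, 899, 1499):
        verdicts.append(m.authenticate("sree", True, now))
    return verdicts
```

With unlock_time=0 the correct password is refused forever until reset(); with unlock_time=600 it is still refused at t=300 and t=899 because each refused attempt refreshes the lock, and only the attempt 600 seconds after the last one gets through.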