pam_tally2 does not lock account after the number of failed attempts.


Hi,

I am trying to implement the user lockout after a certain number of failed login attempts in RH5.6. Here are the contents of the system-auth file.


# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/
auth        sufficient    /lib/security/$ISA/ likeauth nullok
auth        required      /lib/security/$ISA/
auth        required      /lib/security/$ISA/ onerr=fail no_magic_root

account     required      /lib/security/$ISA/
account     required      /lib/security/$ISA/ per_user deny=3 no_magic_root reset

password    required      /lib/security/$ISA/ retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 difok=3
password    sufficient    /lib/security/$ISA/ nullok use_authtok md5 shadow remember=8
password    required      /lib/security/$ISA/

session     required      /lib/security/$ISA/
session     required      /lib/security/$ISA/


After 3 failed attempts, if I type the right password, the system allows the user to log in and resets the failure count.




Here's my system-auth:


# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

auth required
auth required per_user deny=3
auth sufficient nullok try_first_pass
auth requisite uid >= 500 quiet
auth required

account required
account sufficient uid < 500 quiet
account required

password requisite try_first_pass retry=3
password sufficient md5 shadow nullok try_first_pass use_authtok
password required

session optional revoke
session required
session [success=1 default=ignore] service in crond quiet
session required

You should only need the pam_tally directive in the auth section. "no_magic_root" does not appear to be a valid directive on the RH build of pam_tally, btw. Give that a try and let me know if that works for you.

A couple of things: you might be better served to use pam_tally2 (can't remember whether they eventually linked pam_tally to pam_tally2). Secondly, unless you want EVERY auth attempt to increment your tally counters, you'll probably only want to tally-enable each service you specifically want to tally. Putting the tally modules in the system-auth file can lead to unexpected lockouts - particularly if less cluefully-designed applications are not doing calls against the PAM subsystem that well. In the services we enable tally for, we usually have things set up like:


auth required deny=3 onerr=fail unlock_time=NNN


If you're using the tally module, you'll want the unlock_time set so that you don't accidentally perma-lock accounts. It's annoying - and, many times, impractical - having to get someone with root rights to log in and do a --reset for you just because you authed too frequently in a short period of time (though, this may be more an RHEL 5 problem than an RHEL 6 problem).


If your reason for using the tally modules is to guard against remote password brute-forcers, you can leverage iptables for that. You can add something like:


-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --set --name sshtrack --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --name sshtrack --rsource -j LOG --log-prefix "ssh rejection: "
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --name sshtrack --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT


to each service's associated iptables rules.
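The following is an added example, not something any participant in this thread posted. It is a POSIX shell script that audits a PAM service file for the mistakes the two replies point at (tally module sitting only in the account stack, the invalid no_magic_root option, and an auth tally line without deny=, onerr=fail or unlock_time), and that emits the per-service "recent" rule set from the last reply parameterised by port, list name, window and hit count. The two embedded PAM configs are constructed: one mirrors the original poster's layout, the other the per-service layout the replies recommend. Module names such as pam_tally2.so and pam_unix.so, the 900-second unlock_time and the choice of sshd as the service are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a PAM service file for the
# lockout mistakes discussed above and emits the per-service iptables rules.
# Module names, the unlock_time value and both sample configs are assumptions.

# Constructed sample in the original poster's layout: pam_tally only in the
# account stack, plus the no_magic_root option the first reply says is invalid.
BAD_PAM='auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        required      pam_deny.so
account     required      pam_unix.so
account     required      pam_tally.so per_user deny=3 no_magic_root reset
session     required      pam_unix.so'

# Constructed sample in the layout the replies recommend (e.g. /etc/pam.d/sshd):
# pam_tally2 in the auth stack with deny, onerr=fail and an unlock_time.
GOOD_PAM='auth        required      pam_env.so
auth        required      pam_tally2.so deny=3 onerr=fail unlock_time=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
session     required      pam_unix.so'

# pam_audit: read a PAM service file on stdin, print one finding per line,
# exit 0 when no finding was made and 1 otherwise.
pam_audit() {
  awk '
    /^[ \t]*#/ || NF < 3 { next }            # skip comments and blank lines
    $3 ~ /pam_tally2?\.so/ {                  # pam_tally.so or pam_tally2.so, any path
      if ($1 == "auth") {
        in_auth = 1
        for (i = 4; i <= NF; i++) auth_args = auth_args " " $i
      }
      if ($1 == "account") in_account = 1
      for (i = 4; i <= NF; i++) if ($i == "no_magic_root") bad_opt = 1
    }
    END {
      rc = 0
      if (!in_auth && in_account) {
        print "tally module only in the account stack: the counter is read and reset there but never incremented"; rc = 1
      } else if (!in_auth) {
        print "no tally module in the auth stack: failed logins are never counted"; rc = 1
      }
      if (in_auth && auth_args !~ /deny=/)        { print "auth tally line has no deny=N, so there is no lockout threshold"; rc = 1 }
      if (in_auth && auth_args !~ /onerr=fail/)   { print "auth tally line lacks onerr=fail, as the thread recommends"; rc = 1 }
      if (in_auth && auth_args !~ /unlock_time=/) { print "auth tally line has no unlock_time: a locked account stays locked until a root --reset"; rc = 1 }
      if (bad_opt) { print "no_magic_root is not an option of the RH pam_tally build"; rc = 1 }
      exit rc
    }'
}

# recent_rules PORT NAME SECONDS HITS: emit the "recent"-module rule set from the
# thread in iptables-save form, with ACCEPT last so the DROP rule wins.
recent_rules() {
  port=$1; name=$2; secs=$3; hits=$4
  match="-A INPUT -p tcp -m tcp --dport $port -m state --state NEW"
  printf '%s\n' "$match -m recent --set --name $name --rsource"
  printf '%s\n' "$match -m recent --update --seconds $secs --hitcount $hits --name $name --rsource -j LOG --log-prefix \"$name rejection: \""
  printf '%s\n' "$match -m recent --update --seconds $secs --hitcount $hits --name $name --rsource -j DROP"
  printf '%s\n' "-A INPUT -p tcp -m tcp --dport $port -j ACCEPT"
}

echo "== constructed config in the poster's layout =="
printf '%s\n' "$BAD_PAM" | pam_audit || :
echo "== constructed per-service config =="
printf '%s\n' "$GOOD_PAM" | pam_audit && echo "no findings"
echo "== recent rules for sshd (port 22, 3 hits per 60 s) =="
recent_rules 22 sshtrack 60 3
```

Run it as `sh audit.sh` to see both reports and the generated rules, or feed a real file with `pam_audit < /etc/pam.d/sshd`. The awk matcher keys on the third field, so it works whether the module is written as a bare name or with the full `/lib/security/$ISA/` path the poster's authconfig output uses. The rule generator deliberately puts the `--set` rule before the `--update` rules, as in the thread, so the current connection attempt is counted in the hit total.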