So a Gov't STIG has had me add to /etc/pam.d/password-auth:

auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
account     required      pam_faillock.so

So that it looks like this:

auth        required      pam_env.so
auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_faillock.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

and now IPA users get a permission denied. Local users can still log in.

I'm not even sure where to start . . .

Thanks for any hints and help!

/R

Matthew

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
