http://www.redhatmagazine.com/2007/01/25/how-do-i-lock-out-a-user-after-a-set-number-of-login-attempts/

Version: Red Hat® Enterprise Linux® 3 and 4
The PAM (Pluggable Authentication Module) module pam_tally keeps track
of unsuccessful login attempts and disables a user account when a preset
limit is reached. This is often referred to as account lockout.

To lock out a user after 4 attempts, two entries need to be added to the
/etc/pam.d/system-auth file:

auth        required        /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
account     required        /lib/security/$ISA/pam_tally.so deny=3 no_magic_root reset

The options used above are described below:

    * onerr=fail
If something strange happens, such as the module being unable to open
the tally file, this determines how the module reacts.
    * no_magic_root
This is used to indicate that if the module is invoked by a user with
uid=0, then the counter is incremented. The sys-admin should use this
for daemon-launched services, like telnet/rsh/login.
    * deny=3
The deny=3 option is used to deny access if the tally for this user
exceeds 3.
    * reset
The reset option instructs the module to reset count to 0 on successful
entry.

See below for a complete example of implementing this type of policy:

auth        required      /lib/security/$ISA/pam_env.so
auth        required      /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     required      /lib/security/$ISA/pam_tally.so deny=5 no_magic_root reset
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
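As an added example, not from the article or from Red Hat: a small POSIX shell audit that parses a system-auth stack for the three settings discussed above (an account-phase deny= limit, onerr=fail in the auth phase, and reset). The function names and both sample stacks are constructed for this example; the first sample is the article's complete configuration, the second is a constructed weak stack in which pam_tally counts failures but never denies.

```shell
# Constructed sample: the article's complete example (password/session lines omitted).
SAMPLE_SYSTEM_AUTH='auth        required      /lib/security/$ISA/pam_env.so
auth        required      /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     required      /lib/security/$ISA/pam_tally.so deny=5 no_magic_root reset
session     required      /lib/security/$ISA/pam_unix.so'

# Constructed weak stack: pam_tally only counts in the auth phase, nothing ever denies.
WEAK_SYSTEM_AUTH='auth        required      /lib/security/$ISA/pam_tally.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
account     required      /lib/security/$ISA/pam_unix.so'

# Print the deny= threshold from the account-phase pam_tally line, or "none".
pam_tally_deny_limit() {
    printf '%s\n' "$1" | awk '
        $1 == "account" && $3 ~ /pam_tally\.so$/ {
            for (i = 4; i <= NF; i++)
                if ($i ~ /^deny=[0-9]+$/) { sub(/^deny=/, "", $i); print $i; found = 1 }
        }
        END { if (!found) print "none" }'
}

# Succeed when the pam_tally line of phase $2 (auth/account) carries option $3.
pam_tally_has_option() {
    printf '%s\n' "$1" | awk -v phase="$2" -v want="$3" '
        $1 == phase && $3 ~ /pam_tally\.so$/ { for (i = 4; i <= NF; i++) if ($i == want) ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Print one finding per line for the stack passed as $1.
audit_pam_tally() {
    limit=$(pam_tally_deny_limit "$1")
    if [ "$limit" = none ]; then
        echo "FAIL: no account-phase pam_tally deny= limit, lockout is not enforced"
    else
        echo "OK: accounts lock once the tally exceeds $limit failures"
    fi
    pam_tally_has_option "$1" auth onerr=fail && echo "OK: onerr=fail, a tally file error denies access" ||
        echo "WARN: onerr=fail not set, check how a tally file error is handled"
    pam_tally_has_option "$1" account reset && echo "OK: reset clears the tally on a successful login" ||
        echo "WARN: no reset, legitimate users keep accumulating failures"
}

audit_pam_tally "$SAMPLE_SYSTEM_AUTH"
```

To audit a live system, pass the file contents instead of the sample, for example `audit_pam_tally "$(cat /etc/pam.d/system-auth)"`.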
For more detailed information on the PAM system, please see the
documentation contained under /usr/share/doc/pam-<version>.

For information on how to unlock a user whose failed-login tally has
exceeded the deny limit, see the additional Knowledgebase articles on
unlocking a user account and viewing failed logins with the faillog
command.
