Note: I tested this by logging in as a non-root user from the console.
When I add line:
auth required pam_tally2.so deny=3 onerr=fail
an alert after the third bad login is displayed on the screen stating
that the account is locked due to the maximum number of failed attempts
being reached, but I can still log in.
When I add lines:
auth required pam_tally2.so deny=3 onerr=fail
account required pam_tally2.so
account include system-auth
logins using the correct password make the screen flash and place me
back at a login prompt; incorrect logins cause the normal pause that
occurs during bad attempts before I am brought back to a login prompt.
When I add lines:
auth include system-auth
auth required pam_tally2.so deny=3 onerr=fail
account required pam_nologin.so
account include system-auth
account required pam_tally2.so
the login process, regardless of the password, fails after taking 5
minutes; running 'top' from another tty shows 99% CPU usage until the
login completely fails.
Below is my /etc/pam.d/sys-auth file. It seems like I'm getting closer,
but I'm not sure what else to configure to make it work.
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
auth include system-auth
auth required pam_tally2.so deny=3 onerr=fail
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
account required pam_nologin.so
account include system-auth
account required pam_tally2.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
Steve Grubb wrote:
On Monday 30 July 2007 09:53:52 C. Wilson wrote:
any ideas on how to achieve an automatic logout?
pam_tally2 is the recommended method. This is from the lspp/capp cert config
files for sshd:
auth include system-auth
auth required pam_tally2.so deny=5 onerr=fail
account required pam_nologin.so
account include system-auth
account required pam_tally2.so
<snip>
Hope this helps...
-Steve
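
An added example, not part of the original messages: a small Python check that expands `include` lines in a PAM stack, reports include cycles, and tells whether `pam_tally2.so` is listed after a `sufficient` rule. The two file bodies are constructed samples modelled on the stacks quoted above, and the function names are hypothetical.

```python
import re

# Constructed samples modelled on the thread; assumption: the second file is
# installed under the same name that it includes.
SAMPLE = {
    "login": """\
auth     include   system-auth
auth     required  pam_tally2.so deny=3 onerr=fail
account  required  pam_nologin.so
account  include   system-auth
account  required  pam_tally2.so
""",
    "system-auth": """\
#%PAM-1.0
auth     required    pam_env.so
auth     sufficient  pam_unix.so nullok try_first_pass
auth     required    pam_deny.so
auth     include     system-auth
account  required    pam_unix.so
""",
}

# type, control (plain word or [bracketed actions]), module path
RULE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse(text):
    """Yield (type, control, module) for every rule line, skipping comments."""
    for raw in text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if m:
            yield m.group(1).lstrip("-"), m.group(2), m.group(3)

def flatten(files, name, mtype, chain=()):
    """Expand `include` for one type; return (rules, include_cycles)."""
    if name in chain:                      # this file is already being expanded
        return [], [chain + (name,)]
    rules, cycles = [], []
    for rtype, control, module in parse(files.get(name, "")):
        if rtype == mtype and control == "include":
            sub, cyc = flatten(files, module, mtype, chain + (name,))
            rules, cycles = rules + sub, cycles + cyc
        elif rtype == mtype:
            rules.append((name, control, module))
    return rules, cycles

def after_sufficient(rules, module):
    """True if `module` is listed after a `sufficient` rule in the flat stack."""
    controls = [c for _, c, _ in rules]
    return any(m == module and "sufficient" in controls[:i]
               for i, (_, _, m) in enumerate(rules))
```

When a `sufficient` module succeeds and no earlier `required` module has failed, PAM returns success without evaluating the rest of the stack, so the position reported by `after_sufficient` decides whether the tally check runs on a correct password.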