Monday, February 5, 2007

How to lock out a user after a set number of login attempts?

The PAM (Pluggable Authentication Module) module pam_tally keeps track of unsuccessful login attempts then disables user accounts when a preset limit is reached. This is often referred to as account lockout.

To lock out a user after 4 attempts, two entries need to be added in the /etc/pam.d/system-auth file:

auth        required        /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
account     required        /lib/security/$ISA/pam_tally.so deny=3 no_magic_root reset

The options used above are described below:

  • onerr=fail
    If something strange happens, such as unable to open the file, this determines how the module should react.
  • no_magic_root
    This is used to indicate that if the module is invoked by a user with uid=0, then the counter is incremented. The sys-admin should use this for daemon-launched services, like telnet/rsh/login.
  • deny=3The deny=3 option is used to deny access if tally for this user exceeds 3.
  • reset
    The reset option instructs the module to reset count to 0 on successful entry.

See below for a complete example of implementing this type of policy:

auth        required      /lib/security/$ISA/pam_env.so
auth        required      /lib/security/$ISA/pam_tally.so
onerr=fail no_magic_root auth        sufficient   
/lib/security/$ISA/pam_unix.so likeauth nullok auth        required     
/lib/security/$ISA/pam_deny.so  account     required     
/lib/security/$ISA/pam_unix.so account     required   
/lib/security/$ISA/pam_tally.so deny=5 no_magic_root reset
password    requisite   
/lib/security/$ISA/$ISA/pam_cracklib.so retry=3 password    sufficient   
/lib/security/$ISA/$ISA/pam_unix.so nullok use_authtok md5 shadow password    required     
/lib/security/$ISA/$ISA/pam_deny.so  session     required     
/lib/security/$ISA/$ISA/pam_limits.so session     required    
/lib/security/$ISA/$ISA/pam_unix.so

For more detailed information on the PAM system please see the documentation contained under /usr/share/doc/pam-<version>

For information on how to unlock a user that has expired their deny tally see additional Knowledgebase articles regarding unlocking a user account and seeing failed logins with the faillog command.

Read More

By: Parth Barot @ 11:41 AM  

Categories: , , ,

0 Comments:

Post a Comment

Subscribe to: Post Comments (Atom)