Thursday, October 27, 2005

PAM Bugs?

I can't get pam_tally to work on one of my machines. Paul is having the same issue IMO. So far there hasn't been a reply. Paul, if I find something (third party tool) I will certainly let you know.

Meanwhile I am getting frustrated over trying to do the same thing on RHEL 3 ES.

root at localhost> vi /etc/pam.d/system-auth
auth required /lib/security/pam_tally.so onerr=fail no_magic_root
account required /lib/security/pam_tally.so deny=5 no_magic_root reset

root at localhost> touch /var/log/faillog

root at localhost> pam_tally


I have been trying to get Fedora Core 2 & 3 on a stand-alone Gx260 to lock user accounts when the passwd has been put in wrong 5 times.

root at localhost> vi /etc/pam.d/system-auth
auth required /lib/security/pam_tally.so onerr=fail no_magic_root
account required /lib/security/pam_tally.so deny=5 no_magic_root reset

root at localhost> touch /var/log/faillog

root at localhost> pam_tally

I was able to login as a user and lock my screen and unlock it before pam_tally.so was introduced.
Now that I have the above in and have tried to login 6 times with the wrong passwd, it will not accept the correct passwd.

I looked at the /etc/shadow file and I do not have an "!" in front of the encryption, which, if it were there, would mean I was locked out.

Also I brought up the User & Group GUI and the box is not checked as being a locked account.

I have changed the passwd using passwd as root and in the GUI as root. I still cannot log in as the user.

If I comment out the two pam_tally.so lines in the /etc/pam.d/system-auth file I have no problem logging in as this user.

I have read on a number of Fedora web sites that pam_tally.so has a bug and have not found a fix anywhere.

Is there another 3rd party software that will lock a user account after the default number of tries has been reached?

Thanks in advance.

Paul A. Boland
IT System Engineer Admin-Unix
IAD -Information Assurance Division
General Dynamics C4 Systems
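
An added illustration (not from Paul's post, the PAM project, or any tool on the page) of why the account stays locked: pam_tally keeps its counter in /var/log/faillog, not in /etc/shadow, so passwd and the user GUI never touch it, and once the tally exceeds deny the account check fails before the success-path `reset` can ever zero it. Assumed here is the 32-bit `struct faillog` record layout of pam_tally of that era (24 bytes per uid); the faillog contents are constructed, and the reset is the same thing `pam_tally --user NAME --reset` does on the real file.

```python
import struct

# Assumed on-disk record of /var/log/faillog as read by pam_tally on 32-bit x86:
#   short fail_cnt; short fail_max; char fail_line[12]; time_t fail_time; long fail_locktime;
# 24 bytes, stored at offset uid * 24 (on 64-bit hosts the struct is padded to 32 bytes).
FAILLOG_FMT = "<hh12sil"
FAILLOG_SIZE = struct.calcsize(FAILLOG_FMT)  # 24


def tally(data: bytes, uid: int) -> int:
    """Current failure count for uid; a uid beyond the end of the file has no record (0)."""
    off = uid * FAILLOG_SIZE
    if off + FAILLOG_SIZE > len(data):
        return 0
    return struct.unpack_from(FAILLOG_FMT, data, off)[0]


def denied(data: bytes, uid: int, deny: int = 5) -> bool:
    """pam_tally's account-phase rule: deny when the tally exceeds deny (deny=0 disables).

    This runs before the session succeeds, so the 'reset' option (clear on success)
    never fires once the user is over the limit; only an explicit reset clears it.
    """
    return deny != 0 and tally(data, uid) > deny


def reset_tally(data: bytes, uid: int) -> bytes:
    """Zero fail_cnt for uid and leave the other fields alone (what --reset does)."""
    off = uid * FAILLOG_SIZE
    if off + FAILLOG_SIZE > len(data):
        return data
    buf = bytearray(data)
    struct.pack_into("<h", buf, off, 0)
    return bytes(buf)


def sample_faillog() -> bytes:
    """Constructed faillog: uid 500 has six failures (Paul's six wrong passwords), uid 501 two."""
    recs = bytearray(FAILLOG_SIZE * 502)
    struct.pack_into(FAILLOG_FMT, recs, 500 * FAILLOG_SIZE, 6, 0, b"tty1", 1130400000, 0)
    struct.pack_into(FAILLOG_FMT, recs, 501 * FAILLOG_SIZE, 2, 0, b"pts/0", 1130400100, 0)
    return bytes(recs)


if __name__ == "__main__":
    log = sample_faillog()
    for uid in (500, 501, 600):
        print(uid, tally(log, uid), "DENIED" if denied(log, uid) else "ok")
    print("after reset:", tally(reset_tally(log, 500), 500))
```

Compare the counts this prints against `pam_tally --user NAME` on a real host before assuming /etc/shadow is the problem.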



Linux Managers

Here is another notice of the same issue

About pam_tally and openssh: those options do not work with the current version from portage. Syslog reports with each login:

PAM

The errors I keep getting


pam_tally[9154]: pam_tally: unknown option; deny=2
pam_tally[9154]: pam_tally: unknown option; lock_time=300
pam_tally[9154]: pam_tally: unknown option; unlock_time=600
sshd(pam_unix)[9159]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=mmm.mmm user=root



And obviously the damn deny counter doesn't work.
Time to move on!

More PAM tutorial
