
Thread: Linux-PAM configuration - Lock after invalid login attempts

  1. #1

    Linux-PAM configuration - Lock after invalid login attempts

    Hello everyone

    I am trying to configure PAM in OpenSuSE 11.1 to block access for users
    after 5 invalid access attempts, but the configuration I made is not
    working: after 5 invalid attempts the user is not locked and continues
    logging in normally. My configuration files follow below.

    # /etc/pam.d/common-auth
    auth requerid pam_env.so
    auth optional pam_ssh.so debug
    auth sufficient pam_unix.so nullok try_first_pass
    auth requisite pam_succeed_if.so uid >= 500 quiet
    auth required pam_deny.so
    auth required pam_tally2.so deny=5 magic_root file=/var/log/tallylog
    auth required pam_unix2.so debut

    # /etc/pam.d/common-password
    password required pam_unix2.so debug

    # /etc/pam.d/common-session
    session required pam_limits.so
    session required pam_unix2.so debug
    session optional pam_umask.so
    session optional pam_env.so
    session optional pam_ssh.so debug

    # /etc/pam.d/common-account
    account required pam_unix2.so debug

    Could someone explain to me how to block a user with PAM, so that the
    user could, theoretically, be released by root after being blocked?

    Very grateful.

  2. #2
    Join Date
    Jun 2008
    Location
    Earth - Denmark
    Posts
    10,730

    Re: Linux-PAM configuration - Lock after invalid login attempts

    On 10/07/2011 03:16 PM, ajmoreti wrote:
    >
    > I am trying to configure PAM in OpenSuSE 11.1


    -=welcome=- new poster, but openSUSE 11.1 is past its end of life (see
    http://en.opensuse.org/Lifetime)...so, perhaps you have SUSE Linux
    Enterprise which _is_ still supported?

    please show us the terminal output from

    Code:
    cat /etc/issue
    --
    DD
    openSUSE®, the "German Automobiles" of operating systems

  3. #3

    Re: Linux-PAM configuration - Lock after invalid login attempts

    Hi, my OpenSuSE is not SLES, it is OpenSuSE 11.1, already installed on my server for some time.

    My issue file is modified, personalized, and so is my motd.

    I have been trying to solve this problem for 15 days already.

  4. #4
    Join Date
    Jun 2008
    Location
    Earth - Denmark
    Posts
    10,730

    Re: Linux-PAM configuration - Lock after invalid login attempts

    >
    > I'm already trying to solve this problem already 15 days,


    as said openSUSE 11.1 is past its end of life, however there is a best
    effort project to keep it alive....via the project named Evergreen..

    you can use the Evergreen repos to get the vital security updates needed
    to keep your 11.1 safe....and, there is a project mailing list, but i
    don't know if they can give the kind of help you are seeking...

    i know i can't help, perhaps a 11.1/PAM guru will come by and know what
    the problem is--we can both hope so,....in the mean time you might have
    a look at what is available via Evergreen....i mean, _maybe_ you are
    fighting against a known problem which was patched just 14 days
    ago...have you checked bugzilla??

    check Evergreen here: http://tinyurl.com/4aflkpy
    there you will find a link to the mail list..

    and, check back here too...a guru might come through any second!

    --
    DD
    openSUSE®, the "German Automobiles" of operating systems

  5. #5
    Join Date
    Jan 2009
    Location
    43.009 N, 73.172 W
    Posts
    189

    Re: Linux-PAM configuration - Lock after invalid login attempts

    I always hated working with PAM modules, but with patience you'll get it working. It appears you left out the line in the account section. Follow this guide
    Box: Home Built | Intel Core2 @2.4 GHz | 6 GB | OpenSUSE 11.4| KDE 4.6.0 r6| nVidia GeForce 7300 GT

  6. #6

    Re: Linux-PAM configuration - Lock after invalid login attempts

    I followed the tips of the guide that I sent; however, it did not work, and I am still having the problem.

  7. #7
    Join Date
    Jan 2009
    Location
    43.009 N, 73.172 W
    Posts
    189

    Re: Linux-PAM configuration - Lock after invalid login attempts

    You may need to reboot for the config file to be read correctly. One reason I disliked PAM is that the order of the entries in the config file must be correct, and any slight deviation will result in errors and it just won't work. Change the order of your directives in the config file and keep trying. Check the syslog for hints as to what the problem might be. Keep syslog file open in one terminal and try logging in in another terminal to see what is going on.

    Paste your changes to the pam config here.

    You also should take the advice to upgrade to a newer version of OpenSuse.
    Box: Home Built | Intel Core2 @2.4 GHz | 6 GB | OpenSUSE 11.4| KDE 4.6.0 r6| nVidia GeForce 7300 GT

  8. #8

    Re: Linux-PAM configuration - Lock after invalid login attempts

    Understood.

    I have already been following along in the terminal with the command tail -f /var/log/messages;
    however, it is not returning errors.

    My configuration files follow:

    # common-account
    account required pam_unix.so
    account required pam_unix2.so debug
    account required pam_succeed_if.so uid < 1000 quiet
    account required pam_permit.so

    # common-auth
    auth required pam_env.so
    auth sufficient pam_unix.so nullok try_first_pass
    auth requisite pam_succeed_if.so uid>= 1000
    auth required pam_deny.so
    auth optional pam_ssh.so debug
    auth required pam_unix2.so debug

    # common-password
    password requiste pam_cracklib.so debug try_first_pass retry=3 difok=0 minlen=6 dcredit=1 ucredit=1 lcredit=1 ocredit=0
    password required pam_unix2.so use_authtok debug
    password sufficient pam_unix.so md5 shadow nullok try_first_pass
    password required pam_deny.so

    # common-session
    session required pam_limits.so
    session required pam_unix2.so debug
    session optional pam_umask.so
    session optional pam_env.so
    session optional pam_ssh.so debug
    session optional pam_keyinti.so revoke
    session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session required pam_unix.so

  9. #9
    Join Date
    Jan 2009
    Location
    43.009 N, 73.172 W
    Posts
    189

    Re: Linux-PAM configuration - Lock after invalid login attempts

    Are you sure that's the latest config file? The original one you posted had a line for pam_tally2, this one does not have any lines for pam_tally2.

    Also, the common-account section should be at the bottom. Are you paying any attention at all? You should have two lines with pam_tally2. I don't know what else I can do to help you, unless you want me to write out the entire file for you? And that I will not do.

    I'm done.
    Box: Home Built | Intel Core2 @2.4 GHz | 6 GB | OpenSUSE 11.4| KDE 4.6.0 r6| nVidia GeForce 7300 GT
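
The ordering and "two pam_tally2 lines" points raised above can be checked mechanically. The following is an added example, not part of any post in the thread: `POSTED` reproduces the auth and account lines from post #1, `FIXED` is a constructed layout (an assumption, not tested on openSUSE 11.1), and the function names are hypothetical.

```python
import re

# Control keywords Linux-PAM accepts; the bracketed [value=action] form is also valid.
VALID_CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}
LINE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

# auth/account lines from post #1 (wrapped tallylog path joined), used as sample input.
POSTED = """\
auth requerid pam_env.so
auth optional pam_ssh.so debug
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
auth required pam_tally2.so deny=5 magic_root file=/var/log/tallylog
auth required pam_unix2.so debut
account required pam_unix2.so debug
"""

# Constructed layout (assumption): tally runs before the password module, plus an account line.
FIXED = """\
auth required pam_env.so
auth required pam_tally2.so deny=5 magic_root file=/var/log/tallylog
auth required pam_unix2.so
account required pam_tally2.so
account required pam_unix2.so
"""

def parse_stack(text):
    # Strip comments, keep (type, control, module) for each rule line.
    matches = (LINE.match(l.split("#", 1)[0].strip()) for l in text.splitlines())
    return [m.groups() for m in matches if m]

def check_lockout(text):
    """Return findings that would keep pam_tally2 from locking an account."""
    entries, findings = parse_stack(text), []
    for typ, control, module in entries:
        if control[0] != "[" and control not in VALID_CONTROLS:
            findings.append(f"{typ}: unknown control '{control}' on {module}")
    auth = [e for e in entries if e[0] == "auth"]
    tally = [i for i, e in enumerate(auth) if e[2] == "pam_tally2.so"]
    if not tally:
        findings.append("auth: no pam_tally2.so line, failures are never counted")
    for _, control, module in (auth[:tally[0]] if tally else []):
        if control == "sufficient":
            findings.append(f"auth: {module} is 'sufficient' before pam_tally2.so, so a "
                            "correct password can end the stack before the deny check")
    if not any(e[0] == "account" and e[2] == "pam_tally2.so" for e in entries):
        findings.append("account: no pam_tally2.so line")
    return findings
```

Running `check_lockout(POSTED)` reports the misspelled control keyword, the `sufficient` password module placed ahead of the tally check, and the missing account line; arguments such as `debut` are not validated.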

  10. #10

    Re: Linux-PAM configuration - Lock after invalid login attempts

    Yes, the last file is my setup, I apologize for not explaining better.

    Indeed, the first file I posted had pam_tally2, but as I am setting up the cracklib module, this module just removes the line with pam_tally2. I need to set the minimum password length, as well as special characters and numbers. When I used the pam-config command to add the cracklib module, the system returned a warning that pam_tally2 conflicts with cracklib and oust the.

    I apologize for my English.
    I'm having difficulties understanding PAM, and the documents I have found are not helping me much.
    But I will not give up.
    I am very grateful for the help.
