pam_tally and the faillog

Hello dear Suse-community.

Currently I am supposed to create a basic configuration for a SLES11 system. I originally used OpenSuse 11.3 for testing, but I had to start to configure the actual system as well. So I downloaded SLES11 as a test version and started to configure both systems.

The problem right now is the following: I am completely unable to set up PAM to lock a user account after 5 failed logins. I’ve already searched the “whole” web for the last 4 days, but without success.

If I put the example of the pam_tally manpage into /etc/pam.d/login and set it up via faillog -u user -m 5, then it won’t do anything.
If I just put auth required pam_tally2.so deny=5 into /etc/pam.d/common-auth, then it will lock the account, but it neither will let me unlock it nor show me something with faillog -a.

The last thing I tried is inserting auth required pam_tally2.so deny=5 onerr=fail per_user no_lock_time and account required pam_tally2.so in /etc/pam.d/login
Again nothing.

I’ve most certainly tried many other ways which I already forgot about.

I really hope that the whole problem is just a little error I just don’t see.

reg

Victor

On 03/22/2011 03:06 PM, Victor Van Doom wrote:
>
> Currently I am supposed to create a basic-configuration for a SLES11
> system. I originally used OpenSuse 11.3 for testing, but I had to start
> to configure the actual system as well. So I downloaded SLES11 as
> test-version and started to configure both systems.

you are welcome to seek advice here, but BE ADVISED that many of the
answers might be from folks who have never run SLES (or maybe never
even heard of it before) and you are likely much better off if you
seek assistance from the Novell forums, via: http://forums.novell.com

and, though the two products are related, they are NOT the same…most
folks here are using openSUSE 11.3 or 11.4, and SLES11 is based on the
openSUSE 11.0 version and then updated…so, there are many
differences…and, many similarities but you can’t (for example) set
up 11.3 exactly like you want it and then expect to be able to follow
the same steps to have SLES11 as you wish…

in my opinion: best to ask here about openSUSE and forums.novell.com
about SLES…


DenverD
CAVEAT: http://is.gd/bpoMD
[NNTP posted w/openSUSE 11.3, KDE4.5.5, Thunderbird3.1.8, nVidia
173.14.28 3D, Athlon 64 3000+]
“It is far easier to read, understand and follow the instructions than
to undo the problems caused by not.” DD 23 Jan 11

@DenverD
Thank you for this advice, I will keep this in mind for the next time :-). In that case it doesn’t really make a difference, because the config can be applied to both (except a little difference in the syslog-daemon, which is syslog-ng there). Frankly I believe that if I can manage to get the pam running in OS11.3 then I might figure out the problem in SLES11.

On 03/23/2011 09:06 AM, Victor Van Doom wrote:
>
> I believe, that if I can manage to get the pam running in OS11.3
> then I might figure out the problem in SLES11.

i’m afraid i’m not much help, but maybe there is something in one of
these that will get you going in the right direction (while waiting a
real pam guru to happen by):

“Authentication with PAM”
http://doc.opensuse.org/products/opensuse/openSUSE/opensuse-security/cha.pam.html
(note: i’ve not looked at the man, and don’t know if this is more or
less useful…i just guess it might be…for example, it seems you
are doing all the setups directly/manually and i didn’t see you write
anything about trying the pam-config tool and it didn’t work for you)

other documentation in /usr/share/doc/packages/pam

and, other potential ideas here:
http://tinyurl.com/47kenqu
http://www.google.com/search?q=site%3Aopensuse.org+pam+setup

hopefully the real guru comes soon, or the solution appears in reading
(a possibility i can not promise will happen)

oh, and don’t forget: i would guess a real guru is in the SLES
forum, and willing to help during your trial period…


DenverD

I’ve got the idea to use pam-config as well, but unfortunately it does not support the pam_tally.so or pam_tally2.so module :frowning:

Little addition: I’ve now tried another approach to track down the problem in OS11.3 and SLES11 alike. I inserted the following lines into /etc/pam.d/login:

auth required pam_tally2.so onerr=fail no_magic_root
account required pam_tally2.so per_user deny=3 no_magic_root reset

After that, I activated the pam debug-tool. Or at least I tried. pam-config --add --login-debug should activate debugging, but it doesn’t seem to know the command (in reference to the opensuse doc link above). Then I added pam_debug via touch to /etc. But it “ain’t logging nothing”. :frowning:

On 03/23/2011 03:06 PM, Victor Van Doom wrote:
> but it doesn’t
> seem to know the command (in reference to the opensuse doc link above).

hmmmmm…maybe the doc i grabbed in haste is built for 11.4, i do not
know for sure…

or, perhaps your path is messed up, or your system is missing
pam-config (it is available via YaST), or maybe you were not root in
your terminal prior to calling pam-config…my 11.3 knows the command
when root calls it so i can’t imagine why yours can’t…

see if you can track that down…


DenverD

Ok, at least I’ve solved the problem with pam-config. It really was a messed up link :rolleyes: .

pam-config is working now, but still no module for pam_tally or debug.
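
An added example, not part of any post in this thread: a small linter for the pam_tally2 lines quoted above. It assumes the default counter files and option names given in the Linux-PAM pam_tally(8) and pam_tally2(8) man pages; the function and variable names are hypothetical.

```python
import os
import re

# Assumption: default counter files and option names are taken from the
# Linux-PAM pam_tally(8) and pam_tally2(8) man pages; check the installed
# version's man page, since older releases accept different options.
COUNTERS = {
    "pam_tally.so": ("/var/log/faillog", "faillog"),
    "pam_tally2.so": ("/var/log/tallylog", "pam_tally2"),
}
GLOBAL_OPTS = {"onerr", "file", "audit", "silent", "no_log_info"}
TALLY2_OPTS = {
    "auth": GLOBAL_OPTS | {"deny", "lock_time", "unlock_time", "magic_root",
                           "no_lock_time", "even_deny_root",
                           "root_unlock_time", "serialize"},
    "account": GLOBAL_OPTS | {"magic_root"},
}
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def lint_stack(text):
    """Report counter files, unrecognised pam_tally2 options, and whether
    any auth line sets deny= (the phase in which the limit is enforced)."""
    report = {"counters": {}, "unknown": [], "auth_deny": False}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        ptype, _control, module, args = m.groups()
        ptype = ptype.lstrip("-")
        module = os.path.basename(module)
        if module not in COUNTERS:
            continue
        # Which file holds the counts and which tool reads or resets them.
        report["counters"][module] = COUNTERS[module]
        names = [a.split("=", 1)[0] for a in args.split()]
        if ptype == "auth" and "deny" in names:
            report["auth_deny"] = True
        if module == "pam_tally2.so":
            allowed = TALLY2_OPTS.get(ptype, GLOBAL_OPTS)
            report["unknown"] += [(ptype, n) for n in names if n not in allowed]
    return report


# Constructed input: the two lines quoted in the thread for /etc/pam.d/login.
SAMPLE = """\
auth required pam_tally2.so onerr=fail no_magic_root
account required pam_tally2.so per_user deny=3 no_magic_root reset
"""

if __name__ == "__main__":
    print(lint_stack(SAMPLE))
```

The `counters` entry shows that pam_tally2 keeps its counts in /var/log/tallylog, which is read and reset with the `pam_tally2` command (`pam_tally2 --user NAME --reset`) rather than with `faillog`.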