From: Michael Folsom (mwfolsom_at_gmail.com)
Date: Tue May 22 2007 - 00:33:44 CEST
Message-ID: <ea5f6c090705211533o7b23b3a4tdbd5566a085233dc@mail.gmail.com>
Date: Mon, 21 May 2007 16:33:44 -0600
From: "Michael Folsom" <mwfolsom@gmail.com>
Subject: Re: [suse-sles-e] fun with pam_tally on SLES10 x86-64 SP1rc2
Marcus:
Thanks for the help......
To really make blacklisting on SLES10 work - i.e. lock both ssh and
the console after 5 login attempts, here's what I did -
set the max number to 5 with "faillog -m 5", then edit the following 3 files:
-----------------------------------------------/etc/pam.d/sshd
#%PAM-1.0
#
#
auth required pam_tally.so onerr=fail deny=5
#
auth include common-auth
auth required pam_nologin.so
#
account include common-account
#
account required pam_tally.so onerr=fail deny=5
#
password include common-password
session include common-session
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README)
#session optional pam_resmgr.so fake_ttyname
-------------------------------------------------/etc/pam.d/gnome-passwd
#%PAM-1.0
#
auth required pam_tally.so onerr=fail deny=5
#
auth include common-auth
account include common-account
#
account required pam_tally.so onerr=fail deny=5
#
password include common-password
session include common-session
------------------------------------------------/etc/pam.d/gdm
#%PAM-1.0
#
auth required pam_tally.so onerr=fail deny=5
#
auth include common-auth
account include common-account
#
account required pam_tally.so onerr=fail deny=5
#
password include common-password
session include common-session
session required pam_devperm.so
session required pam_resmgr.so
===============================
Thanks again for the help -
Michael
On 5/21/07, Marcus Meissner <meissner@suse.de> wrote:
> On Fri, May 18, 2007 at 04:15:11PM -0600, Michael Folsom wrote:
> > Folks:
> >
> > Trying to get pam_tally working on a SLES10 x86-64 SP1 rc2 box.
> >
> > I need to set it up so that blacklisting occurs - ultimately, if
> > someone tries to login and fails 5 times in a row, either at the
> > console or via ssh, I want the account to be locked. It doesn't have
> > to automagically unlock - it just needs to lock the account.
> >
> > After a good bit of reading and exploring in pam land I edited
> > /etc/pam.d/sshd & /etc/pam.d/login to each include 2 pam_tally.so
> > lines (see files below).
> >
> > The problem is that using faillog I can see that while
> > /var/log/messages records up to a dozen sequential fail login attempts
> > the counter on faillog never increments:
> >
> > sperg:/home/mwfolsom # faillog
> > Login Failures Maximum Latest On
> > mwfolsom 0 3 05/18/07 15:47:26 -0600 ariel.mwfol
> >
> > Please note:
> > - deny=3 is set at 3 for testing purposes
> >
> > - the moment I login with the correct password faillog returns nothing
> > so somehow the fact that a failed login attempt has occurred is
> > recorded - the counter just doesn't seem to ever increment.
> >
> > - /var/log/faillog exists
> >
> > - maximum attempts were set with "faillog -m 3"
> >
> > Any ideas will be appreciated!
> >
> >
> >
> > Michael
> >
> > ........./etc/pam.d/sshd..............................
> > #%PAM-1.0
> > #
> > auth include common-auth
> > auth required pam_nologin.so
> > #
> > auth required pam_tally.so onerr=fail deny=3 per_user magic_root no_reset
>
> The pam_tally line needs to be before "include common-auth", I think.
>
> I tested with ssh and it works for me with "onerr=fail deny=3" options.
>
> Please check /var/log/messages for PAM syslog entries.
>
> Ciao, Marcus
>
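The fix in this thread comes down to two things in each /etc/pam.d service file: the "auth ... pam_tally.so" line has to sit before "auth include common-auth" (Marcus's point), and an "account ... pam_tally.so" line has to be present so the counter is reset after a successful login. The script below is an added example, not something posted in the thread or shipped with SLES: a small POSIX sh/awk audit that checks both conditions in a PAM service file. The two sample files it builds are constructed from the non-working sshd file in the original question and the working one in the reply; the function names and the temporary directory are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit a PAM service file for the two
# pam_tally ordering/presence rules discussed above.

# check_pam_tally FILE
#   returns 0 when the file has an "auth ... pam_tally.so" line that precedes
#   every "auth include ..." line AND an "account ... pam_tally.so" line;
#   returns 1 otherwise and prints what is wrong.
check_pam_tally() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # skip comments and blanks
        # an "auth include" seen before any auth pam_tally line is the bug
        $1 == "auth" && $2 == "include" && !seen_auth  { early_include = 1 }
        $1 == "auth"    && $3 == "pam_tally.so"        { seen_auth = 1 }
        $1 == "account" && $3 == "pam_tally.so"        { seen_acct = 1 }
        END {
            if (!seen_auth)
                print "no \"auth ... pam_tally.so\" line: failures are never counted"
            else if (early_include)
                print "auth pam_tally.so comes after an \"auth include\" line"
            if (!seen_acct)
                print "no \"account ... pam_tally.so\" line: count is never reset on success"
            if (seen_auth && !early_include && seen_acct) exit 0
            exit 1
        }' "$1"
}

# Constructed sample files (temporary directory is an assumption of this example).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Modelled on the original, non-working sshd file quoted in the question:
# pam_tally is listed after common-auth.
cat > "$SAMPLE_DIR/sshd.before" <<'EOF'
#%PAM-1.0
auth include common-auth
auth required pam_nologin.so
auth required pam_tally.so onerr=fail deny=3 per_user magic_root no_reset
account include common-account
password include common-password
session include common-session
EOF

# Modelled on the working sshd file posted in the reply.
cat > "$SAMPLE_DIR/sshd.after" <<'EOF'
#%PAM-1.0
auth required pam_tally.so onerr=fail deny=5
auth include common-auth
auth required pam_nologin.so
account include common-account
account required pam_tally.so onerr=fail deny=5
password include common-password
session include common-session
EOF

# audit_file FILE: print a one-line verdict, pass the check's status through.
audit_file() {
    if check_pam_tally "$1"; then
        printf 'OK   %s\n' "$1"
        return 0
    fi
    printf 'FAIL %s\n' "$1"
    return 1
}

# Stand-alone run: expect FAIL for sshd.before and OK for sshd.after.
audit_file "$SAMPLE_DIR/sshd.before" || true
audit_file "$SAMPLE_DIR/sshd.after"  || true
```

To audit a real host, point audit_file at the files actually edited in this thread (/etc/pam.d/sshd, gdm, gnome-passwd, and login) instead of the constructed samples. The check only looks at line order and presence; it does not verify the deny= value, which still has to match the limit set with faillog -m.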
This archive was generated by hypermail 2.1.7 : Tue May 22 2007 - 02:37:30 CEST