pam tally and faillog questions
Chris Stankaitis
chris at beowulf.net
Fri Apr 16 19:01:23 UTC 2004
Hi All,
I posted this to the RH PAM list in January, since then I have not seen
a SINGLE message to that list so I must assume it's dead. I am going to
re-ask here in the hopes that we have some pam gurus around.
I was able to get pam_tally.so working but there are a couple of loose
ends I need help tying up:
1) pam.d/xscreensaver - this only calls the AUTH section of system-auth
not the account section so my pam_tally counts, but because there is no
account section to take care of the reset on a good login xscreensaver
will never lock the account, but what it will do is create a situation
where you lock your ability to login through SSH/Shell etc as each time
you use xscreensaver it ups your tally but never resets it...
My workaround was to just copy the auth section of system-auth to
pam.d/xscreensaver, remove the tally stuff and bypass pam_tally
altogether for the screensaver.. I tried seeing if I could get
xscreensaver to use an account required line but it didn't seem to want
to take that.
Is there a better workaround than what I have done? Is there a proper
way to get these two to play well together?
2) is there a way to get pam_tally/faillog to unlock an account after XX
mins... I have hacked together a bash script to do this but I would
prefer to use native capabilities if they exist
3) This is my big problem... I have set tally to deny after X attempts..
and it works... kinda... it seems like faillog or something is ignoring
the deny= line in my pam account section.. when I first do a faillog
after turning on the tally I get the normal output however it doesn't
seem to catch the deny and populate that to the Maximum... so if my deny
is set to 4 when I first do a faillog the Maximum is set to 0, I
manually do a faillog -m 4 and that fixes the problem for all the
current users on the box however when users are added to the box their
maximum is zero.
Why isn't faillog reading the deny=X from my account requires line and
setting the maximum based on that?
For new users, is there a login.defs value required to set the maximum on
account creation?
For reference, here are the relevant tally lines of my system-auth file.
I am running RHEL 3 and FC1.
auth required /lib/security/$ISA/pam_env.so
auth required /lib/security/$ISA/pam_tally.so no_magic_root onerr=fail
auth sufficient /lib/security/$ISA/pam_unix.so likeauth
auth required /lib/security/$ISA/pam_warn.so
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account required /lib/security/$ISA/pam_tally.so no_magic_root deny=6 reset
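The first problem in the post (a service that runs only the auth stack, so pam_tally counts failures but the account-phase reset never runs) is easy to catch with a static check over the pam.d files. The following checker is an added example and is not code from the post, from Red Hat or from Linux-PAM. It assumes the RHEL-era pam_stack.so "service=NAME" include mechanism (an include pulls in only the lines of the named file that belong to the same stack), and the service file contents, the function names (parse_pam, resolve, check_tally, deny_threshold, audit) and the "sshd" and "xscreensaver" entries are constructed for illustration.

```python
"""Lint PAM service stacks for pam_tally count/reset mismatches.

Constructed example: flags services whose auth stack bumps the pam_tally
counter while no account stack carries the 'reset', and reports the
deny= threshold each service actually ends up with.
"""
from dataclasses import dataclass


@dataclass
class PamLine:
    stack: str      # auth / account / password / session
    control: str    # required / sufficient / ...
    module: str     # module basename, e.g. pam_tally.so
    args: dict      # key=value arguments; bare flags map to True


# Constructed file contents modelled on the system-auth lines in the post.
SYSTEM_AUTH = """
auth required /lib/security/$ISA/pam_env.so
auth required /lib/security/$ISA/pam_tally.so no_magic_root onerr=fail
auth sufficient /lib/security/$ISA/pam_unix.so likeauth
auth required /lib/security/$ISA/pam_warn.so
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account required /lib/security/$ISA/pam_tally.so no_magic_root deny=6 reset
"""

# Constructed pam.d entries: xscreensaver includes only the auth stack,
# sshd includes both auth and account (assumed pam_stack.so layout).
FILES = {
    "system-auth": SYSTEM_AUTH,
    "xscreensaver": "auth required /lib/security/$ISA/pam_stack.so service=system-auth\n",
    "sshd": ("auth required /lib/security/$ISA/pam_stack.so service=system-auth\n"
             "account required /lib/security/$ISA/pam_stack.so service=system-auth\n"),
}


def parse_pam(text):
    """Parse 'stack control module [args...]' lines; comments/blank lines are skipped."""
    lines = []
    for raw in text.splitlines():
        raw = raw.split("#", 1)[0].strip()
        parts = raw.split()
        if len(parts) < 3:
            continue
        stack, control, modpath, *rest = parts
        args = {}
        for arg in rest:
            key, sep, value = arg.partition("=")
            args[key] = value if sep else True
        lines.append(PamLine(stack, control, modpath.rsplit("/", 1)[-1], args))
    return lines


def resolve(service, files, depth=0):
    """Expand pam_stack.so service=NAME includes.

    Only lines of the included file that belong to the same stack as the
    including line are pulled in, which is why a file with only 'auth'
    lines never sees the account-phase pam_tally reset.
    """
    if depth > 5:
        raise ValueError("pam_stack include loop")
    out = []
    for line in parse_pam(files[service]):
        if line.module == "pam_stack.so" and "service" in line.args:
            included = resolve(line.args["service"], files, depth + 1)
            out.extend(x for x in included if x.stack == line.stack)
        else:
            out.append(line)
    return out


def check_tally(lines):
    """Return a list of findings; an empty list means the stacks agree."""
    auth_tally = [l for l in lines if l.stack == "auth" and l.module == "pam_tally.so"]
    acct_tally = [l for l in lines if l.stack == "account" and l.module == "pam_tally.so"]
    findings = []
    if auth_tally and not acct_tally:
        findings.append("pam_tally counts failures in 'auth' but no 'account' line resets "
                        "the count; every use of this service raises the tally and can "
                        "lock the user out of other services")
    for line in acct_tally:
        if "reset" not in line.args:
            findings.append("account pam_tally line lacks 'reset'; good logins never clear the count")
        if "deny" not in line.args:
            findings.append("account pam_tally line has no deny=N; no lockout threshold is enforced")
    return findings


def deny_threshold(lines):
    """deny=N from the account-stack pam_tally line, or None if absent."""
    for line in lines:
        if line.stack == "account" and line.module == "pam_tally.so" and "deny" in line.args:
            return int(line.args["deny"])
    return None


def audit(files):
    """Map every service name (except the shared include) to its findings."""
    return {svc: check_tally(resolve(svc, files)) for svc in files if svc != "system-auth"}


if __name__ == "__main__":
    for svc, findings in audit(FILES).items():
        print(svc, "deny=", deny_threshold(resolve(svc, FILES)), findings or "OK")
```

Running it on the constructed files reports xscreensaver as the service that increments the tally without ever resetting it, and sshd as consistent with a threshold of 6. Pointing the same resolver at real pam.d contents (one dict entry per file) shows which services share a tally-bumping auth stack without the matching account line.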