[Freeipa-users] Can't login with on client after password-auth modification
Matthew Carter
redbranchwarrior at gmail.com
Tue Oct 25 19:16:52 UTC 2016
So a Gov't STIG has had me add to /etc/pam.d/password-auth:
auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
account required pam_faillock.so
So that it looks like this:
auth required pam_env.so
auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_faillock.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
and now IPA users get a permission denied. Local users can still log in.
I'm not even sure where to start . . .
Thanks for any hints and help!
/R
Matthew