[Freeipa-users] Can't login with on client after password-auth modification
Alexander Bokovoy
abokovoy at redhat.com
Tue Oct 25 19:34:52 UTC 2016
On ti, 25 loka 2016, Matthew Carter wrote:
>So a Gov't STIG has had me add to /etc/pam.d/password-auth:
>
>auth required pam_faillock.so preauth silent deny=3 unlock_time=604800
>fail_interval=900
>auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800
>fail_interval=900
>account required pam_faillock.so
>
>So that it looks like this:
>
>auth required pam_env.so
>auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900
>auth sufficient pam_unix.so nullok try_first_pass
>auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
>auth requisite pam_succeed_if.so uid >= 500 quiet
>auth required pam_deny.so
>
>account required pam_faillock.so
>account required pam_unix.so
>account sufficient pam_localuser.so
>account sufficient pam_succeed_if.so uid < 500 quiet
>account required pam_permit.so
>
>and now IPA users get a permission denied. Local users can still log in.
>
>I'm not even sure where to start . . .
You don't have pam_sss.so anywhere so any IPA password check could not
be done, only pam_unix.so which checks /etc/passwd or /etc/shadow.
Then you'd need to wrap pam_sss use in 'auth' with pam_faillock.so too:
pam_faillock.so preauth
pam_sss.so ....
pam_faillock.so authfail
--
/ Alexander Bokovoy
More information about the Freeipa-users
mailing list