Password expiration and pam_tally questions

I did a search in the egroups pam-list archives for password
expiration. It appears that it is possible to force users to change their
passwords when they expire, but it didn't say two things:
1) What lines to add/modify in what pam files to force to change their
2) What lines to modify in what files to set the duration a password can
be used before it expires.

I am having problems with pam_tally not working for ssh, ftp, telnet. I am
using pam-0.72 on RedHat 6.2, telnet-server-0.16-6.rpm,
openssh-server-2.1.1p2, and proftpd-1.2.0. I know openssh and proftpd are
compiled with pam support; the RedHat telnet server I don't know, although
it claims to run /bin/login by default.

The only thing it appears to work with is login, although I modified the
sshd and ftp files the same as login below:
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_tally.so
auth       required     /lib/security/pam_pwdb.so shadow nullok
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_tally.so deny=5 reset
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so nullok use_authtok md5
session    required     /lib/security/pam_pwdb.so
session    optional     /lib/security/pam_console.so

So if telnetd runs /bin/login, how come if I run /bin/login as a user the
tally function works, but if I login via telnet it doesn't? Also, is
there some kind of sshd bug I don't know about, and what about ftp?
What should the permissions be on /var/log/faillog and what user:group
should own it?


Running on Linux 2.4
Michael A. Dietz
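
An added example, not part of the original post: a small audit that parses PAM service files and reports where a stack differs from the login file quoted above with respect to pam_tally.so (present in both the auth and account phases, with a deny= threshold). LOGIN_STACK is copied from the post; SSHD_STACK and the function names are constructed for illustration.

```python
# Added example: audit PAM service stacks for pam_tally coverage.
LOGIN_STACK = """\
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_tally.so
auth       required     /lib/security/pam_pwdb.so shadow nullok
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_tally.so deny=5 reset
account    required     /lib/security/pam_pwdb.so
"""
# Constructed for illustration (not from the post): the account-phase line is missing.
SSHD_STACK = """\
# hypothetical /etc/pam.d/sshd
auth       required     /lib/security/pam_tally.so
auth       required     /lib/security/pam_pwdb.so shadow nullok
account    required     /lib/security/pam_pwdb.so
"""

def parse_stack(text):
    """Parse a pam.d service file into (type, control, module, args) tuples.
    Handles comments, blank lines and backslash continuations; assumes
    single-word control flags such as 'required', as in the post."""
    entries = []
    for line in text.replace("\\\n", " ").splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            mtype, control, module, *args = fields
            entries.append((mtype, control, module.rsplit("/", 1)[-1], args))
    return entries

def tally_gaps(text):
    """Return a list of problems with pam_tally.so usage in one stack."""
    seen = {"auth": False, "account": False}
    deny = None
    for mtype, _control, module, args in parse_stack(text):
        if module == "pam_tally.so" and mtype in seen:
            seen[mtype] = True
            for arg in args:
                if arg.startswith("deny="):
                    deny = int(arg.split("=", 1)[1])
    problems = [f"no pam_tally.so in {t} stack" for t, ok in seen.items() if not ok]
    if deny is None:
        problems.append("no deny= threshold set")
    return problems

def audit(services):
    """Map each service name to its list of pam_tally problems."""
    return {name: tally_gaps(text) for name, text in services.items()}

if __name__ == "__main__":
    for name, problems in audit({"login": LOGIN_STACK, "sshd": SSHD_STACK}).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

To use it on a real host, pass the contents of each file under /etc/pam.d to audit() in place of the embedded strings.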

