Getting Started
Jason Gerfen
jason.gerfen at scl.utah.edu
Thu Sep 23 18:20:10 UTC 2004
Always reply to ALL...
Also, is the below a typo?
Terry Orgill wrote:
>I may not have a clue about PAM, but it would seem that for the functions I
>need, the files I need to modify in pam.d are login and passwd. I have no
>need for the functionality in ftp, etc. What I have currently in login:
>
>auth required /lib/security/pam_securetty.so
>auth required /lib/security/pam_nologin
>auth required /lib/security/pam_tally.so deny=3 reset
>auth required /lib/security/pam_stack.so service=system-auth
>
>
service=system.auth? Should be system-auth, correct?
>account required /lib/security/pam_stack.so service=system.auth
>account required /lib/security/pam_tally.so deny=3 reset
>password required /lib/security/pam_stack.so service=system-auth
>password required /lib/security/pam_tally.so deny=3 reset
>session required /lib/security/pam_stack.so service=system-auth
>session required /lib/security/pam_console.so
>
>I may be out in left field with this. The one thing it seemed obvious I
>needed was pam_tally.so deny=3 reset. Everything else was a mixture of
>whatever was already in there and experimentation. With the above
>configuration I can make 4 attempts before it disconnects the telnet
>session, but then I can go right back in, use the correct password and get
>in.
>
>passwd:
>
>auth required /lib/security/pam_pwdb.so shadow nullok
>account required /lib/security/pam_pwdb.so
>password required /lib/security/pam_cracklib.so minlen=6 retry=3
>password required /lib/security/pam_pwdb.so use_authtok nullok md5 shadow
>
>
>
The minlen=6 should work like you need; however, you are stating that
after less than a minute or 3 bad attempts you may still log in, correct?
>This configuration does hold me to a minimum of 6 characters, but I can
>reuse passwords.
>----- Original Message -----
>From: "Jason Gerfen" <jason.gerfen at scl.utah.edu>
>To: "Terry Orgill" <terry at stribus.com>; "Pluggable Authentication Modules"
><pam-list at redhat.com>
>Sent: Thursday, September 23, 2004 10:32 AM
>Subject: Re: Getting Started
>
>
>
>
>>Terry Orgill wrote:
>>
>>
>>
>>>I am urgently trying to get PAM working for a customer (RH 7.1, PAM
>>>0.77) that is about to undergo a security audit. I need password
>>>expiration, minimum password length, no reuse of passwords, lockout of
>>>users after three unsuccessful attempts to login, one session only for
>>>users. I have the one session part working
>>>(/etc/security/limits.conf), but nothing else will. I am using
>>>pam_cracklib.so, pam_pwdb.so for the password part. I am using
>>>pam_tally.so for the login part. It just ignores me. I did manage to
>>>get a user locked out by substituting pam.conf for pam.d, but then I
>>>could not get the user unlocked. If I run pam_tally --user<username>
>>>it always returns a 0 for unsuccessful attempts no matter how many
>>>there are. I know this stuff must work, but I am having a hell of a
>>>time figuring it out. HELP!
>>>
>>Could you include the list of services you are needing to set up these
>>specifications for (i.e. ftp, login, etc.)?
>>
>>Also send the current configuration setup in your pam.d/ directory for
>>each of the services you need to use PAM for.
>>
>>--
>>Jason Gerfen
>>
>>"And remember... If the ladies
>> don't find you handsome, they
>> should at least find you handy..."
>> ~The Red Green show
>>
>>
>
>
>
--
Jason Gerfen
Student Computing
Marriott Library
801.585.9810
jason.gerfen at scl.utah.edu
"And remember... If the ladies
don't find you handsome, they
should at least find you handy..."
~The Red Green show
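
Added example, not part of the original thread: a small Python lint for a pam.d service file that catches the kind of typo asked about above, a pam_stack.so line whose service= name has no matching file. The names lint_pam and KNOWN_SERVICES, the contents of that set, and the ".so" suffix check are assumptions of this example; the sample text is taken from the login file quoted in the message.

```python
import difflib
import re

# Sample input: the auth/account lines of the login file quoted in the thread.
SAMPLE_LOGIN = """\
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin
auth required /lib/security/pam_tally.so deny=3 reset
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system.auth
account required /lib/security/pam_tally.so deny=3 reset
"""

# Assumption: the file names present in /etc/pam.d on the host being checked.
KNOWN_SERVICES = {"login", "passwd", "system-auth"}
TYPES = {"auth", "account", "password", "session"}
# Fields: type, control (plain word or [bracketed] form), module path, arguments.
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def lint_pam(text, known_services):
    """Return a list of (line_number, message) findings for one pam.d file."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m or m.group(1) not in TYPES:
            findings.append((n, "not a 'type control module [args]' line"))
            continue
        module, args = m.group(3), m.group(4).split()
        if not module.endswith(".so"):
            findings.append((n, f"module path {module!r} does not end in .so"))
        if module.endswith("pam_stack.so"):  # runs the stack named by service=
            services = [a[len("service="):] for a in args if a.startswith("service=")]
            if not services:
                findings.append((n, "pam_stack.so without a service= argument"))
            for svc in services:
                if svc not in known_services:
                    close = difflib.get_close_matches(svc, sorted(known_services), n=1)
                    hint = f"; closest existing name is {close[0]!r}" if close else ""
                    findings.append((n, f"pam_stack service {svc!r} not found{hint}"))
    return findings


if __name__ == "__main__":
    for lineno, msg in lint_pam(SAMPLE_LOGIN, KNOWN_SERVICES):
        print(f"login:{lineno}: {msg}")
```

On a real host, KNOWN_SERVICES would be built from the directory listing of /etc/pam.d rather than typed in.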