pam_tally & SSH not working properly at all -- FC5T3 w/ pam 0.99
Stewart Adam
compustew at hotmail.com
Wed Mar 8 23:30:54 UTC 2006
/etc/pam.d/system-auth:
#%PAM-1.0
...
auth sufficient pam_unix.so nullok try_first_pass
...
account sufficient pam_succeed_if.so uid < 500 quiet
...
password sufficient pam_unix.so md5 nullok try_first_pass use_authtok
...
These lines are really annoyimg me know. How can I change them so that
they're no longer "sufficient" but just part of the process? (As in so that
the auth doesn't stop there and so that pam_tally has an effect)
Firewing1
-----------------------------------------------------------------------------------------
My web site:
http://www.nongnu.org/script-wing
>From: Darren Tucker <dtucker at zip.com.au>
>Reply-To: dtucker at zip.com.au,Pluggable Authentication Modules
><pam-list at redhat.com>
>To: Pluggable Authentication Modules <pam-list at redhat.com>
>Subject: Re: pam_tally & SSH not working properly at all -- FC5T3 w/ pam
>0.99
>Date: Mon, 6 Mar 2006 15:07:00 +1100
>
>On Sun, Mar 05, 2006 at 11:30:57AM -0500, Stewart Adam wrote:
> > /etc/pam.d/systam-auth file:
> > -- start --
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth required pam_env.so
> > auth sufficient pam_unix.so nullok try_first_pass
> > auth requisite pam_succeed_if.so uid >= 500 quiet
> > auth required pam_deny.so
>
>[...]
> > Do I have to change them to "Required"?
>
>Just blindly changing "sufficient" to "required" won't do what you
>want since the "required pam_deny.so" will mean that you will end up
>disallowing all authentications.
>
> > Or would I be able to make it so that I tell my system to use pam_tally
> > for everything, but it will only block SSH?
>
>The safest thing to do is probably constructing a sshd PAM config
>file that does what you want starting with a copy of system-auth.
>Something like this for the auth section ought to work (untested):
>
>auth required pam_env.so
>auth required pam_unix.so nullok try_first_pass
>auth required pam_tally.so
>auth requisite pam_succeed_if.so uid >= 500 quiet
>
>--
>Darren Tucker (dtucker at zip.com.au)
>GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
>usually comes from bad judgement.
>
>_______________________________________________
>Pam-list mailing list
>Pam-list at redhat.com
>https://www.redhat.com/mailman/listinfo/pam-list
More information about the Pam-list
mailing list