PAM faillock and sssd
Bryan Harris
bryanlharris at me.com
Fri Jun 7 17:12:54 UTC 2013
Hi Tomas,
Thanks again for your help.
On Jun 06, 2013, at 01:44 PM, Tomas Mraz <tmraz at redhat.com> wrote:
> On Thu, 2013-06-06 at 18:24 +0000, Bryan Harris wrote:
> >
> > I have removed the 3rd line, and I have placed the account line at the
> > beginning of the account section. For some reason now, faillock does
> > not increment new failures for my users. Any ideas?
> I'd have to see your current PAM config to tell. Also you need to
> examine the failures before you login successfully with that user -
> because the account required pam_faillock.so will reset the failures
> once the user successfully authenticates.
In my file below, I changed the sssd line back to sufficient instead of the stuff I had placed in it before. When I do a failed login for my sssd account, it no longer increments the counter for me (Yay!).
However, in my testing, I'm trying to log in as root but the counter is not incrementing. I've tried both using ssh as well as using the consoles. Each time I just type a bunch of wrong letters for my root user password, but my counters don't change. In fact I don't even see the root counter any more. I wonder if I've broken the faillock mechanism...?
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth requisite pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=900
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=900 fail_interval=900
auth required pam_deny.so
account required pam_faillock.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4 maxrepeat=3
password sufficient pam_sss.so use_authtok
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=24
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
Bryan
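The following is an added illustration, not part of this thread and not Linux-PAM's own code: a simplified simulator of the pam.d(5) control flags (required, requisite, sufficient, optional, and the bracketed ok/bad/die/done/ignore/N actions) run over the auth section posted above. The module behaviours are stubs I constructed for the walkthrough (pam_fprintd is assumed to fail because no reader is present; pam_unix answers only for local accounts; pam_sss only for non-local ones; pam_faillock authfail always fails and is counted when reached), and the User class and its fields are assumptions of this example. Under these simplified semantics, a root login with a wrong password stops at the requisite pam_succeed_if.so uid >= 500 line, so the [default=die] pam_faillock.so authfail entry is never executed, whereas a non-root user with a wrong password does reach it. Tracing the stack this way is a quick check that a lockout policy actually applies to every account it is meant to cover.

```python
"""Simplified simulator of Linux-PAM control flags over an auth stack.

Added example for reading the thread above; it models pam.d(5) control
semantics and stubs the modules, it does not call the real PAM library.
"""
from dataclasses import dataclass, field

# The auth section exactly as posted in the thread.
AUTH_STACK = """\
auth required pam_env.so
auth requisite pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=900
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=900 fail_interval=900
auth required pam_deny.so
"""

# Keyword controls expanded to their bracketed equivalents, per pam.d(5).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}


@dataclass
class Entry:
    control: dict   # return-code -> action
    module: str
    args: list


@dataclass
class User:           # assumption of this example, not a PAM structure
    name: str
    uid: int
    local: bool       # has an /etc/shadow entry, i.e. pam_unix can verify it
    password_ok: bool


@dataclass
class Trace:
    visited: list = field(default_factory=list)   # (module, return code) in order
    failures_recorded: int = 0                    # times pam_faillock authfail ran
    result: str = ""


def parse_stack(text, facility="auth"):
    """Parse pam.d-style lines for one facility into Entry objects."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fac, rest = line.split(None, 1)
        if fac != facility:
            continue
        if rest.startswith("["):                      # [value=action ...] form
            ctl_text, rest = rest[1:].split("]", 1)
            control = dict(tok.split("=") for tok in ctl_text.split())
        else:                                         # keyword form
            parts = rest.split(None, 1)
            control, rest = KEYWORDS[parts[0]], (parts[1] if len(parts) > 1 else "")
        parts = rest.split()
        entries.append(Entry(control, parts[0], parts[1:]))
    return entries


def run_module(entry, user):
    """Stubbed module outcomes (constructed for this example)."""
    m, args = entry.module, entry.args
    if m == "pam_env.so":
        return "success"
    if m == "pam_faillock.so":
        return "success" if "preauth" in args else "auth_err"   # authfail always fails
    if m == "pam_fprintd.so":
        return "auth_err"                                       # assumed: no reader
    if m == "pam_unix.so":
        if not user.local:
            return "user_unknown"
        return "success" if user.password_ok else "auth_err"
    if m == "pam_sss.so":
        return "success" if not user.local and user.password_ok else "auth_err"
    if m == "pam_succeed_if.so":                                # only 'uid >= N' / 'uid < N'
        op, n = args[1], int(args[2])
        ok = user.uid >= n if op == ">=" else user.uid < n
        return "success" if ok else "auth_err"
    if m == "pam_deny.so":
        return "auth_err"
    raise ValueError(f"no stub for {m}")


def simulate(entries, user):
    """Walk the stack applying pam.d(5) actions; return the Trace."""
    trace, status, i = Trace(), None, 0
    while i < len(entries):
        e = entries[i]
        rc = run_module(e, user)
        trace.visited.append((e.module, rc))
        if e.module == "pam_faillock.so" and "authfail" in e.args:
            trace.failures_recorded += 1
        action = e.control.get(rc, e.control.get("default", "bad"))
        if action != "ignore" and status in (None, "success"):
            status = rc            # first failure (or latest success) wins
        if action == "die" or (action == "done" and status == "success"):
            break
        if action.isdigit():       # N: act as ok and skip the next N entries
            i += int(action)
        i += 1
    trace.result = status or "success"
    return trace


if __name__ == "__main__":
    stack = parse_stack(AUTH_STACK)
    for u in (User("root", 0, True, False), User("alice", 1000, False, False)):
        t = simulate(stack, u)
        print(u.name, t.result, "authfail runs:", t.failures_recorded, t.visited)
```

Running it prints the module-by-module path for a root and for a non-root failed login; the root path ends at pam_succeed_if.so with no authfail run.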