ftp/sftp user account lockout threshold
Bill Tangren
bjt at usno.navy.mil
Tue Jul 24 14:25:36 UTC 2007
Johan Booysen wrote:
> Hi,
>
> Thanks for your reply.
>
> I find using pam modules a bit confusing at the moment. Does anyone
> know of a good example on how to use pam_tally in this way?
>
> Thanks.
>
> Johan
>
Add these lines to /etc/pam.d/system-auth:

    auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
    account required /lib/security/$ISA/pam_tally.so deny=3 no_magic_root reset

Next, make a faillog:

    # touch /var/log/faillog

Also, make sure /etc/pam.d/xscreensaver does not call system-auth, or you will
not be able to unlock your screensaver. This is because xscreensaver doesn't
have the rights to write to the faillog. I copied the contents of system-auth
and put it in xscreensaver, and then I removed the pam_tally lines. Overkill
probably, but it works for me.
> -----Original Message-----
> From: redhat-list-bounces at redhat.com
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Bill Tangren
> Sent: 23 July 2007 16:09
> To: General Red Hat Linux discussion list
> Subject: Re: ftp/sftp user account lockout threshold
>
> Johan Booysen wrote:
>> Dear all,
>>
>> Does anyone know if it's possible to set up a vsftpd and/or sftp
>> server so that (for example) after 3 unsuccessful logon attempts, a
>> user's account is locked out or disabled?
>>
>> I've done a bit of quick googling on this issue, but have come up
>> empty so far.
>>
>> Thanks very much.
>>
>> Johan
>>
>
> pam can use pam_tally to do this.
>
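
Added example (not part of the original message or of any Red Hat tooling): a shell check of the three steps in the reply above. It confirms that system-auth carries both pam_tally lines with a deny= threshold, that the faillog exists, and it lists which services pull in system-auth, flagging xscreensaver. The function names are hypothetical, and it assumes services stack system-auth through pam_stack.so service=system-auth or an include line.

```shell
# Added example, not from the original post. Function names are hypothetical.
# Source this file, then run: pam_tally_audit /etc/pam.d /var/log/faillog

# Succeed if FILE ($1) has a pam_tally.so line of TYPE ($2: auth or account).
has_tally() {
    grep -Eq "^[[:space:]]*$2[[:space:]].*pam_tally\.so" "$1" 2>/dev/null
}

# Print the deny= threshold from the account pam_tally line (empty if unset).
tally_deny() {
    sed -n 's/^[[:space:]]*account[[:space:]].*pam_tally\.so.*[[:space:]]deny=\([0-9][0-9]*\).*/\1/p' "$1" 2>/dev/null | head -n 1
}

# List services in DIR ($1) that pull in system-auth and so inherit pam_tally.
# Assumption: stacking is done with pam_stack.so service= or an include line.
stacked_services() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        [ "${f##*/}" = system-auth ] && continue
        if grep -Eq '^[[:space:]]*[a-z]+[[:space:]].*(service=system-auth|include[[:space:]]+system-auth)' "$f"; then
            echo "${f##*/}"
        fi
    done
}

# Check all three steps from the post; returns non-zero if there is any finding.
pam_tally_audit() {
    pdir=${1:-/etc/pam.d}; flog=${2:-/var/log/faillog}; sa=$pdir/system-auth; rc=0
    has_tally "$sa" auth    || { echo "MISSING auth pam_tally line in $sa"; rc=1; }
    has_tally "$sa" account || { echo "MISSING account pam_tally line in $sa"; rc=1; }
    deny=$(tally_deny "$sa")
    if [ -n "$deny" ]; then echo "lockout threshold: deny=$deny"
    else echo "MISSING deny= on the account pam_tally line"; rc=1; fi
    [ -e "$flog" ] || { echo "MISSING $flog (create it with touch)"; rc=1; }
    for svc in $(stacked_services "$pdir"); do
        case $svc in
            xscreensaver) echo "WARN $svc stacks system-auth, unlock may fail"; rc=1 ;;
            *) echo "covered: $svc" ;;
        esac
    done
    return $rc
}
```

Services reported as "covered" are the ones the lockout applies to; a vsftpd or sshd entry missing from that list means failed logins there are not being counted.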