RHEL6 pam_tally2 lockouts

Johan Booysen johan at matrixsolutions.co.uk
Tue Jan 11 13:11:44 UTC 2011


Paul - thanks very much for your reply.

My understanding was that it should go into the /etc/pam.d/system-auth
file, but I've tried it in the /etc/pam.d/sshd file and it seems to work
in terms of logging failed logon attempts in /var/log/tallylog, e.g.

Login           Failures Latest failure
test                6    01/11/11 12:04:23

However, the account does not get locked out after the specified number
of logon attempts (3) given on the following line:
auth       required     pam_tally2.so deny=3 onerr=fail

The pam_tally2 man page mentions:

deny=n	Deny access if tally for this user exceeds n.

Anyone have any idea why the account doesn't get locked?

Regards,

Johan
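An added check, not part of the thread: PAM's `sufficient` control flag ends the auth stack on success when no earlier `required` module has failed, so a `pam_tally2.so` line appended after `auth sufficient pam_unix.so` only runs on failed logins. The tally grows (which matches the tallylog output above) but the `deny=` test is never evaluated for a correct password, so nothing locks. The pam_tally2 man page's own example places the module ahead of `pam_unix.so`. The script below, with two constructed RHEL6-style `system-auth` samples embedded inline, reports whether the auth-stack line sits before the first `sufficient` entry and whether the account line is present; the function names and sample contents are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread): audit where pam_tally2.so sits in a
# PAM service file's auth stack.

# Constructed sample: pam_tally2 appended as the last auth line, as the
# original post describes. pam_unix.so is "sufficient", so a correct
# password short-circuits the stack before pam_tally2's deny= check runs.
SAMPLE_APPENDED='auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
auth        required      pam_tally2.so deny=3 onerr=fail
account     required      pam_unix.so
account     required      pam_tally2.so'

# Constructed sample: pam_tally2 placed before pam_unix.so, so every
# authentication attempt passes through the deny= check first.
SAMPLE_EARLY='auth        required      pam_env.so
auth        required      pam_tally2.so deny=3 onerr=fail
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_tally2.so
account     required      pam_unix.so'

# tally2_auth_position CONFIG_TEXT
# Prints "ok" if pam_tally2.so appears in the auth stack before any
# "sufficient" module, "late" if it only appears after one, and
# "missing" if there is no pam_tally2 auth line at all.
tally2_auth_position() {
    printf '%s\n' "$1" | awk '
        $1 == "auth" {
            if ($3 == "pam_tally2.so" && !seen_sufficient) { print "ok"; found = 1; exit }
            if ($3 == "pam_tally2.so") { print "late"; found = 1; exit }
            if ($2 == "sufficient") seen_sufficient = 1
        }
        END { if (!found) print "missing" }'
}

# tally2_account_present CONFIG_TEXT
# Prints "yes" if the account stack carries pam_tally2.so (the line that
# resets the counter after a successful login), otherwise "no".
tally2_account_present() {
    printf '%s\n' "$1" | awk '
        $1 == "account" && $3 == "pam_tally2.so" { f = 1 }
        END { print (f ? "yes" : "no") }'
}

# Report on both constructed samples; pass a real file's contents instead
# (e.g. "$(cat /etc/pam.d/system-auth)") to audit a live host.
for name in SAMPLE_APPENDED SAMPLE_EARLY; do
    eval "cfg=\$$name"
    printf '%-16s auth position: %-8s account line: %s\n' \
        "$name" "$(tally2_auth_position "$cfg")" "$(tally2_account_present "$cfg")"
done
```

Running it prints `late` for the appended layout and `ok` for the early one; on a real host, a `late` result means the counter in `/var/log/tallylog` climbs without ever enforcing `deny=`.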

-----Original Message-----
From: redhat-list-bounces at redhat.com
[mailto:redhat-list-bounces at redhat.com] On Behalf Of Mr. Paul M. Whitney
Sent: 10 January 2011 17:50
To: General Red Hat Linux discussion list
Subject: Re: RHEL6 pam_tally2 lockouts

Have you tried putting the entries in /etc/pam.d/ssh instead of
system-auth?


Paul W.


On Jan 10, 2011, at 10:40, Johan Booysen <johan at matrixsolutions.co.uk>
wrote:

> I'm trying to set up a RHEL6 server for sftp access only.  So far it
> works very well, but I can't seem to get pam_tally2 set up to lock
> user accounts after so many unsuccessful login attempts.
> 
> As far as I could find out, it should work if I add the following
> lines to /etc/pam.d/system-auth:
> 
> Last line in the auth section:
> 
> auth        required      pam_tally2.so deny=3 onerr=fail
> 
> Last line in the account section:
> 
> account     required      pam_tally2.so
> 
> According to the pam_tally2 man page this should log failed attempts
> in /var/log/tallylog, but when I deliberately log in with nonsense
> usernames/password, I get absolutely nothing in the tallylog file.
> Hence running the pam_tally2 command with no options produces no
> results.
> 
> /var/log/secure shows me entries such as:
> 
> Jan 10 15:16:26 rhel6 sshd[1918]: Failed password for test from
> 192.x.x.x port 4467 ssh2
> 
> Jan 10 15:16:29 rhel6 sshd[1918]: Failed password for test from
> 192.x.x. port 4467 ssh2
> 
> Jan 10 15:16:29 rhel6 sshd[1919]: Disconnecting: Too many
> authentication failures for test
> 
> Jan 10 15:16:29 rhel6 sshd[1918]: PAM 1 more authentication failure;
> logname= uid=0 euid=0 tty=ssh ruser= rhost=mc23.xxxxx.int  user=test
> 
> In /etc/ssh/sshd_config I've got
> 
> UsePAM yes
> 
> PasswordAuthentication yes
> 
> ChallengeResponseAuthentication no
> 
> I might be missing something silly here, so I'd really appreciate any
> advice on getting this to work on Red Hat Enterprise Linux 6.
> 
> Thanks.
> 
> -- 
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
