Gettring Started

Jason Gerfen jason.gerfen at scl.utah.edu
Thu Sep 23 18:33:40 UTC 2004


Terry Orgill wrote:

>The requirement is that after 3 unsuccessful attempts to login, the user is
>locked out for fifteen minutes before new attempts are allowed.  I think PAM
>provides for the lockout, but not the fifteen minutes.  I was going to setup
>a crontab script to run every fifteen minutes and unlock anyone that is
>locked.  That will suffice.  What am I doing wrong that the user is not
>locked out after 3 attempts?
>----- Original Message -----
>From: "Jason Gerfen" <jason.gerfen at scl.utah.edu>
>To: "Terry Orgill" <terry at stribus.com>; "Pluggable Authentication Modules"
><pam-list at redhat.com>
>Sent: Thursday, September 23, 2004 11:20 AM
>Subject: Re: Gettring Started
>
>>Always reply to ALL...
>>
>>also is the below a typo?
>>
>>Terry Orgill wrote:
>>
>>>I may not have a clue about PAM, but it would seem that for the functions I
>>>need, the files I need to modify in pam.d are login and passwd.  I have no
>>>need for the functionality in ftp, etc.  What I have currently in login:
>>>
>>>auth            required    /lib/security/pam_securetty.so
>>>auth            required    /lib/security/pam_nologin
>>>auth            required    /lib/security/pam_tally.so deny=3 reset
>>>auth            required    /lib/security/pam_stack.so service=system-auth
>>>
>>service=system.auth? should be system-auth correct?
>>
>>>account        required    /lib/security/pam_stack.so service=system.auth
>>>account        required    /lib/security/pam_tally.so deny=3 reset
>>>password    required    /lib/security/pam_stack.so service=system-auth
>>>password    required    /lib/security/pam_tally.so deny=3 reset
>>>
Try this...
Other than that I have no other suggestions; any references to other
people using it have turned up the following line:

password    required    /lib/security/pam_tally.so no_magic_root deny=3 reset

>>>session        required    /lib/security/pam_stack.so service=system-auth
>>>session        required    /lib/security/pam_console.so
>>>
>>>I may be out in left field with this.  The one thing it seemed obvious I
>>>needed was pam_tally.so deny=3 reset.  Everything else was a mixture of
>>>whatever was already in there and experimentation.  With the above
>>>configuration I can make 4 attempts before it disconnects the telnet
>>>session, but then I can go right back in, use the correct password and get
>>>in.
>>>
>>>passwd:
>>>
>>>auth            required      /lib/security/pam_pwdb.so shadow nullok
>>>account        required    /lib/security/pam_pwdb.so
>>>password    required    /lib/security/pam_cracklib.so minlen=6 retry=3
>>>password    required    /lib/security/pam_pwdb.so use_authtok nullok md5 shadow
>>>
>>the minlen=6 should work like you need, however you are stating that
>>after less than a minute or 3 bad attempts you may still login correct?
>>
>>>This configuration does hold me to a minimum of 6 characters, but I can
>>>reuse passwords.
>>>----- Original Message -----
>>>From: "Jason Gerfen" <jason.gerfen at scl.utah.edu>
>>>To: "Terry Orgill" <terry at stribus.com>; "Pluggable Authentication Modules"
>>><pam-list at redhat.com>
>>>Sent: Thursday, September 23, 2004 10:32 AM
>>>Subject: Re: Gettring Started
>>>
>>>>Terry Orgill wrote:
>>>>
>>>>>I am urgently trying to get PAM working for a customer (RH 7.1, PAM
>>>>>0.77) that is about to undergo a security audit.  I need password
>>>>>expiration, minimum password length, no reuse of passwords, lockout of
>>>>>users after three unsuccessful attempts to login, one session only for
>>>>>users.  I have the one session part working
>>>>>(/etc/security/limits.conf), but nothing else will.  I am using
>>>>>pam_cracklib.so, pam_pwdb.so for the password part.  I am using
>>>>>pam_tally.so for the login part.  It just ignores me.  I did manage to
>>>>>get a user locked out by substituting pam.conf for pam.d, but then I
>>>>>could not get the user unlocked.  If I run pam_tally --user<username>
>>>>>it always returns a 0 for unsuccessful attempts no matter how many
>>>>>there are.  I know this stuff must work, but I am having a hell of a
>>>>>time figuring it out.  HELP!
>>>>>
>>>>------------------------------------------------------------------------
>>>>
>>>>>_______________________________________________
>>>>>Pam-list mailing list
>>>>>Pam-list at redhat.com
>>>>>https://www.redhat.com/mailman/listinfo/pam-list
>>>>>
>>>>Could you include the list of services you are needing to setup these
>>>>specifications for (i.e. ftp, login, etc.)
>>>>
>>>>Also send the current configuration setup in your pam.d/ directory for
>>>>each of the services you need to use PAM for?
>>>>
>>>>--
>>>>Jason Gerfen
>>>>
>>>>"And remember... If the ladies
>>>>don't find you handsome, they
>>>>should at least find you handy..."
>>>>            ~The Red Green show
>>>>
>>>
>>--
>>Jason Gerfen
>>Student Computing
>>Marriott Library
>>801.585.9810
>>jason.gerfen at scl.utah.edu
>>
>>"And remember... If the ladies
>> don't find you handsome, they
>> should at least find you handy..."
>>             ~The Red Green show
>>
>


-- 
Jason Gerfen
Student Computing
Marriott Library
801.585.9810
jason.gerfen at scl.utah.edu

"And remember... If the ladies
 don't find you handsome, they
 should at least find you handy..."
             ~The Red Green show
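As an added example (not code from the original post or from Linux-PAM), the following Python lints a pam.d service file for the two slips visible in the quoted `login` file: a module path without the `.so` suffix (`pam_nologin`) and a `pam_stack.so` line whose `service=` value names no file in pam.d (`system.auth` instead of `system-auth`). The `/lib/security` and `/etc/pam.d` paths and the legacy `type control module [args]` syntax assumed here are the ones shown in the thread; the embedded sample configuration is a constructed copy of the quoted file, typos included.

```python
"""Lint a pam.d service file for the configuration slips seen in this thread.

Added example; not code from the original post or from Linux-PAM.
Assumed: the legacy one-file-per-service pam.d syntax of PAM 0.77
('type control module-path [args]'), and that pam_stack.so's target is
given as 'service=<name>' where <name> is another file in /etc/pam.d.
"""
import difflib
import os
import sys
from typing import Iterable, List, Optional

TYPES = {"auth", "account", "password", "session"}
CONTROLS = {"required", "requisite", "sufficient", "optional"}

# Constructed copy of the 'login' file quoted in the thread, typos included.
LOGIN_FILE = """\
auth            required    /lib/security/pam_securetty.so
auth            required    /lib/security/pam_nologin
auth            required    /lib/security/pam_tally.so deny=3 reset
auth            required    /lib/security/pam_stack.so service=system-auth
account        required    /lib/security/pam_stack.so service=system.auth
account        required    /lib/security/pam_tally.so deny=3 reset
password    required    /lib/security/pam_stack.so service=system-auth
password    required    /lib/security/pam_tally.so deny=3 reset
session        required    /lib/security/pam_stack.so service=system-auth
session        required    /lib/security/pam_console.so
"""


def lint_pamd(text: str, known_services: Iterable[str],
              module_dir: Optional[str] = None) -> List[str]:
    """Return one finding per problem found; an empty list means clean.

    known_services: service names present in pam.d (the test passes a
    constructed set; on a host use os.listdir('/etc/pam.d')).
    module_dir: when given, each module path must also exist there on disk.
    """
    services = set(known_services)
    findings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            findings.append(f"line {lineno}: expected 'type control module [args]'")
            continue
        mtype, control, module, *args = fields
        if mtype not in TYPES:
            findings.append(f"line {lineno}: unknown module type '{mtype}'")
        if control not in CONTROLS:
            findings.append(f"line {lineno}: unknown control flag '{control}'")
        if not module.endswith(".so"):
            # 'pam_nologin' without '.so' names no file in /lib/security
            findings.append(f"line {lineno}: module '{module}' lacks the .so suffix")
        elif module_dir is not None and not os.path.isfile(
                os.path.join(module_dir, os.path.basename(module))):
            findings.append(f"line {lineno}: module '{module}' not found in {module_dir}")
        if os.path.basename(module) == "pam_stack.so":
            target = next((a.split("=", 1)[1] for a in args
                           if a.startswith("service=")), None)
            if target is None:
                findings.append(f"line {lineno}: pam_stack.so has no service= argument")
            elif target not in services:
                # suggest the closest real service name, e.g. system-auth
                hint = difflib.get_close_matches(target, services, n=1)
                guess = f" (did you mean '{hint[0]}'?)" if hint else ""
                findings.append(
                    f"line {lineno}: pam_stack.so points at service '{target}', "
                    f"which does not exist in pam.d{guess}")
    return findings


if __name__ == "__main__":
    # Usage: python pamd_lint.py login   (lints /etc/pam.d/login on the host);
    # with no argument it lints the constructed copy of the thread's file.
    name = sys.argv[1] if len(sys.argv) > 1 else None
    if name:
        with open(os.path.join("/etc/pam.d", name)) as fh:
            problems = lint_pamd(fh.read(), os.listdir("/etc/pam.d"),
                                 module_dir="/lib/security")
    else:
        problems = lint_pamd(LOGIN_FILE, {"login", "passwd", "system-auth"})
    for p in problems:
        print(p)
```

Run against the quoted file it reports exactly the two lines under discussion; pointing `module_dir` at the host's `/lib/security` additionally catches module names that are spelled correctly but not installed.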
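The thread's proposed fix for the missing 15-minute window is a cron job that periodically unlocks whoever pam_tally has locked. The script below is an added example of that sweep (not code from the original post or from Linux-PAM). It assumes that `pam_tally` run with no arguments lists each user with a non-zero tally as `User <name> (<uid>) has <count>`, that `pam_tally --user <name> --reset` clears that user's count, and that the helper lives at `/sbin/pam_tally`; the sample listing is constructed. The threshold at which a user is reset is a parameter, since the thread does not pin down the exact count at which the module starts refusing.

```python
"""Periodic unlock sweep for pam_tally, the cron job proposed in the thread.

Added example; not code from the original post or from Linux-PAM.
Assumptions: `pam_tally` with no arguments prints one line per user as
'User <name> (<uid>) has <count>', `pam_tally --user <name> --reset`
clears that user's tally, and the helper is installed as /sbin/pam_tally.
Scheduled every 15 minutes from cron (with --live), it clears the tally of
anyone at or above the deny threshold, giving the 15-minute lockout window
that pam_tally alone does not provide.
"""
import re
import subprocess
from typing import Dict, List, Sequence

PAM_TALLY = "/sbin/pam_tally"          # assumed location of the helper
LISTING_RE = re.compile(r"^User\s+(\S+)\s+\((\d+)\)\s+has\s+(\d+)\s*$")

# Constructed sample listing; not captured from a real host.
SAMPLE_LISTING = (
    "User terry\t(501)\thas 3\n"
    "User alice\t(502)\thas 1\n"
    "User bob\t(503)\thas 5\n"
)


def parse_tally_listing(text: str) -> Dict[str, int]:
    """Map user name -> failure tally from a pam_tally listing."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        m = LISTING_RE.match(line.strip())
        if m:                       # ignore headers or unexpected lines
            counts[m.group(1)] = int(m.group(3))
    return counts


def users_to_unlock(counts: Dict[str, int], deny: int = 3) -> List[str]:
    """Users whose tally is at or above the deny= value, sorted by name.

    The comparison is a policy knob: adjust it to match where your build of
    pam_tally starts refusing logins.
    """
    return sorted(u for u, c in counts.items() if c >= deny)


def reset_commands(users: Sequence[str],
                   pam_tally: str = PAM_TALLY) -> List[List[str]]:
    """argv lists for clearing each user's tally, one pam_tally call each."""
    return [[pam_tally, "--user", u, "--reset"] for u in users]


def sweep(listing: str, deny: int = 3, dry_run: bool = True) -> List[List[str]]:
    """Compute (and, unless dry_run, execute) the resets for one sweep."""
    cmds = reset_commands(users_to_unlock(parse_tally_listing(listing), deny))
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)   # unlock the user now
    return cmds


if __name__ == "__main__":
    # Assumed cron entry:  */15 * * * * /usr/local/sbin/tally_sweep.py --live
    # Without --live the script only prints what it would run, using the
    # constructed sample listing.
    import sys
    live = "--live" in sys.argv
    listing = (subprocess.run([PAM_TALLY], capture_output=True, text=True,
                              check=True).stdout if live else SAMPLE_LISTING)
    for cmd in sweep(listing, dry_run=not live):
        print(" ".join(cmd))
```

Because the sweep clears every locked tally regardless of when the failures happened, a user locked one minute before the job runs is unlocked early; the effective lockout is anywhere between zero and fifteen minutes, which is the trade-off the thread accepts.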




