PAM faillock and sssd

Bryan Harris bryanlharris at me.com
Fri Jun 7 17:12:54 UTC 2013


Hi Tomas,

Thanks again for your help.

On Jun 06, 2013, at 01:44 PM, Tomas Mraz <tmraz at redhat.com> wrote:

> On Thu, 2013-06-06 at 18:24 +0000, Bryan Harris wrote:
> >
> > I have removed the 3rd line, and I have placed the account line at the
> > beginning of the account section. For some reason now, faillock does
> > not increment new failures for my users. Any ideas?
>
> I'd have to see your current PAM config to tell. Also you need to
> examine the failures before you login successfully with that user -
> because the account required pam_faillock.so will reset the failures
> once the user successfully authenticates.

In my file below, I changed the sssd line back to sufficient instead of the stuff I had placed in it before.  When I do a failed login for my sssd account, it does not any longer increment the counter for me (Yay!).

However, in my testing, I'm trying to login as root but the counter is not incrementing.  I've tried both using ssh as well as using the consoles.  Each time I just type a bunch of wrong letters for my root user password, but my counters don't change.  In fact I don't even see the root counter any more.  I wonder if I've broken the faillock mechanism...?

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        requisite     pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=900
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=900 fail_interval=900
auth        required      pam_deny.so

account     required      pam_faillock.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=  dcredit=-1      ucredit=-1      ocredit=-1      lcredit=-1      difok=4         maxrepeat=3
password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember=24
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
Bryan
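To make the control-flag behaviour of the auth stack posted above concrete, here is an added simulation written for this page; it is not part of the thread and not Linux-PAM's own code. It implements the keyword and bracketed control semantics from pam.conf(5) (ok, bad, die, done, ignore and numeric jumps) and walks the auth lines quoted in the message with assumed module outcomes: no fingerprint reader, pam_unix only verifies users with a local shadow entry, pam_sss only sssd users, and the pam_faillock authfail call increments a per-user tally and returns PAM_IGNORE (which is why it is paired with [default=die]). It goes beyond the single case in the message by evaluating several login scenarios, and the trace shows at which line each attempt leaves the stack, which is the first thing to check when a lockout counter does not move for some class of user. Under these assumptions a root attempt with a wrong password leaves the stack at the requisite pam_succeed_if line, before the authfail line is reached, while an sssd user's failure does reach it.

```python
"""Simulate Linux-PAM control-flag evaluation over the posted 'auth' stack (added example)."""
import operator
import re
from dataclasses import dataclass

# The auth section as posted in the message (authconfig-generated system-auth).
PAM_CONFIG = """
auth        required      pam_env.so
auth        requisite     pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=900
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=900 fail_interval=900
auth        required      pam_deny.so
"""

# pam.conf(5): the four keyword controls are shorthand for these action tables.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
OPS = {">=": operator.ge, ">": operator.gt, "<=": operator.le, "<": operator.lt, "=": operator.eq, "!=": operator.ne}

def parse_stack(text, facility):
    """Return [(action_table, module, args)] for one facility, e.g. 'auth'."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fac, control, module, args = LINE.match(line).groups()
        if fac != facility:
            continue
        if control.startswith("["):
            table = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            table = KEYWORDS[control]
        stack.append((table, module, args.split()))
    return stack

@dataclass
class Scenario:
    """Assumed state of one login attempt (constructed for the simulation)."""
    uid: int
    local: bool               # has a shadow entry, so pam_unix can verify the password
    password_ok: bool
    faillock_count: int = 0   # the tally pam_faillock keeps for this user

def module_result(module, args, s):
    """Assumed return of each module in this stack: 'success', 'fail' or 'ignore'."""
    if module == "pam_env.so":
        return "success"
    if module == "pam_faillock.so":
        deny = int(next((a[5:] for a in args if a.startswith("deny=")), "3"))
        if "preauth" in args:            # refuse the attempt once the tally reaches deny
            return "fail" if s.faillock_count >= deny else "success"
        s.faillock_count += 1            # authfail: record the failure ...
        return "ignore"                  # ... and return PAM_IGNORE; [default=die] turns that into die
    if module == "pam_fprintd.so":
        return "fail"                    # assumption: no fingerprint reader present
    if module == "pam_unix.so":
        return "success" if s.local and s.password_ok else "fail"
    if module == "pam_succeed_if.so":    # e.g. 'uid >= 500'; field name maps onto Scenario attributes
        return "success" if OPS[args[1]](getattr(s, args[0]), int(args[2])) else "fail"
    if module == "pam_sss.so":
        return "success" if not s.local and s.password_ok else "fail"
    if module == "pam_deny.so":
        return "fail"
    raise ValueError(f"no simulated behaviour for {module}")

def attempt_login(stack, s):
    """Walk the stack with Linux-PAM's ok/bad/die/done/ignore/jump semantics.
    Returns (result, trace); trace lists 'module -> return -> action' per line visited."""
    status, trace, i = None, [], 0
    while i < len(stack):
        table, module, args = stack[i]
        rv = module_result(module, args, s)
        action = table.get(rv, table["default"])
        trace.append(f"{module} -> {rv} -> {action}")
        i += 1
        if action == "ignore":
            continue
        if action == "die":              # fail and stop immediately (requisite, [default=die])
            return "fail", trace
        if action == "bad":              # record the failure, keep going (required)
            status = "fail"
        elif action == "done":           # sufficient: stop on success unless something already failed
            if status != "fail":
                return "success", trace
        elif action == "ok" or action.isdigit():
            if status != "fail":
                status = "success" if rv == "success" else "fail"
            if action.isdigit():         # 'success=N': skip the next N modules
                i += int(action)
    return (status or "fail"), trace     # a stack that made no decision is denied

if __name__ == "__main__":
    auth = parse_stack(PAM_CONFIG, "auth")
    for label, s in [("root, wrong password", Scenario(uid=0, local=True, password_ok=False)),
                     ("sssd user, wrong password", Scenario(uid=1000, local=False, password_ok=False))]:
        result, trace = attempt_login(auth, s)
        print(f"{label}: {result}, faillock tally now {s.faillock_count}")
        for step in trace:
            print("  " + step)
```

Running it prints the path each attempt takes; the root trace ends at `pam_succeed_if.so -> fail -> die`, so no tally is written and root can never be locked by this stack even though even_deny_root is set. The point is that a requisite line placed before the authfail line exempts every user it rejects from the lockout policy, which is worth checking whenever faillock appears to work for one population of users but not another.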