pam-1.3.0-r3 ebuild introducing the faillock capability from Red Hat. This allows locking a user account after consecutive failed login attempts. After a number of attempts (can be configured) the account will be locked for a certain time (can be configured).

Testing can be performed as follows. Set the keywords for the sys-libs/pam ebuild and install the new version:

    echo "=sys-libs/pam-1.3.0-r3 **" >> /etc/portage/package.accept_keywords
    emerge -1u pam

After installation, edit /etc/pam.d/system-auth with an editor and add the lines indicated:

    auth required pam_env.so
    auth required pam_faillock.so preauth audit deny=3 unlock_time=60
    auth required pam_unix.so try_first_pass likeauth nullok
    auth required pam_faillock.so authfail audit deny=3 fail_interval=60 unlock_time=60
    auth optional pam_permit.so
    account required pam_faillock.so
    account required pam_unix.so
    account optional pam_permit.so
    password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
    password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
    password optional pam_permit.so
    session required pam_limits.so
    session required pam_env.so
    session required pam_unix.so
    session optional pam_permit.so

Notice the pam_faillock.so lines. It is very important that the first line in the auth part is before the pam_unix module. The second line must be after the pam_unix module. In the account part, the pam_faillock module is needed before the pam_unix module.

In the example, 3 attempts are set for the locking. After that, the account will be locked, and in the console you will see a message that the account is locked, for 60 seconds in the example. After that period of time, the account will be released.

To review the state, you can use the faillock utility installed by pam. For more advanced options, see the faillock and pam_faillock manual pages.

In case a mistake is made in the configuration, please have a live CD to boot from to alter the changes in /etc/pam.d/system-auth. It is a wise decision to have a copy of it somewhere before the tests.
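
The ordering rules described above can be checked mechanically before logging out. The following is an added example, not part of the original post or of the pam package; the function names and the deny=/unlock_time= consistency check are assumptions of this example, and the sample text is the auth/account part of the file shown in the post.

```python
import re
# Constructed sample: the auth/account part of the system-auth file from the post.
SAMPLE = """\
auth     required  pam_env.so
auth     required  pam_faillock.so preauth audit deny=3 unlock_time=60
auth     required  pam_unix.so try_first_pass likeauth nullok
auth     required  pam_faillock.so authfail audit deny=3 fail_interval=60 unlock_time=60
auth     optional  pam_permit.so
account  required  pam_faillock.so
account  required  pam_unix.so
account  optional  pam_permit.so
"""
# type, control (plain word or [bracketed] form), module, remaining arguments
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse(text):
    """Return (type, module, args) for every rule line; comments are dropped."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if m:
            rules.append((m.group(1), m.group(3), m.group(4).split()))
    return rules

def check(text):
    """Return a list of problems with the pam_faillock placement (empty = OK)."""
    rules = parse(text)
    def pos(kind, module, flag=None):
        for i, (t, mod, args) in enumerate(rules):
            if t == kind and mod == module and (flag is None or flag in args):
                return i
        return None
    problems = []
    unix_auth = pos("auth", "pam_unix.so")
    pre = pos("auth", "pam_faillock.so", "preauth")
    fail = pos("auth", "pam_faillock.so", "authfail")
    if None in (unix_auth, pre) or pre > unix_auth:
        problems.append("auth: pam_faillock.so preauth must precede pam_unix.so")
    if None in (unix_auth, fail) or fail < unix_auth:
        problems.append("auth: pam_faillock.so authfail must follow pam_unix.so")
    unix_acct, fl_acct = pos("account", "pam_unix.so"), pos("account", "pam_faillock.so")
    if None in (unix_acct, fl_acct) or fl_acct > unix_acct:
        problems.append("account: pam_faillock.so must precede pam_unix.so")
    # Extra check (assumption of this example, not from the post): same deny=/unlock_time=
    if pre is not None and fail is not None:
        for opt in ("deny=", "unlock_time="):
            vals = [{a for a in rules[i][2] if a.startswith(opt)} for i in (pre, fail)]
            if vals[0] != vals[1]:
                problems.append(f"auth: {opt} differs between preauth and authfail")
    return problems
```

Calling check() on the contents of /etc/pam.d/system-auth returns an empty list when the three placement rules hold.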