Re: Gettring Started

[Jason Gerfen <jason.gerfen@xxxxxxxxxxxx>]

Terry Orgill wrote:

> The requirement is that after 3 unsuccessful attempts to login, the user is
> locked out for fifteen minutes before new attempts are allowed.  I think PAM
> provides for the lockout, but not the fifteen minutes.  I was going to setup
> a crontab script to run every fifteen minutes and unlock anyone that is
> locked.  That will suffice.  What am I doing wrong that the user is not
> locked out after 3 attempts?
> ----- Original Message -----
> From: "Jason Gerfen" <jason.gerfen@xxxxxxxxxxxx>
> To: "Terry Orgill" <terry@xxxxxxxxxxx>; "Pluggable Authentication Modules"
> <pam-list@xxxxxxxxxx>
> Sent: Thursday, September 23, 2004 11:20 AM
> Subject: Re: Gettring Started
>
>
>  
>
> > Always reply to ALL...
> >
> > also is the below a typo?
> >
> > Terry Orgill wrote:
> >
> >    
> >
> > > I may not have a clue about PAM, but it would seem that for the functions
> > >      
> I
>  
>
> > > need, the files I need to modify in pam.d are login and passwd.  I have
> > >      
> no
>  
>
> > > need for the functionality in ftp, etc.  What I have currently in login:
> > >
> > > auth            required    /lib/security/pam_securetty.so
> > > auth            required    /lib/security/pam_nologin
> > > auth            required    /lib/security/pam_tally.so deny=3 reset
> > > auth            required    /lib/security/pam_stack.so
> > >      
> service=system-auth
>  
>
> > >      
> > service=system.auth? should be system-auth correct?
> >
> >    
> >
> > > account        required    /lib/security/pam_stack.so service=system.auth
> > > account        required    /lib/security/pam_tally.so deny=3 reset
> > > password    required    /lib/security/pam_stack.so service=system-auth
> > > password    required    /lib/security/pam_tally.so deny=3 reset
> > >      
try this...
other than that i have no other suggestions, any references to other 
people using it have turned up the following line

password    required    /lib/security/pam_tally.so no_magic_root deny=3 reset

> > > session        required    /lib/security/pam_stack.so service=system-auth
> > > session        required    /lib/security/pam_console.so
> > >
> > > I may be out in left field with this.  The one thing is seemed obvious I
> > > needed was pam_tally.so deny=3 reset.  Everything else was a mixture of
> > > whatever was already in there and experimentation.  With the above
> > > configuration I can make 4 attempts before it disconnects the telnet
> > > session, but then I can go right back in, use the correct password and
> > >      
> get
>  
>
> > > in.
> > >
> > > passwd:
> > >
> > > auth            required      /lib/security/pam_pwdb.so shadow nullok
> > > account        required    /lib/security/pam_pwdb.so
> > > password    required    /lib/security/pam_cracklib.so minlen=6 retry=3
> > > password    required    /lib/security/pam_pwdb.so use_authtok nullok md5
> > > shadow
> > >
> > >
> > >
> > >      
> > the minlen=6 should work like you need, however you are stating that
> > after less than a minute or 3 bad attempts you may still login correct?
> >
> >    
> >
> > > This configuration does hold me to a minimum of 6 characters, but I can
> > > reuse passwords.
> > > ----- Original Message -----
> > > From: "Jason Gerfen" <jason.gerfen@xxxxxxxxxxxx>
> > > To: "Terry Orgill" <terry@xxxxxxxxxxx>; "Pluggable Authentication
> > >      
> Modules"
>  
>
> > > <pam-list@xxxxxxxxxx>
> > > Sent: Thursday, September 23, 2004 10:32 AM
> > > Subject: Re: Gettring Started
> > >
> > >
> > >
> > >
> > >      
> > >
> > > > Terry Orgill wrote:
> > > >
> > > >
> > > >
> > > >        
> > > >
> > > > > I am urgently trying to get PAM working for a customer (RH 7.1, PAM
> > > > > 0.77) that is about to undergo a security audit.  I need password
> > > > > expiration, minimum password length, no reuse of passwords, lockout of
> > > > > users after three unsuccessful attempts to login, one session only for
> > > > > users.  I have the one session part working
> > > > > (/etc/security/limits.conf), but nothing else will.  I am using
> > > > > pam_cracklib.so, pam_pwdb.so for the password part.  I am using
> > > > > pam_tally.so for the login part.  It just ignores me.  I did manage to
> > > > > get a user locked out by substituting pam.conf for pam.d, but then I
> > > > > could not get the user unlocked.  If I run pam_tally --user<username>
> > > > > it always returns a 0 for unsuccessful attempts no matter how many
> > > > > there are.  I know this stuff must work, but I am having a hell of a
> > > > > time figuring it out.  HELP!
> > > > >
> > > > >          
> > > > ------------------------------------------------------------------------
> > > >        
> > > >
> > > > > _______________________________________________
> > > > >
> > > > > Pam-list@xxxxxxxxxx
> > > > > https://www.redhat.com/mailman/listinfo/pam-list
> > > > >
> > > > >
> > > > >
> > > > >          
> > > > Could you include the list of services you are needing to setup these
> > > > specifications for (i.e. ftp, login, etc.)
> > > >
> > > > Also send the current configuration setup in your pam.d/ directory for
> > > > each of the services you need to use PAM for?
> > > >
> > > > --
> > > > Jason Gerfen
> > > >
> > > > "And remember... If the ladies
> > > > don't find you handsome, they
> > > > should at least find you handy..."
> > > >            ~The Red Green show
> > > >
> > > >
> > > >        
> > >
> > >      
> > --
> > Jason Gerfen
> > Student Computing
> > Marriott Library
> > 801.585.9810
> > jason.gerfen@xxxxxxxxxxxx
> >
> > "And remember... If the ladies
> > don't find you handsome, they
> > should at least find you handy..."
> >             ~The Red Green show
> >    
>
>  


--
Jason Gerfen
Student Computing
Marriott Library
801.585.9810
jason.gerfen@xxxxxxxxxxxx

"And remember... If the ladies
don't find you handsome, they
should at least find you handy..."
            ~The Red Green show


_______________________________________________

Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list