Alright... I think we've made progress but still nothing.
-- start /etc/pam.d/sshd --
#%PAM-1.0
auth include system-auth
auth required pam_tally.so onerr=fail deny=3
auth required pam_env.so
auth required pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
account required pam_nologin.so
account include system-auth
account required pam_tally.so
password include system-auth
session include system-auth
session required pam_loginuid.so
-- end sshd --
-- start /etc/pam.d/system-auth --
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so retry=3
password sufficient pam_unix.so md5 nullok try_first_pass use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
-- end system-auth --
-- start /etc/pam.d/system-auth.rpmnew --
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
auth required pam_deny.so
account required pam_unix.so
password required pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so try_first_pass use_authtok nullok md5
shadow
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
-- end system-auth.rpmnew --
This is now my current (revised) setup. SSH will still let me login after
many, many fails.
I noticed the .rpmnew file, should I be using that one?
Thanks!
Firewing1
From: Darren Tucker <dtucker@xxxxxxxxxx>
Reply-To: dtucker@xxxxxxxxxx,Pluggable Authentication Modules
<pam-list@xxxxxxxxxx>
To: Pluggable Authentication Modules <pam-list@xxxxxxxxxx>
Subject: Re: pam_tally & SSH not working properly at all -- FC5T3 w/ pam
0.99
Date: Mon, 6 Mar 2006 15:07:00 +1100
On Sun, Mar 05, 2006 at 11:30:57AM -0500, Stewart Adam wrote:
> /etc/pam.d/systam-auth file:
> -- start --
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth required pam_deny.so
[...]
> Do I have to change them to "Required"?
Just blindly changing "sufficient" to "required" won't do what you
want since the "required pam_deny.so" will mean that you will end up
disallowing all authentications.
> Or would I be able to make it so that I tell my system to use pam_tally
> for everything, but it will only block SSH?
The safest thing to do is probably constructing a sshd PAM config
file that does what you want starting with a copy of system-auth.
Something like this for the auth section ought to work (untested):
auth required pam_env.so
auth required pam_unix.so nullok try_first_pass
auth required pam_tally.so
auth requisite pam_succeed_if.so uid >= 500 quiet
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
