Re: pam_tally & SSH not working properly at all -- FC5T3 w/ pam 0.99

/etc/pam.d/system-auth:
#%PAM-1.0
...
auth        sufficient    pam_unix.so nullok try_first_pass
...
account     sufficient    pam_succeed_if.so uid < 500 quiet
...
password    sufficient    pam_unix.so md5 nullok try_first_pass use_authtok
...
These lines are really annoying me now. How can I change them so that they're no longer "sufficient" but just part of the process? (As in, so that the auth doesn't stop there and so that pam_tally has an effect.)
Firewing1
-----------------------------------------------------------------------------------------
My web site:
http://www.nongnu.org/script-wing




From: Darren Tucker <dtucker@xxxxxxxxxx>
Reply-To: dtucker@xxxxxxxxxx,Pluggable Authentication Modules <pam-list@xxxxxxxxxx>
To: Pluggable Authentication Modules <pam-list@xxxxxxxxxx>
Subject: Re: pam_tally & SSH not working properly at all -- FC5T3 w/ pam 0.99
Date: Mon, 6 Mar 2006 15:07:00 +1100

On Sun, Mar 05, 2006 at 11:30:57AM -0500, Stewart Adam wrote:
> /etc/pam.d/system-auth file:
> -- start --
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        required      pam_deny.so

[...]
> Do I have to change them to "Required"?

Just blindly changing "sufficient" to "required" won't do what you
want since the "required pam_deny.so" will mean that you will end up
disallowing all authentications.

> Or would I be able to make it so that I tell my system to use pam_tally
> for everything, but it will only block SSH?

The safest thing to do is probably constructing a sshd PAM config
file that does what you want starting with a copy of system-auth.
Something like this for the auth section ought to work (untested):

auth        required      pam_env.so
auth        required      pam_unix.so nullok try_first_pass
auth        required      pam_tally.so
auth        requisite     pam_succeed_if.so uid >= 500 quiet

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

_______________________________________________

Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
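
Added example, not part of the original thread or of Linux-PAM: a simplified Python model of the control flags, showing which modules are reached and whether authentication is granted for each stack discussed above. The placement of pam_tally in the original stack, the module outcomes, and the names `run_stack` and `outcomes` are assumptions made for illustration.

```python
# Simplified model of Linux-PAM control flags for one stack (auth).
# Module outcomes are supplied by the caller; nothing here calls real PAM.

def run_stack(stack, outcome):
    """stack: [(control, module)]; outcome: module -> True on success.
    Returns (granted, modules_invoked)."""
    failed = succeeded = False
    invoked = []
    for control, module in stack:
        invoked.append(module)
        ok = outcome[module]
        if control == "requisite" and not ok:
            return False, invoked        # fail and stop immediately
        if control == "required" and not ok:
            failed = True                # remember the failure, keep going
        elif control == "sufficient" and ok and not failed:
            return True, invoked         # succeed and stop immediately
        elif ok and control != "optional":
            succeeded = True             # a failing "sufficient" is ignored
    return (succeeded and not failed), invoked

def outcomes(password_ok):
    # Constructed results: uid >= 500 and tally not exceeded are assumed.
    return {"pam_env": True, "pam_unix": password_ok, "pam_tally": True,
            "pam_succeed_if": True, "pam_deny": False}

# Quoted system-auth auth lines; pam_tally appended last (assumed placement).
ORIGINAL = [("required", "pam_env"), ("sufficient", "pam_unix"),
            ("requisite", "pam_succeed_if"), ("required", "pam_deny"),
            ("required", "pam_tally")]
# Same lines with "sufficient" blindly changed to "required".
BLIND = [(("required" if c == "sufficient" else c), m) for c, m in ORIGINAL]
# Auth section suggested in the reply.
SUGGESTED = [("required", "pam_env"), ("required", "pam_unix"),
             ("required", "pam_tally"), ("requisite", "pam_succeed_if")]

if __name__ == "__main__":
    for name, stack in (("original", ORIGINAL), ("blind", BLIND),
                        ("suggested", SUGGESTED)):
        for pw in (True, False):
            print(name, "password_ok=%s" % pw, run_stack(stack, outcomes(pw)))
```

With a correct password the original stack returns at pam_unix and never invokes pam_tally, the blind edit always ends in denial because of pam_deny, and the suggested stack invokes pam_tally on both success and failure.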

