Hi,

On Sat, Jun 21, 2008 at 09:14:27AM +0200, kukuk@xxxxxxx wrote:
>
> On Sat, Jun 21, Nicolas François wrote:
>
> > If the failure were limited to non-secure TTYs, this would limit the
> > probability of such brute force.
>
> But wouldn't a hacker come from a non-secure TTY most of the time?
> And there you would still have the same problem with your suggestion.
> It only helps for the local console, not for network attacks.

Yes. It's far from perfect.
Enforcing a delay in login might be better to protect against brute force
attacks.

> Between, what I use to avoid your problem in /etc/pam.d/login:
>
> auth requisite pam_nologin.so
> auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
> auth include common-auth

Thanks, that's what I will consider.

Best Regards,
--
Nekral
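
How the bracketed control on the quoted pam_securetty.so line resolves for individual module return codes, next to the plain `requisite` and `required` keywords. This is an added example, not part of the original message; the keyword expansions are the ones documented in pam.conf(5), and the two comparison lines are constructed.

```python
import re

# Keyword controls and their bracketed equivalents, per pam.conf(5).
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

# Line quoted in the message above.
PAGE_LINE = ("auth [user_unknown=ignore success=ok ignore=ignore "
             "auth_err=die default=bad] pam_securetty.so")
# Constructed comparison lines (not from the message).
REQUISITE_LINE = "auth requisite pam_securetty.so"
REQUIRED_LINE = "auth required pam_securetty.so"

def parse_line(line):
    """Split a pam.d rule into (type, {return_code: action}, module)."""
    m = re.match(r"\s*(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
    if not m:
        raise ValueError("not a PAM rule: %r" % line)
    mtype, control, module = m.groups()
    control = KEYWORDS.get(control, control)
    if not control.startswith("["):
        # 'include' / 'substack' pull in another file; out of scope here.
        raise ValueError("unsupported control: %r" % control)
    pairs = dict(p.split("=", 1) for p in control.strip("[]").split())
    return mtype, pairs, module

def action_for(line, return_code):
    """Action taken when the module on `line` returns `return_code`.
    Every control handled here defines default=, so the lookup is total."""
    _, pairs, _ = parse_line(line)
    return pairs.get(return_code, pairs["default"])

def compare(lines, codes=("success", "auth_err", "user_unknown", "service_err")):
    """Map each return code to the action each rule would take."""
    return {code: [action_for(l, code) for l in lines] for code in codes}

if __name__ == "__main__":
    table = compare([PAGE_LINE, REQUISITE_LINE, REQUIRED_LINE])
    print("%-13s %-8s %-10s %s" % ("return code", "page", "requisite", "required"))
    for code, actions in table.items():
        print("%-13s %-8s %-10s %s" % (code, *actions))
```

With the quoted line, only `auth_err` ends the stack at once (`die`); `user_unknown` is ignored, so the stack continues to common-auth, whereas plain `requisite` would `die` on both.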