Re: PAM faillock and sssd

This is not correct; the third pam_faillock line would never be called,
as the second line will always fail. So you can remove it.

And just add
account  required       pam_faillock.so
line to the beginning of account section. Otherwise the fail count will
never be reset on successful authentication.

Tomas Mraz

On Thu, 2013-06-06 at 12:14 +0000, Bryan Harris wrote: 
> Hi all,
> 
> I believe I have accomplished my goal, I'm just wanting to verify with the list that this is the right way to get what I want.  Our configuration is as follows.
> 
> 1. RHEL 6 with some local accounts.
> 2. We are using sssd to authenticate to Active Directory for other accounts.
> 3. We don't want a faillock table maintained for sssd-authenticated users because AD has its own way to do this.
> 4. We _do_ want faillock for local users.
> 
> Our auth section of the system-auth-ac file previously looked like this,
> 
> auth        required      pam_env.so
> auth        required      pam_faillock.so preauth audit deny=3 unlock_time=900
> auth        sufficient    pam_fprintd.so
> auth        sufficient    pam_unix.so try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_sss.so use_first_pass
> auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=900 fail_interval=900
> auth        sufficient    pam_faillock.so authsucc audit deny=3 unlock_time=900 fail_interval=900
> auth        required      pam_deny.so
> 
> In order to skip the faillock stuff for the AD users, I changed the sssd line to look like this,
> 
> auth        [success=done new_authtok_reqd=done default=2]    pam_sss.so use_first_pass
> 
> Can I just confirm that I'm going about this in the correct way?  My goal is: the local linux faillock table is used when a local user fails to authenticate, but local table is not used when a sssd-authenticated user fails to authenticate (I'm hoping to let AD handle that).
> Bryan
> 

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
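To make the two points in the reply concrete, here is a small simulator (an added example, not code from either mail) that replays Bryan's posted auth section and his pam_sss variant under the control-flag rules of pam.conf(5): required/requisite/sufficient expanded to their [value=action] forms, `done` and `die` stopping the stack, and `default=N` jumping over the next N lines. Every module's return code is faked, so nothing here is observed sssd or pam_unix output; in particular it assumes pam_sss answers user_unknown for an account that only exists in /etc/passwd, pam_fprintd fails for lack of a reader, and deny=3 as on the page. Tomas' `account required pam_faillock.so` line is modelled as a flag that zeroes the tally after a successful login. The trace shows that the `authsucc` line never runs on any path of the original stack, that without the account line the tally stays where it was after a successful login, and that with the `default=2` jump a failed AD password never reaches `authfail`. Under the user_unknown assumption the same jump also skips `authfail` for a local user, because a non-success return from pam_sss takes the `default=2` branch whatever its cause; on a real host that is worth confirming with `faillock --user <name>` after a deliberately wrong local password.

```python
"""Replay the pam_faillock auth stacks from this thread under the Linux-PAM
control-flag rules (pam.conf(5)) with every module's return code faked, so
the script runs offline.  Added example; not code from the original mails."""
import re

# Keyword controls as the [value=action] maps pam.conf(5) defines for them.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
}
AUTH_LINE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
DENY = 3  # deny=3 on every pam_faillock line in the thread

# The auth section as posted, and the variant with the jump on pam_sss.
ORIGINAL_STACK = """
auth        required      pam_env.so
auth        required      pam_faillock.so preauth audit deny=3 unlock_time=900
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=900 fail_interval=900
auth        sufficient    pam_faillock.so authsucc audit deny=3 unlock_time=900 fail_interval=900
auth        required      pam_deny.so
"""
BRYAN_STACK = ORIGINAL_STACK.replace(
    "auth        sufficient    pam_sss.so use_first_pass",
    "auth        [success=done new_authtok_reqd=done default=2]    pam_sss.so use_first_pass")


def parse_auth_stack(text):
    """Return [(control_map, module, argv)] for each auth line of the text."""
    stack = []
    for raw in text.strip().splitlines():
        m = AUTH_LINE.match(raw)
        if not m:
            continue
        ctl, module, args = m.groups()
        control = (dict(kv.split("=", 1) for kv in ctl.strip("[]").split())
                   if ctl.startswith("[") else KEYWORDS[ctl])
        stack.append((control, module, args.split()))
    return stack


def fake_module(module, argv, user, password, tally):
    """Assumed return codes (not observed output).  user = ("local"|"ad", good_pw);
    pam_sss is assumed to answer user_unknown for an account sssd does not manage."""
    kind, good = user
    if module == "pam_faillock.so":
        if "preauth" in argv:                 # locked once the tally reaches deny=
            return "auth_err" if tally >= DENY else "success"
        return "success" if "authsucc" in argv else "auth_err"
    if module == "pam_unix.so":
        return "success" if kind == "local" and password == good else "auth_err"
    if module == "pam_sss.so":
        return ("success" if password == good else "auth_err") if kind == "ad" else "user_unknown"
    return {"pam_env.so": "success", "pam_succeed_if.so": "success",  # uid >= 500 holds
            "pam_fprintd.so": "authinfo_unavail",                      # no reader present
            "pam_deny.so": "auth_err"}[module]


def run_auth(stack, user, password, tally):
    """Walk the stack; return (final result, pam_faillock actions that actually ran)."""
    failed = succeeded = False
    ran, i = [], 0
    while i < len(stack):
        control, module, argv = stack[i]
        rc = fake_module(module, argv, user, password, tally)
        if module == "pam_faillock.so":
            ran.append(argv[0])
        action = control.get(rc, control["default"])
        i += 1
        if action in ("ok", "done"):
            succeeded = succeeded or rc == "success"
        elif action in ("bad", "die"):
            failed = True
        elif action != "ignore":              # a number: skip that many lines
            i += int(action)
        if action in ("done", "die"):         # both terminate the stack
            break
    return ("success" if succeeded and not failed else "fail"), ran


def simulate(stack_text, user, attempts, account_faillock):
    """Replay password attempts; return [(result, faillock actions, tally afterwards)].
    account_faillock models 'account required pam_faillock.so', which resets
    the tally after a successful authentication."""
    stack = parse_auth_stack(stack_text)
    tally, history = 0, []
    for password in attempts:
        result, ran = run_auth(stack, user, password, tally)
        if "authfail" in ran:
            tally += 1
        if result == "success" and ("authsucc" in ran or account_faillock):
            tally = 0
        history.append((result, ran, tally))
    return history


if __name__ == "__main__":
    local, ad = ("local", "s3cret"), ("ad", "hunter2")   # constructed test users
    for name, stack in (("original", ORIGINAL_STACK), ("bryan", BRYAN_STACK)):
        print(name, "local:", simulate(stack, local, ["x", "x", "s3cret"], False))
        print(name, "ad:   ", simulate(stack, ad, ["x", "hunter2"], False))
```

Reading the output: in the original stack every local or AD failure ends at the `[default=die]` authfail line, so `authsucc` appears in no trace and can go; a correct password after two failures succeeds but leaves the tally at 2 unless the account-phase reset is enabled, which is the second point of the reply.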

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list