This is not correct: the third pam_faillock line would never be called,
as the second line will always fail. So you can remove it.

And just add the
account  required
line to the beginning of the account section. Otherwise the fail count will
never be reset on successful authentication.

Tomas Mraz

On Thu, 2013-06-06 at 12:14 +0000, Bryan Harris wrote: 
> Hi all,
> I believe I have accomplished my goal, I'm just wanting to verify with the list that this is the right way to get what I want.  Our configuration is as follows.
> 1. RHEL 6 with some local accounts.
> 2. We are using sssd to authenticate to Active Directory for other accounts.
> 3. We don't want a faillock table maintained for sssd-authenticated users because AD has its own way to do this.
> 4. We _do_ want faillock for local users.
> Our auth section of the system-auth-ac file previously looked like this,
> auth        required
> auth        required preauth audit deny=3 unlock_time=900
> auth        sufficient
> auth        sufficient try_first_pass
> auth        requisite uid >= 500 quiet
> auth        sufficient use_first_pass
> auth        [default=die] authfail audit deny=3 unlock_time=900 fail_interval=900
> auth        sufficient authsucc audit deny=3 unlock_time=900 fail_interval=900
> auth        required
> In order to skip the faillock stuff for the AD users, I changed the sssd line to look like this,
> auth        [success=done new_authtok_reqd=done default=2] use_first_pass
> Can I just confirm that I'm going about this in the correct way?  My goal is: the local linux faillock table is used when a local user fails to authenticate, but the local table is not used when a sssd-authenticated user fails to authenticate (I'm hoping to let AD handle that).
> Bryan
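Added example, mine and not from either message: a small Python model of Linux-PAM auth-stack control flow, run over the auth section quoted above, showing why the authsucc line is never reached and which lines the default=2 change skips for a failed sssd login. The module names (pam_env.so, pam_unix.so, pam_succeed_if.so, pam_sss.so, pam_deny.so) are my assumption from the standard RHEL 6 layout, since the quoted config has them stripped, and the per-module results are constructed.

```python
# Added example, not from the thread: a simplified model of Linux-PAM auth-stack control
# flow. Module names are my assumption (usual RHEL 6 layout); the quoted config has them stripped.

def parse_ctl(ctl):
    # Expand the keyword controls into their [value=action] equivalents.
    table = {"required": {"success": "ok", "default": "bad"},
             "requisite": {"success": "ok", "default": "die"},
             "sufficient": {"success": "done", "default": "ignore"}}
    return table.get(ctl) or dict(kv.split("=") for kv in ctl.strip("[]").split())

def run_stack(stack, outcome):
    # stack: list of (control, module); outcome(module) -> "success"/"fail". Returns (result, trace).
    trace, failed, i = [], False, 0
    while i < len(stack):
        ctl, mod = stack[i]
        res = outcome(mod)
        trace.append(mod)
        actions = parse_ctl(ctl)
        action = actions.get(res, actions.get("default", "ignore"))
        if action in ("done", "die"):   # both stop the stack right here
            return ("success" if action == "done" and not failed else "fail"), trace
        if action == "bad":             # required failure: remember it, keep going
            failed = True
        elif action.isdigit():          # default=N: jump over the next N lines
            i += int(action)
        i += 1
    return ("fail" if failed else "success"), trace

def auth_stack(sss_ctl):
    # The quoted auth section; sss_ctl is the control field on the pam_sss line.
    return [("required", "pam_env.so"),
            ("required", "pam_faillock.so preauth"),
            ("sufficient", "pam_unix.so"),
            ("requisite", "pam_succeed_if.so"),
            (sss_ctl, "pam_sss.so"),
            ("[default=die]", "pam_faillock.so authfail"),
            ("sufficient", "pam_faillock.so authsucc"),
            ("required", "pam_deny.so")]

def outcome_for(kind, password_ok):
    # Constructed module behaviour for a "local" or "ad" user who is not locked out.
    def outcome(mod):
        if mod == "pam_unix.so":
            return "success" if kind == "local" and password_ok else "fail"
        if mod == "pam_sss.so":
            return "success" if kind == "ad" and password_ok else "fail"
        if mod in ("pam_deny.so", "pam_faillock.so authfail"):
            return "fail"   # authfail only records the attempt; it always fails
        return "success"
    return outcome
```

Compare run_stack(auth_stack("sufficient"), ...) with the "[success=done new_authtok_reqd=done default=2]" variant: the authsucc module never appears in any trace, which is why the counter has to be reset from the account phase instead.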