Re: PAM faillock and sssd



Hi Tomas,

Thanks again for your help.

On Jun 06, 2013, at 01:44 PM, Tomas Mraz <tmraz@xxxxxxxxxx> wrote:

> On Thu, 2013-06-06 at 18:24 +0000, Bryan Harris wrote:
> > I have removed the 3rd line, and I have placed the account line at the
> > beginning of the account section. For some reason now, faillock does
> > not increment new failures for my users. Any ideas?
>
> I'd have to see your current PAM config to tell. Also you need to
> examine the failures before you log in successfully with that user -
> because the account required will reset the failures
> once the user successfully authenticates.

In my file below, I changed the sssd line back to sufficient instead of the stuff I had placed in it before. When I do a failed login for my sssd account, it does not any longer increment the counter for me (Yay!).

However, in my testing, I'm trying to log in as root but the counter is not incrementing. I've tried both ssh and the consoles. Each time I just type a bunch of wrong letters for my root user password, but my counters don't change. In fact I don't even see the root counter any more. I wonder if I've broken the faillock mechanism?

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required
auth        requisite preauth audit deny=3 even_deny_root unlock_time=900
auth        sufficient
auth        sufficient try_first_pass
auth        requisite uid >= 500 quiet
auth        sufficient use_first_pass
auth        [default=die] authfail audit deny=3 even_deny_root unlock_time=900 fail_interval=900
auth        required

account     required
account     required
account     sufficient
account     sufficient uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore]
account     required

password    requisite try_first_pass retry=3 type=  dcredit=-1      ucredit=-1      ocredit=-1      lcredit=-1      difok=4         maxrepeat=3
password    sufficient use_authtok
password    sufficient sha512 shadow try_first_pass use_authtok remember=24
password    required

session     optional revoke
session     required
session     optional
session     [success=1 default=ignore] service in crond quiet use_uid
session     required
session     optional
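The root symptom described above, as an added example that is not from this thread: a simplified simulator of Linux-PAM auth-stack control flow (requisite, required, sufficient, [default=die]). The module names (pam_env.so, pam_faillock.so, pam_fprintd.so, pam_unix.so, pam_succeed_if.so, pam_sss.so, pam_deny.so) are assumed from the standard authconfig layout, since the posted config shows them stripped. It shows that a requisite "uid >= 500" line sitting before the authfail line aborts the stack for root, so the counter-incrementing module is never reached, regardless of even_deny_root.

```python
# Added example (not from the mailing list): simplified Linux-PAM auth-stack
# walker, used to see which modules run on a failed login and hence whether
# pam_faillock's authfail line (the counter increment) is reached.
# Module names are assumed from the standard authconfig layout.

def module_ok(module, args, uid, password_ok, locked=False):
    """Return True if the module would report PAM_SUCCESS for this attempt."""
    if module == "pam_succeed_if.so":          # only "uid >= 500" is modelled
        return uid >= 500
    if module in ("pam_unix.so", "pam_sss.so"):
        return password_ok
    if module == "pam_faillock.so":            # authfail treated as failing (stack denies either way)
        return not locked if "preauth" in args else False
    if module in ("pam_fprintd.so", "pam_deny.so"):
        return False
    return True                                 # pam_env.so

def run_auth(stack, uid, password_ok, locked=False):
    """Walk the stack with the common control flags; return (authenticated, ran)."""
    ran, failed_required = [], False
    for control, module, args in stack:
        ran.append(module if "faillock" not in module else f"{module} {args.split()[0]}")
        ok = module_ok(module, args, uid, password_ok, locked)
        if control == "requisite" and not ok:
            return False, ran                   # requisite failure aborts the stack at once
        if control == "sufficient" and ok and not failed_required:
            return True, ran                    # success short-circuits the rest
        if control == "required" and not ok:
            failed_required = True              # keep going, but the final result fails
        if control == "[default=die]" and not ok:
            return False, ran
    return not failed_required, ran

def counter_incremented(stack, uid, password_ok):
    """The faillock counter moves only when the authfail line actually executes."""
    _, ran = run_auth(stack, uid, password_ok)
    return "pam_faillock.so authfail" in ran

# Constructed stack modelled on the mail's auth section (module names assumed).
AUTH_STACK = [
    ("required",      "pam_env.so",        ""),
    ("requisite",     "pam_faillock.so",   "preauth audit deny=3 even_deny_root unlock_time=900"),
    ("sufficient",    "pam_fprintd.so",    ""),
    ("sufficient",    "pam_unix.so",       "try_first_pass"),
    ("requisite",     "pam_succeed_if.so", "uid >= 500 quiet"),
    ("sufficient",    "pam_sss.so",        "use_first_pass"),
    ("[default=die]", "pam_faillock.so",   "authfail audit deny=3 even_deny_root unlock_time=900"),
    ("required",      "pam_deny.so",       ""),
]
```

For uid 0 with a wrong password the walk stops at pam_succeed_if.so, so the authfail line never runs; for uid 1000 it reaches authfail and the counter increments.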