Solved

setting up pam tally on linux server

Posted on 2014-04-29
6
814 Views
Last Modified: 2014-05-08
I'm having trouble setting up my Linux server which I recently inherited.  This is for scientific calculations, and I am a professor here at the University.  I am fairly new to this.

My server keeps a tally of failed login attempts.  Everytime a user fails a login, it adds to the tally which is set at 10.  When the tally reaches 10, the user cannot logon.

The problem is that even on a successful login, two failed tallies are added to the user.  This means that the user will be locked out even if they successfully logged in 3 times.

I am playing around with the following files, but it is not successful.

/etc/pam.d/login
/etc/pam.d/system-auth-ac

I would like to do the following:
1)  Change the failed tally to a higher number...like 100
2)  Have the server reset the tally to zero every 24 hours
3)  Make it so that a failed tally is not registered if the user successfully logs in.

Any of these three will make this server usable.  Currently, it is not usable due to the problem mentioned above.  Thanks for your help.
0
Comment
Question by:ted_yu
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 19

Expert Comment

by:simon3270
ID: 40031976
Is it pam_tally.so or pam_tally.so in /etc/pam.d/login?

The rise on successful login might be a permissions problem on on of the login files - try adding
    onerr=succeed
to the pam_tally line in /etc/pam.d/login.

The count should also be there - if not, add it with
    deny=n
where n is the number of failed attempts.

Do any other pam.d files have pam_tally.so or pam_tally2.so in them?  You may be hitting the checks in the wrong place (though they may well be valid in the ssh or su files too).
0
 
LVL 19

Accepted Solution

by:
simon3270 earned 300 total points
ID: 40031988
You can reset the count with

    pam_tally --user fred --reset

(or pam_tally2, if that is what you are using).  I don't think there's a global reset, so you'd have to have separate calls of each user on the system, or you might be able to delete the faillog file though I haven't tried that.

BTW, best not have pam_tally AND pam_tally2 settings - they don't mix well!

(anywhere I say "pam_tally or pam_tally", I mean one of them to be pam_tally2!!!)
0
 

Author Comment

by:ted_yu
ID: 40036104
Thanks, this helped.  My system now denies at 40 fails and instead of tallying twice every successful login, it only tallys once.  What really helped was that I didn't realize I had to type "/etc/init.d/sshd restart" to execute the changes I made to system-auth file.

Unfortunately, it is still tallying once on a successful login, and I wonder if you know what is causing it.  Here is my new system-auth file.

Here is my system-auth file:
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        required      pam_tally2.so deny=40 onerr=succeed unlock_time=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
account     required      pam_tally2.so

password    requisite     pam_cracklib.so try_first_pass retry=6 minlen=8 ucredit=-1 lcredit=-1 ocredit=-1
password    sufficient    pam_unix.so sha512 shadow nis nullok try_first_pass use_authtok remember=2
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Closing Comment

by:ted_yu
ID: 40051400
Thanks for your help.  Would've like to get the tally to not count, but I have made it usable.
0
 
LVL 19

Expert Comment

by:simon3270
ID: 40051550
Thanks for the points.

I'll try to find out what would cause it to count successes in the tally.  Are there any other references to pam_tally2 in the files in /etc/pam.d?
0
 

Author Comment

by:ted_yu
ID: 40051890
Actually, there is a file called:  /etc/pam.d/system-auth-ac-backup

Where it is still showing onerr=fail.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hyper-convergence systems have taken the IT world by storm and have quickly started to change our point of view of how the data center should and could be architected. In this article, I’ll explain the benefits of employing a hyper-converged system …
Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question