PAM system-auth config 2

[vodkadrinker]

I am looking to lock the user for 180 seconds if they get 3 failed logins.

My system-auth-config is as follows:-

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally.so no_magic_root
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_plesk.so try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account required pam_tally.so deny=3 magic_root lock_time=180
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password optional pam_plesk.so try_first_pass
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so


Please can someone point me in the right direction, I thought adding this line would do what I required:-

account required pam_tally.so deny=3 magic_root lock_time=180

 

[vodkadrinker]

Answered my own question, changes need to be made to the pam_tally lines.

auth required pam_tally.so onerr=fail deny=3 unlock_time=180
account required pam_tally.so reset

 

[vodkadrinker]

If you are on Centos the pam_tally2 seems to work better so change the lines to the following:-

# vi /etc/pam.d/system-auth
auth required pam_tally2.so onerr=fail deny=3 unlock_time=180
account required pam_tally2.so reset

 

[vodkadrinker]

After checking my logs I realised the reset option is not a valid option, so I removed reset from the following line.

account required pam_tally2.so

So my final pam file looks like:-

# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally2.so onerr=fail deny=3 unlock_time=180
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_plesk.so try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account required pam_tally2.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password optional pam_plesk.so try_first_pass
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so


It seems that notes vary across the internet and you need to make sure the notes you are reading fit your versions.

# cat /etc/*release*
CentOS release 5.3 (Final)

# rpm -qa|grep -i pam
pam-0.99.6.2-4.el5