
Based on the suggestion given in:

Account Lockout with pam_tally2 in RHEL6

I have come to a working configuration, wherein the account is getting locked out after 3 failed logins.

The catch is that the pam_tally counter is getting incremented by one even before I enter the password, i.e. just when I enter the username. The behaviour is like:

Open the SSH client, enter the username: the tally counter increments by one. Enter the password: the tally counter increments again by one in case of a wrong password, or resets back to zero in case of the right one.

This is leading to the behavior posted by the OP in the original thread, but the difference is that the changes suggested there aren't working in my RHEL6 anymore.

Some snippets from password-auth:

auth        required      pam_env.so
auth        required      pam_tally2.so deny=3 unlock_time=3600 audit
auth        sufficient    pam_unix.so
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     required      pam_tally2.so

/pam.d/sshd

auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    required     pam_tally2.so
account    include      password-auth
password   include      password-auth
Vineeth
  • Are you using Red Hat? In Red Hat every PAM service under /etc/pam.d includes the system-auth file /etc/pam.d/system-auth – c4f4t0r Mar 07 '14 at 14:46
  • Yes, I am using Red Hat. I saw that starting from RHEL6, services have started to use their individual files like sshd, lapd instead of system-auth. What are you suggesting? – Vineeth Mar 08 '14 at 05:34
  • Remove pam_tally2 from password-auth and just use it in sshd, but use pam_tally2 in the auth session, not in account; for more info, man pam_tally2 – c4f4t0r Mar 09 '14 at 07:11
  • I checked the configuration you suggested. The counter is behaving properly now, but the account is not getting locked after 3 failed attempts. I am getting the message "Account locked due to 4 failed logins", but I am still able to log in after entering the correct password. – Vineeth Mar 11 '14 at 06:11
  • http://serverfault.com/questions/459803/pam-tally2-or-pam-faillock-account-lockout-with-ssh – c4f4t0r Mar 11 '14 at 13:55
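The comments above turn on where pam_tally2.so actually ends up once sshd pulls in password-auth through its include lines. The following script is an added example, not code from the question or its answers: it flattens a PAM service stack through its "include" lines, counts the pam_tally2.so entries per phase, and checks that the auth entry precedes pam_unix.so (the layout the pam_tally2 man page uses, so that every attempt is counted and the account-phase entry resets the counter after a successful login). The function names are hypothetical, and the two files it reads are constructed copies of the fragments posted above, written to a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the original post: flatten a PAM service stack
# through its "include" lines and report where pam_tally2.so ends up.
# The PAM files are constructed copies of the question's password-auth and
# sshd fragments, written to a temporary directory so this runs offline.
set -eu

# flatten_stack DIR SERVICE TYPE
# Print the effective TYPE (auth|account|...) lines of SERVICE under DIR,
# expanding "TYPE include FILE" in place, with comments stripped.
flatten_stack() {
    [ -f "$1/$2" ] || { echo "missing PAM file: $1/$2" >&2; return 1; }
    sed 's/#.*//' "$1/$2" \
    | awk -v t="$3" '$1 == t' \
    | while read -r type ctl mod args; do
        if [ "$ctl" = include ]; then
            flatten_stack "$1" "$mod" "$3"   # recurse into the included file
        else
            printf '%s %s %s%s\n' "$type" "$ctl" "$mod" "${args:+ $args}"
        fi
    done
}

# count_tally2 DIR SERVICE TYPE -> number of pam_tally2.so lines in the flattened stack
count_tally2() {
    flatten_stack "$1" "$2" "$3" | grep -c 'pam_tally2\.so' || true
}

# tally2_before_unix DIR SERVICE -> exit 0 if, in the auth stack, pam_tally2.so
# comes before pam_unix.so (man pam_tally2 layout: count every attempt, then let
# the account-phase entry reset the counter after a successful login).
tally2_before_unix() {
    flatten_stack "$1" "$2" auth | awk '
        /pam_tally2\.so/ && !seen_unix { ok = 1 }
        /pam_unix\.so/ { seen_unix = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# lint_service DIR SERVICE: human-readable summary of the checks above
lint_service() {
    auth_n=$(count_tally2 "$1" "$2" auth)
    acct_n=$(count_tally2 "$1" "$2" account)
    echo "$2: pam_tally2.so appears ${auth_n}x in auth, ${acct_n}x in account"
    if [ "$auth_n" -gt 1 ]; then
        echo "  warning: counted more than once per attempt (listed in $2 and in an included file)"
    fi
    if [ "$acct_n" -gt 1 ]; then
        echo "  note: account-phase reset listed more than once (redundant, as in the question)"
    fi
    if tally2_before_unix "$1" "$2"; then
        echo "  ok: auth entry precedes pam_unix.so"
    else
        echo "  warning: auth entry missing or placed after pam_unix.so"
    fi
}

# setup_example -> path of a temporary pam.d directory holding constructed copies
# of the fragments from the question
setup_example() {
    d=$(mktemp -d)
    cat > "$d/password-auth" <<'EOF'
auth        required      pam_env.so
auth        required      pam_tally2.so deny=3 unlock_time=3600 audit
auth        sufficient    pam_unix.so
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     required      pam_tally2.so
EOF
    cat > "$d/sshd" <<'EOF'
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    required     pam_tally2.so
account    include      password-auth
password   include      password-auth
EOF
    printf '%s\n' "$d"
}

pamdir=$(setup_example)
lint_service "$pamdir" sshd
rm -rf "$pamdir"
```

On a real box, point the functions at /etc/pam.d and the service you care about. To watch the counter while you test, `pam_tally2 --user NAME` prints the current count and `pam_tally2 --user NAME --reset` clears it; run each login attempt from a client with key authentication disabled so that a rejected key is not what you are counting.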

1 Answer

I just had a similar problem, and the problem was with my putty settings.

Every time I logged into the server, the pam_tally2 counter would get incremented, even when logging in "normally" (that is, by entering my password). My PuTTY settings were set to attempt the connection using a private/public key, which failed (because the destination server did not have the correct settings in ~/.ssh/authorized_keys). The session would then ask for the user's password and log me in. However, the attempt to log in using the private/public keys would count as a login failure.

In the PuTTY session definition, I had:

PuTTY configuration / Connection / SSH / Auth: Authentication methods:

  • Checked - Attempt Authentication Pageant
  • Checked - Attempt "Keyboard interactive"

So after unchecking the 2 options above and removing the private key file from the authentication definition, PuTTY stops trying to log into the server using the keys and the failure goes away.

Sorry if this does not apply to your problem.

masegaloeh
Blaise