3

Previously, I asked about using pam_tally2 under RHEL6. I would like to pose this question and answer to document the recommended use of pam_faillock over pam_tally2 for the same function;

What is the recommended strategy for temporary account locking in Red Hat 6?

Aaron Copley
  • 12,345
  • 5
  • 46
  • 67

1 Answers1

4

The pam_faillock module was introduced to us in the Technical Notes for Red Hat Enterprise Linux 6.1. And somehow this flew under my radar until now.

BZ#644971
A new pam_faillock module was added to support temporary locking of user accounts in the event of multiple failed authentication attempts. This new module improves functionality over the existing pam_tally2 module, as it also allows temporary locking when the authentication attempts are done over a screen saver.

The Security Guide explains to us how this module should be used in section 2.1.9.5, Account Locking.

Follow these steps to configure account locking:

To lock out any non-root user after three unsuccessful attempts and unlock that user after 10 minutes, add the following lines to the auth section of the /etc/pam.d/system-auth and /etc/pam.d/password-auth files:

auth        required       pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth        sufficient     pam_unix.so nullok try_first_pass
auth        [default=die]  pam_faillock.so authfail audit deny=3 unlock_time=600

Add the following line to the account section of both files specified in the previous step:

account     required      pam_faillock.so

I've intentionally stopped here because this will provide the functionality that most are looking for. If you wish to include the root user, read on at the link provided.

Aaron Copley
  • 12,345
  • 5
  • 46
  • 67