Pam Tally Linux to ban users from wrong passwords

0

I have a major problem with a Fedora distribution (17). I don't know how to set up /etc/pam.d/system-auth in order to ban a user after he/she writes the password wrong (3 times).

I have read numerous different additions to this file that achieve this (all are about the same) but they don't work.

For example, I added these lines:

auth required pam_tally.so onerr=fail deny=3 unlock_time=40

But the random user that I created can try his password numerous times without a warning, nothing.

How am I supposed to fix this? Does anyone have a suggestion?

Marcus Roerig

Posted 2013-03-31T00:44:21.353

Reputation: 1

does it affect root/wheel users? – Lorenzo Von Matterhorn – 2013-03-31T00:46:50.033

nope, no one :S – Marcus Roerig – 2013-03-31T01:26:34.650

Answers

0

When PAM locks out a user account, it does not provide any message that the account is locked, so as to provide no additional information to attackers. As such, you will never get a warning that your account is locked out.

To test your settings, enter a good username and bad password 3 times. Then enter the correct username and password within the 40 seconds you have the lock established for. If you are logged in, the settings failed, but if you get "Incorrect username or password" with the correct credentials, then everything is working correctly.

Also, make sure your 'auth required pam_tally.so ...' line precedes your 'auth sufficient pam_unix.so ...' line.

For more hints, check here: http://www.linuxquestions.org/questions/linux-security-4/pam-pam_tally-and-locking-out-users-after-3-failed-login-attempts-in-rhel5-624257/

Frank Thomas

Posted 2013-03-31T00:44:21.353

Reputation: 29 039

I am just switching users from GUI, but still same behavior.... stupid Fedora. – Marcus Roerig – 2013-03-31T02:23:56.793
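
The ordering point from the answer can be checked mechanically on a copy of the PAM file. The following is an added example, not part of the original question or answer; the two sample stacks are constructed, and `auth_stack` and `check_lockout` are names made up here. A `sufficient` module that succeeds ends the auth stack at that point, so a tally line placed after it is never consulted when the password is correct.

```python
import re

# Constructed sample auth stacks for illustration, not copied from a real system.
BROKEN = """\
auth  required    pam_env.so
auth  sufficient  pam_unix.so nullok try_first_pass
auth  required    pam_tally.so onerr=fail deny=3 unlock_time=40
auth  required    pam_deny.so
"""
FIXED = """\
auth  required    pam_env.so
auth  required    pam_tally.so onerr=fail deny=3 unlock_time=40
auth  sufficient  pam_unix.so nullok try_first_pass
auth  required    pam_deny.so
"""

# type, control (plain word or [bracketed] form), module path, optional arguments
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def auth_stack(text):
    """Return (control, module, args) for each auth line, in stack order."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE.match(line)
        if line.startswith("#") or not m or m.group(1) != "auth":
            continue
        module = m.group(3).rsplit("/", 1)[-1]   # drop any directory prefix
        stack.append((m.group(2), module, m.group(4).split()))
    return stack

def check_lockout(text, tally="pam_tally.so", unix="pam_unix.so"):
    """Return (settings, findings); an empty findings list means the order is right."""
    stack = auth_stack(text)
    modules = [module for _, module, _ in stack]
    if tally not in modules:
        return {}, [f"no auth line loads {tally}"]
    _, _, args = stack[modules.index(tally)]
    settings = dict(a.split("=", 1) for a in args if "=" in a)
    findings = []
    if unix in modules and modules.index(tally) > modules.index(unix):
        findings.append(f"{tally} is listed after {unix}")
    if "deny" not in settings:
        findings.append("no deny= limit set")
    return settings, findings

if __name__ == "__main__":
    for name, text in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, check_lockout(text))
```

To check a real file, pass its contents instead of the samples, for example `check_lockout(open("/etc/pam.d/system-auth").read())`.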