
I'm trying to implement an account lockout after 3 failed sign-on attempts. Root is exempted.

Here's what I have in my /etc/pam.d/system-auth file so far

auth        required      pam_tally2.so deny=3 onerr=fail magic_root
account     required      pam_tally2.so

On my /etc/pam.d/sshd file, I have added the following line

auth        required      pam_tally2.so deny=3 onerr=fail magic_root

However this does not work. I have tried logging in via SSH with a test non-root user and wrong password but it does not lock me out.

However, if I tweak the /etc/pam.d/sshd file and remove the magic_root line, like so:

auth        required      pam_tally2.so deny=3 onerr=fail

The test account will lock out.

Am I missing something out there?

Also, could someone please explain the difference between /etc/pam.d/system-auth and /etc/pam.d/password-auth? Should settings like these go into system-auth or password-auth? Thanks

1 Answer

I don't have personal experience, but I think you may be misreading the man page for pam_tally2.

Mine says

magic_root

If the module is invoked by a user with uid=0 the counter is not incremented. The sysadmin should use this for user launched services, like su, otherwise this argument should be omitted.

Note the comment about only using with su. Why? Because most other times, this module is always invoked by a user with EUID 0, as most system services that will use this module (passwd, sshd, etc.) run as root, as indeed they must.

So what flag do you need to set to avoid root being locked out by this module under eg sshd? The man page also states that:

Normally, failed attempts to access root will not cause the root account to become blocked, to prevent denial-of-service: if your users aren't given shell accounts and root may only login via su or at the machine console (not telnet/rsh, etc), this is safe.

In other words, the behaviour you want is already the default.

MadHatter
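To make the distinction in the answer concrete, here is a small constructed model of the pam_tally2 counter, added as an example and not the module's real code or anything from the original post. It assumes the man page semantics quoted above: magic_root looks at the uid of the process calling the module (always 0 under sshd), while the default root exemption looks at the target account; it also assumes the tally is bumped on every auth pass and access is refused once it exceeds deny, and that a successful login resets it. The scenario helper and all user names and uids are made up for the demonstration.

```python
# Constructed model of pam_tally2's failure tally (not the real module's code).
# It shows why "magic_root" under sshd exempts every user (sshd invokes PAM as
# uid 0) while the root *account* is already exempt from lockout by default.

ROOT_UID = 0
SSHD_UID = ROOT_UID  # sshd runs its PAM auth stack as root (assumption: typical setup)


class TallyModel:
    """Per-user failure tally with pam_tally2-style deny/magic_root/even_deny_root."""

    def __init__(self, deny=3, magic_root=False, even_deny_root=False):
        self.deny = deny                      # deny=n: refuse once tally exceeds n
        self.magic_root = magic_root          # do not count when the caller is uid 0
        self.even_deny_root = even_deny_root  # also lock the root account itself
        self.counters = {}                    # target user -> failed-attempt tally

    def auth(self, user, caller_uid, password_ok):
        """One pass through the auth stack. Returns 'allow', 'deny' or 'locked'."""
        # magic_root: invoked by a uid-0 process, so the tally is never
        # incremented and therefore never reaches deny. Under sshd this is
        # every login, which is the symptom described in the question.
        if self.magic_root and caller_uid == ROOT_UID:
            return "allow" if password_ok else "deny"

        # Assumed ordering: bump the tally first, then compare with deny.
        self.counters[user] = self.counters.get(user, 0) + 1

        # Default root exemption: the root account is not blocked unless
        # even_deny_root is set, regardless of which process called the module.
        root_exempt = user == "root" and not self.even_deny_root
        if self.counters[user] > self.deny and not root_exempt:
            return "locked"

        if password_ok:
            self.counters[user] = 0  # successful login resets the tally
            return "allow"
        return "deny"


def attempts_until_lock(user, caller_uid, max_attempts=10, **options):
    """Number of consecutive bad-password attempts at which the model reports
    'locked', or None if it never locks within max_attempts."""
    model = TallyModel(**options)
    for n in range(1, max_attempts + 1):
        if model.auth(user, caller_uid, password_ok=False) == "locked":
            return n
    return None


if __name__ == "__main__":
    # Constructed scenarios mirroring the question and the answer.
    print("sshd, deny=3 magic_root, user alice:",
          attempts_until_lock("alice", SSHD_UID, deny=3, magic_root=True))      # None
    print("sshd, deny=3, user alice:",
          attempts_until_lock("alice", SSHD_UID, deny=3))                       # 4
    print("sshd, deny=3, user root (default exemption):",
          attempts_until_lock("root", SSHD_UID, deny=3))                        # None
    print("sshd, deny=3 even_deny_root, user root:",
          attempts_until_lock("root", SSHD_UID, deny=3, even_deny_root=True))   # 4
    print("su run by uid 1000, deny=3 magic_root, target bob:",
          attempts_until_lock("bob", 1000, deny=3, magic_root=True))            # 4
    print("su run by root, deny=3 magic_root, target bob:",
          attempts_until_lock("bob", ROOT_UID, deny=3, magic_root=True))        # None
```

The first two scenarios reproduce what the question reports: with magic_root on the sshd stack no test user ever locks, and without it the account locks on the attempt after the third failure. The third scenario is the point of the answer: root is already exempt with the plain deny=3 line, so magic_root is not needed to protect it under sshd. The su scenarios show where magic_root does what the man page intends: a non-root user running su is counted, while root running su is not.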