1

How do I configure maximum number of login attempts before the session is dropped for SSH/telnet in PAM?

Falcon Momot
  • 25,244
  • 15
  • 63
  • 92
Revathy
  • 11
  • 2
  • Just an aside, one sentence *"how do I [x]"* questions aren't very popular on ServerFault. That's what Google is for. – Andrew B Oct 07 '13 at 21:03

1 Answers1

0

Have a look at faillog:

-m, --maximum MAX
           Set the maximum number of login failures after the account is disabled to MAX

So faillog -m 5 -u user should allow the user user 5 tries to enter his password correctly.

The following will lock the user account after X tries. Add this to your PAM config and change according to your wishes:

auth required pam_tally.so onerr=fail deny=3
account required pam_tally.so reset

BTW, I googled it.

edit: got it wrong the first time.

fuero
  • 9,591
  • 1
  • 35
  • 40
  • pam_cracklib.so doesnt serve the purpose. My requirement is to configure maximum login attempts when the password prompts while login, not while changing the password. Please note – Revathy Oct 07 '13 at 16:19
  • I've updated my answer. Check if that works for you now. – fuero Oct 07 '13 at 16:49