The wikis are now using the new authentication system.
If you did not migrate your account yet, visit https://idp-portal-info.suse.com/

SDB:Lock user account after login fails

Şuraya atla: kullan, ara


Concern

You want to lock a user's account after he/she failed to authenticate e.g. three times.

Solution

The following desribes how you can do this, using /etc/passwd and the service SSH. In principle this is possible with each service, which uses PAM.

There is a PAM module called pam_tally.so with which this intention can be done. Include the following pam_tally.so lines to /etc/pam.d/sshd

 #%PAM-1.0
 auth required   pam_tally.so onerr=fail no_magic_root
 auth required   pam_unix2.so # set_secrpc
 auth required   pam_nologin.so
 auth required   pam_env.so
 account required        pam_unix2.so
 account required        pam_nologin.so
 account required        pam_tally.so deny=3 reset no_magic_root
 password required       pam_pwcheck.so
 password required       pam_unix2.so    use_first_pass use_authtok
 session required        pam_unix2.so    none     # trace or debug
 session required        pam_limits.so
 

If a user fails the authentication procedure, the counter for failed attempts is increased by one. If this counter has reached three (see the deny=3 parameter), the account is locked.

The locked account can be unlocked by calling

faillog -r -a <UID>

where <UID> has to be exchanged by the real login name of the user. You can find further documentation about pam_tally.so in the pam documentation.

<keyword>tally,pam,lock,account,password,failed</keyword>