SDB:Lock user account after login fails



Concern

You want to lock a user's account after they have failed to authenticate a given number of times, e.g. three times.

Solution

The following describes how you can do this for local accounts in /etc/passwd and the SSH service. In principle this is possible with any service that authenticates through PAM.

The PAM module pam_tally.so counts failed logins per user and can deny access once a threshold is reached. Add the two pam_tally.so lines shown below to /etc/pam.d/sshd (the remaining lines are the usual sshd stack):

 #%PAM-1.0
 auth required   pam_tally.so onerr=fail no_magic_root
 auth required   pam_unix2.so # set_secrpc
 auth required   pam_nologin.so
 auth required   pam_env.so
 account required        pam_unix2.so
 account required        pam_nologin.so
 account required        pam_tally.so deny=3 reset no_magic_root
 password required       pam_pwcheck.so
 password required       pam_unix2.so    use_first_pass use_authtok
 session required        pam_unix2.so    none     # trace or debug
 session required        pam_limits.so

Each time a user fails the authentication procedure, the counter of failed attempts for that user is increased by one. Once the counter reaches three (the deny=3 parameter on the account line), the account is locked; onerr=fail makes pam_tally refuse the login if it cannot read or update its counter file, and no_magic_root means root is counted and locked like any other user.
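The following script is an added example and is not part of the SDB page or of pam_tally itself. It audits a PAM service file for the lockout configuration shown above (pam_tally.so present in both the auth and account phases, with a deny= threshold) and then simulates the counter behaviour the text describes. The configuration text it checks is a constructed copy of the sshd stack embedded in the script, so it runs offline; point pam_tally_deny at the contents of a real /etc/pam.d/sshd to audit a system.

```shell
#!/bin/sh
# Added example: audit a PAM service file for pam_tally.so lockout settings
# and simulate the failed-login counter. Not from the SDB page or pam_tally.

# Constructed copy of the sshd PAM stack from the page (not read from a live
# system), so the script can be run anywhere.
SAMPLE_PAM_SSHD='#%PAM-1.0
auth required   pam_tally.so onerr=fail no_magic_root
auth required   pam_unix2.so # set_secrpc
auth required   pam_nologin.so
account required        pam_unix2.so
account required        pam_tally.so deny=3 reset no_magic_root
session required        pam_limits.so'

# pam_tally_deny CONFIG_TEXT
# Prints the deny= threshold. Returns 1 if pam_tally.so is missing from the
# auth phase (nothing would count failures), 2 if it is missing from the
# account phase (nothing would enforce the lock), 3 if deny= is absent.
pam_tally_deny() {
    cfg=$1
    # Drop comments and blank lines so commented-out entries do not count.
    cfg=$(printf '%s\n' "$cfg" | sed 's/#.*$//' | grep -v '^[[:space:]]*$' || true)
    printf '%s\n' "$cfg" \
        | grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_tally\.so' \
        || return 1
    acct=$(printf '%s\n' "$cfg" \
        | grep -E '^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_tally\.so' || true)
    [ -n "$acct" ] || return 2
    deny=$(printf '%s\n' "$acct" | sed -n 's/.*[[:space:]]deny=\([0-9][0-9]*\).*/\1/p')
    [ -n "$deny" ] || return 3
    printf '%s\n' "$deny"
}

# simulate_tally THRESHOLD RESULT...
# Walks a sequence of login outcomes (fail|ok) with the semantics the page
# describes: every failure increments the counter, a successful login resets
# it (the "reset" option), and reaching THRESHOLD locks the account.
# Prints "locked" or "open".
simulate_tally() {
    threshold=$1; shift
    count=0
    for r in "$@"; do
        case $r in
            fail) count=$((count + 1)) ;;
            ok)   count=0 ;;
        esac
        if [ "$count" -ge "$threshold" ]; then
            echo locked
            return 0
        fi
    done
    echo open
}

# Stand-alone run: audit the embedded sample, then replay a login sequence.
if deny=$(pam_tally_deny "$SAMPLE_PAM_SSHD"); then
    echo "sshd locks accounts after $deny failed logins"
    simulate_tally "$deny" fail fail ok fail fail fail
else
    echo "pam_tally lockout is not fully configured (code $?)"
fi
```

The audit deliberately requires pam_tally.so in both phases: the auth entry is what increments the counter, and the account entry with deny= is what actually refuses the login, so a stack with only one of them silently provides no lockout.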

The locked account can be unlocked by calling

faillog -r -a <UID>

where <UID> has to be replaced with the real login name of the user. Further documentation about pam_tally.so can be found in the PAM documentation.
