
8 comments

  1. From the top of /etc/pam.d/system-auth:

    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.

    Is there another place these options should be set so that authconfig does not clobber them? Right now, as a work around, I am going to `chattr +i /etc/pam.d/system-auth`.


  2. Aaron C, just edit this file and do not use authconfig.

    It should be noted this will not take effect for ssh remote login. You should put it in the `sshd` pam config file for this.

  3. “Append following AUTH configuration to /etc/pam.d/system-auth file”

    This does not work. I have tested it. Even if the failures are recorded, login is not denied at all. The modules are tried in the order listed. You have to prepend it before any ‘auth’ line to use it.

    Another note, we should be using the newer module.

  4. The pam_tally tool shows the number of bad attempts by a user using the /var/log/faillog database. And after the lockout time expires, the count gets cleared with a correct login attempt. Can someone tell me if there is any way I can clear the tally for an account automatically after the lockout time expires for a user?
    I want to clear the tally automatically once the lockout time expires; I don’t want to wait for the user to log in again with correct credentials.
    Any help is highly appreciated.

  5. Before doing this have a quick look in /lib64/security and check that there is a file in there as you may need to use instead.
    If in doubt add the line:
    auth sufficient onerr=fail deny=5 unlock_time=21600
    to the system-auth file instead, then su or log in and check /var/log/secure for error messages.
    You can change the sufficient to required if pam isn’t reporting errors.
    That should save you getting locked out of the root account…

  6. Hi,
    I tried the same but it didn’t work for me. Can you tell me what I should do? I am doing this on CentOS 6.

  7. Under CentOS 6 you should use

    You will want to modify both /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac.

    In the auth section, under insert the following:

    auth        required deny=3 onerr=fail unlock_time=900

    AND, in the account section, under, insert the following:

    account     required

    Make these edits in both files to cover remote and locally authenticated services. (Gnome, SSH)

    1. Aaron C, it didn’t work for me; I got it working using this configuration:

      If your concern is for remote login, you can modify /etc/pam.d/password-auth for ssh auth connections.

      Insert the following under “auth required” :

      auth        required deny=3 unlock_time=900

      AND under “account required” :

      account     required reset

      Hope this can help someone struggling out there!
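Comments 3 and 7 above make the same point from two sides: the lockout line only works if it sits before the first `auth sufficient` line (usually pam_unix.so), and a matching `account` line is needed as well. The script below is an added example, not code from the original post or any of the commenters; it parses a pam.d file and reports whether the lockout module is placed where it will actually run. It assumes the lockout module is pam_tally2.so or pam_faillock.so and that the file uses the system-auth/password-auth layout; the two embedded sample configurations are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Check that a PAM lockout module is placed where it will actually run.

Added example, not from the original post. Assumptions: the lockout module is
pam_tally2.so or pam_faillock.so, and the file follows the layout of
/etc/pam.d/system-auth or /etc/pam.d/password-auth.
"""
import sys
from collections import namedtuple

PamLine = namedtuple("PamLine", "lineno type control module args")

# Assumption: these are the failed-login counting modules the comments refer to.
LOCKOUT_MODULES = ("pam_tally2.so", "pam_faillock.so")


def parse_pam(text):
    """Parse a pam.d file into PamLine records, skipping comments and blanks."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        tokens = line.split()
        if len(tokens) < 3:
            continue  # blank, comment-only, or too short to be type/control/module
        mtype = tokens[0].lstrip("-")  # a leading '-' marks an optional module
        if tokens[1].startswith("["):
            # bracketed control fields such as [success=1 default=ignore]
            i = 1
            while not tokens[i].endswith("]"):
                i += 1
            control, rest = " ".join(tokens[1:i + 1]), tokens[i + 1:]
        else:
            control, rest = tokens[1], tokens[2:]
        if not rest:
            continue
        entries.append(PamLine(lineno, mtype, control, rest[0], rest[1:]))
    return entries


def check_lockout(text):
    """Report whether the lockout configuration in `text` is effective.

    In the auth phase the lockout line must precede the first 'sufficient'
    line: a correct password makes that line return success immediately, so
    anything after it never runs and the lock is never enforced (failures
    are still counted, which is exactly the symptom comment 3 describes).
    An account-phase line is needed as well so the lock applies after the
    counter trips.
    """
    entries = parse_pam(text)
    auth = [e for e in entries if e.type == "auth"]
    account = [e for e in entries if e.type == "account"]

    lockout_auth = next((e for e in auth if e.module in LOCKOUT_MODULES), None)
    first_sufficient = next((e for e in auth if e.control == "sufficient"), None)
    lockout_account = next((e for e in account if e.module in LOCKOUT_MODULES), None)

    result = {
        "auth_line": lockout_auth.lineno if lockout_auth else None,
        "account_line": lockout_account.lineno if lockout_account else None,
        "deny": None,
        "problems": [],
    }
    if lockout_auth is None:
        result["problems"].append("no lockout module in the auth phase")
    else:
        opts = dict(a.split("=", 1) for a in lockout_auth.args if "=" in a)
        if opts.get("deny", "").isdigit():
            result["deny"] = int(opts["deny"])
        if first_sufficient and first_sufficient.lineno < lockout_auth.lineno:
            result["problems"].append(
                f"lockout auth line {lockout_auth.lineno} comes after "
                f"'auth sufficient {first_sufficient.module}' on line "
                f"{first_sufficient.lineno}; it will never run on a correct password")
    if lockout_account is None:
        result["problems"].append("no lockout module in the account phase")
    result["ok"] = not result["problems"]
    return result


# Constructed sample: lockout line appended after 'auth sufficient pam_unix.so'.
BAD = """\
#%PAM-1.0
# constructed sample, not a real system file
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
auth        required      pam_tally2.so deny=3 onerr=fail unlock_time=900

account     required      pam_unix.so
"""

# Constructed sample: lockout line prepended, plus the account-phase line.
GOOD = """\
auth        required      pam_env.so
auth        required      pam_tally2.so deny=3 onerr=fail unlock_time=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_tally2.so
account     required      pam_unix.so
"""

if __name__ == "__main__":
    # Usage: check_pam_lockout.py [/etc/pam.d/system-auth ...]; no args runs the samples.
    sources = [(p, open(p).read()) for p in sys.argv[1:]] or [("BAD", BAD), ("GOOD", GOOD)]
    for name, text in sources:
        r = check_lockout(text)
        print(f"{name}: {'OK' if r['ok'] else 'PROBLEM'}")
        for p in r["problems"]:
            print("  -", p)
```

Run it against both system-auth and password-auth (or their -ac targets on CentOS 6), since comment 7 is right that the two files cover different services. The check deliberately stops at ordering and presence; whether a lock actually triggers is still best confirmed the way comment 5 suggests, by a test login and a look at /var/log/secure.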
