24 comments

  1. lock_time & unlock_time options are not working on redhat 4 (2.6.9-55.0.2.ELsmp). I am getting the error messages "pam_tally: unknown option; unlock_time=100" and "pam_tally: unknown option; lock_time=120". We have pam version: pam-0.77-66.21. Does this version support the lock_time & unlock_time options?

  2. Hi, I tried this to add an account lockout policy in rhel 5.0 but it is not working.

    I go to the /etc/pam.d/system-auth file and add both lines to it:

    auth required pam_tally.so no_magic_root
    account required pam_tally.so deny=3 no_magic_root lock_time=180

    After that I checked faillog -u lalit (username).
    It shows the faillog, but when I tried to check whether it locks the account or not, it is not working.

    If you have any other way then please help me ..
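    One way to check what the comment above asks about (whether the failure tally has reached the lockout threshold), as an added example that is not from the original post or from the pam_tally project: it parses the output of `faillog -u <user>` and compares the Failures column with the Maximum column, or with a pam_tally deny= value passed as the third argument. The faillog lines below are constructed samples, not captured output.

```shell
#!/bin/sh
# Constructed sample of `faillog -u <user>` output (not captured from a real host).
# The column layout follows faillog's header: Login Failures Maximum Latest On.
SAMPLE_FAILLOG='Login       Failures Maximum Latest                   On
lalit           3        3   07/14/13 10:22:17 +0200  pts/0
alice           1        0   07/14/13 09:01:05 +0200  pts/1'

# is_locked <faillog output> <user> [deny]
# Prints "locked" or "not locked" and returns 0 when the account is locked.
# An account counts as locked when its failure count has reached the faillog
# Maximum (when that is non-zero) or the pam_tally deny= value given as $3.
is_locked() {
    _out=$1; _user=$2; _deny=${3:-0}
    # Pull the Failures and Maximum columns for the requested login only
    _row=$(printf '%s\n' "$_out" | awk -v u="$_user" '$1 == u { print $2, $3 }')
    [ -n "$_row" ] || { echo "no faillog record for $_user"; return 2; }
    set -- $_row
    _fail=$1; _max=$2
    if [ "$_max" -gt 0 ] && [ "$_fail" -ge "$_max" ]; then
        echo "locked"; return 0
    fi
    if [ "$_deny" -gt 0 ] && [ "$_fail" -ge "$_deny" ]; then
        echo "locked"; return 0
    fi
    echo "not locked"; return 1
}

# Usage on a live host would be: is_locked "$(faillog -u lalit)" lalit 3
is_locked "$SAMPLE_FAILLOG" lalit 3
```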

  3. The following worked for me,

    If you're using pam_tally, use
    pam_tally --reset --user

    If you're using pam_tally2, which is typical in rhel6, use
    pam_tally2 -r -u

  4. $ vi /etc/pam.d/system-auth
    My file doesn't contain the mentioned lines:

    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth required pam_env.so
    auth sufficient pam_unix.so try_first_pass nullok
    #auth sufficient pam_plesk.so try_first_pass
    auth required pam_deny.so

    account required pam_unix.so

    password required pam_cracklib.so try_first_pass retry=3
    #password optional pam_plesk.so try_first_pass
    password sufficient pam_unix.so try_first_pass use_authtok nullok md5
    password required pam_deny.so

    session optional pam_keyinit.so revoke
    session required pam_limits.so
    session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session required pam_unix.so

  5. Add below two lines to system-auth file

    auth required pam_tally.so per_user deny=5 no_magic_root unlock_time=180
    password required pam_cracklib.so try_first_pass retry=5 no_magic_root lock_time=180

    The above lines are used to lock the account for 180 sec and unlock it after 180 sec.

    Hari Mani Kandan.A

  6. Maybe you like this:

    $ ls -slapht /etc/cron.daily/faillog
    4,0K -rwxr-xr-x 1 root root 963 14. Nov 2010 /etc/cron.daily/faillog
    $ cat /etc/cron.daily/faillog
    +++ +++ +++
    #!/bin/sh
    # TRON-DELTA.ORG / faillog (ANACRON) / v1.3.02
    # System and service accounts that keep their default faillog settings
    sAccRem='root daemon bin sys sync games man lp mail news uucp proxy www-data backup list irc gnats nobody libuuid dhcp syslog klog hplip avahi-autoipd gdm messagebus avahi polkituser haldaemon ntp statd clamav mysql saned debian-tor privoxy festival'
    # Every login name present in /etc/passwd
    sAccAll=$(cut -d ':' -f1 /etc/passwd)
    for slAccAll in $sAccAll; do
        # Skip accounts that appear in the exclusion list
        case " $sAccRem " in
            *" $slAccAll "*) continue ;;
        esac
        # Ordinary accounts: lock after 10 failures, for 60 seconds
        /usr/bin/faillog -u "$slAccAll" -m 10 -l 60
    done
    echo "User accounts successfully setup with faillog: $(date)" >> /var/log/cron/security.log
    +++ +++ +++
    For explanation: That script will execute on a daily basis and set all self-defined accounts with -m 10 -l 60. I wrote it to make sure all accounts of "ordinary" users are configured correctly at all times in a way so that no one has to worry about it anymore. There is room for optimization however. 🙂

  7. Write a shell script that checks whether the username and password entered by a user are correct. The script should only allow a maximum of 3 attempts before locking a user out of the system.

    Please, someone help.
