AskLinux  - A Place for Linux Enthusiasts

• Home
• Linux Sysadmin
• Linux Tips and Tricks
• Linux Server Setup
• Linux Networking Tool
• Linux BackUp
• Linux Troubleshooting
• Linux Forum
• Unix Stuffs
• Linux Commands
• Linux Installation
• PAM
• Know The Command

How do I lock out a user after a set number of login attempts in Red Hat Enterprise Linux 3 and 4?

The PAM (Pluggable Authentication Module) module pam_tally keeps track of unsuccessful login attempts then disables user accounts when a preset limit is reached. This is often referred to as account lockout.

To lock out a user after 4 attempts, two entries need to be added in the /etc/pam.d/system-auth file:


auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
account required /lib/security/$ISA/pam_tally.so deny=3 no_magic_root reset


The options used above are described below:

onerr=fail
If something strange happens, such as unable to open the file, this determines how the module should react.

no_magic_root
This is used to indicate that if the module is invoked by a user with uid=0, then the counter is incremented. The sys-admin should use this for daemon-launched services, like telnet/rsh/login.

deny=3
The deny=3 option is used to deny access if tally for this user exceeds 4. Note:The count starts from 0.

reset
The reset option instructs the module to reset count to 0 on successful entry.


See below for a complete example of implementing this type of policy:


auth required /lib/security/$ISA/pam_env.so
auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so
account required /lib/security/$ISA/pam_tally.so deny=5 no_magic_root reset

password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
 

For more detailed information on the PAM system please see the documentation contained under /usr/share/doc/pam-<version>


For information on how to unlock a user that has expired their deny tally see additional Knowledgebase articles regarding unlocking a user account and seeing failed logins with the faillog command.