What is pam_faillock and how to use it in Red Hat Enterprise Linux?

Environment

  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • PAM
  • pam_faillock.so

Issue

  • What is pam_faillock? How do I implement an account lockout policy using pam_faillock.so?
  • pam_tally is deprecated in RHEL 6; what can I configure instead of pam_tally?
  • How do I reset/view a user's failed attempts for pam_faillock?
  • How can I use pam_faillock to keep particular user(s) from being locked out after multiple unsuccessful login attempts?
  • Since the faillog command (pam_tally) is not available in RHEL 6.1, how do I use pam_faillock instead?
  • Steps to configure faillock in RHEL 6.1
  • pam_tally counter reset does not work correctly

Resolution

Configure both /etc/pam.d/system-auth and /etc/pam.d/password-auth as below (local logins use system-auth, while network services such as sshd include password-auth), using either of the two layouts:

Case 1:

auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_faillock.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

..snip..

Case 2:

auth        required      pam_env.so
auth        [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
auth        sufficient    pam_faillock.so authsucc audit deny=3 unlock_time=600
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

..snip..

Either layout locks a user out after 3 consecutive failed login attempts (deny=3) and unlocks the account automatically after 600 seconds, i.e. 10 minutes (unlock_time=600). Case 1 checks the lock state up front with the preauth call and clears the failure counter in the account phase (the account pam_faillock.so line behaves like authsucc); Case 2 omits preauth and clears the counter with an explicit authsucc call after pam_unix.so succeeds. In both layouts the deny= and unlock_time= options must be identical on every pam_faillock.so line, and root is not locked unless even_deny_root is given.

  • To lock out the root user as well, add even_deny_root to the pam_faillock.so auth lines in both /etc/pam.d/system-auth and /etc/pam.d/password-auth, for example:

auth    required    pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=1200 root_unlock_time=600

Use the same option set on the authfail line (and, in Case 2, the authsucc line); pam_faillock expects identical options on every call in the stack. With the line above, ordinary users are unlocked after 1200 seconds and root after root_unlock_time=600 seconds.

  • To exempt particular users from being locked out even after multiple failed logins, add the line below immediately above each pam_faillock.so auth line in both /etc/pam.d/system-auth and /etc/pam.d/password-auth, replacing user1, user2, user3 with the actual usernames:

auth [success=1 default=ignore] pam_succeed_if.so user in user1:user2:user3

success=1 skips exactly one module, so the line only bypasses the pam_faillock.so line directly below it. After inserting it, re-check any other success=N jump in the stack (such as the pam_unix.so line in Case 2), because the inserted line shifts what that jump lands on.

For more information on the parameters of pam_faillock.so, refer to the pam_faillock(8) man page.
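
As an added example (not part of the Red Hat article), the following POSIX shell script sanity-checks a system-auth/password-auth style file for the mistakes discussed above: a pam_faillock.so authfail line placed before pam_unix.so, a preauth line placed after it, a stack with nothing that denies a locked user, a Case 1 stack without the account pam_faillock.so line that resets the counter after a successful login, and pam_faillock.so auth lines whose deny=/unlock_time=/even_deny_root options differ (the typical result of adding even_deny_root to only one line). It reads the file from stdin or a path argument. Both sample stacks at the bottom are constructed here: the first is the Case 1 stack from above, the second is deliberately broken.

```shell
#!/bin/sh
# Added example, not from the Red Hat article: lint a PAM auth stack that uses
# pam_faillock.so.  Usage: check_faillock_stack [/etc/pam.d/system-auth]
# (reads stdin when no file is given).  Exit status 0 = consistent, 1 = problems.

check_faillock_stack() {
    awk '
    # Remember the line number of each module that matters for ordering.
    $1 == "auth" && /pam_faillock\.so/ && /preauth/  { pre  = NR }
    $1 == "auth" && /pam_unix\.so/                   { unix = NR }
    $1 == "auth" && /pam_faillock\.so/ && /authfail/ { fail = NR }
    $1 == "auth" && /pam_faillock\.so/ && /authsucc/ { succ = NR }
    $1 == "account" && /pam_faillock\.so/            { acct = NR }

    # pam_faillock expects the same deny=/unlock_time=/even_deny_root/... options
    # on every auth call: collect them per line and compare with the first seen.
    $1 == "auth" && /pam_faillock\.so/ {
        opts = ""
        for (i = 3; i <= NF; i++)
            if ($i ~ /^(deny|unlock_time|fail_interval|even_deny_root|root_unlock_time)/)
                opts = opts " " $i
        if (seen == "") seen = opts
        else if (seen != opts) mismatch = 1
    }

    END {
        rc = 0
        if (!unix) { print "ERROR: no auth pam_unix.so line"; rc = 1 }
        if (!fail) { print "ERROR: no pam_faillock.so authfail line"; rc = 1 }
        else if (unix && fail < unix) {
            print "ERROR: authfail line must come after pam_unix.so"; rc = 1 }
        if (pre && unix && pre > unix) {
            print "ERROR: preauth line must come before pam_unix.so"; rc = 1 }
        if (!pre && !succ && !acct) {
            print "ERROR: no preauth, authsucc or account pam_faillock.so line; nothing denies a locked user"; rc = 1 }
        if (pre && !succ && !acct) {
            print "ERROR: Case 1 needs an account pam_faillock.so line to reset the counter after a successful login"; rc = 1 }
        if (mismatch) {
            print "ERROR: deny=/unlock_time=/even_deny_root options differ between pam_faillock.so auth lines"; rc = 1 }
        if (rc == 0) print "OK: pam_faillock stack looks consistent"
        exit rc
    }' "$@"
}

# Constructed sample 1: the Case 1 stack from the article (auth and account parts).
sample_case1() {
    cat <<'EOF'
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
EOF
}

# Constructed sample 2: even_deny_root added to preauth only, account line missing.
sample_broken() {
    cat <<'EOF'
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=600
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
auth        required      pam_deny.so
account     required      pam_unix.so
EOF
}

echo "== Case 1 stack =="
sample_case1 | check_faillock_stack
echo "== broken stack =="
sample_broken | check_faillock_stack || echo "(exit status $?)"
```

Run it as check_faillock_stack /etc/pam.d/system-auth and again for password-auth before closing the root session you edited from; a non-zero exit status means at least one check failed.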

  • To view or reset authentication failure records, use the faillock command. To display the records of one user:

# faillock --user <username>

Run faillock with no arguments to list the records of all users. To clear the records of one user, which unlocks the account immediately:

# faillock --user <username> --reset

Without --user, faillock --reset clears the records of every user, so always name the user when unlocking a single account. The records are kept in /var/run/faillock by default (the dir= option changes the location).
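
As an added example (not from the Red Hat article), the following POSIX shell script parses the output of faillock into a per-user report and decides who is currently locked, given the deny= threshold in use. It assumes the output layout shown in the comment (a name: line, a header, and one record per failure with V or I in the Valid column); the sample output embedded at the bottom is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the Red Hat article: turn `faillock` output into a
# per-user lockout report.  `faillock` (all users) or `faillock --user NAME`
# prints, per user, a "name:" line, a header, and one record per failure:
#   When                Type  Source                                           Valid
#   2017-03-01 09:12:44 RHOST 10.0.0.5                                         V
# The last column is V for a record that still counts and I for an expired one.

DENY=3   # must match deny= in /etc/pam.d/system-auth and password-auth

# faillock_status [deny]: read faillock output on stdin and print
# "<user> <valid failures> <locked|ok>" for every user listed.
faillock_status() {
    awk -v deny="${1:-$DENY}" '
    /^[^ ]+:$/ {                           # "alice:" starts a new user block
        user = substr($1, 1, length($1) - 1)
        count[user] += 0                   # users with no records still get a row
        next
    }
    $1 ~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]$/ && $NF == "V" {
        count[user]++                      # a failure record that still counts
    }
    END {
        for (u in count)
            print u, count[u], (count[u] >= deny ? "locked" : "ok")
    }'
}

# is_locked <user> [deny]: exit 0 if the named user, in the faillock output
# read from stdin, has reached the deny threshold.
is_locked() {
    faillock_status "${2:-$DENY}" |
        awk -v u="$1" '$1 == u && $3 == "locked" { found = 1 } END { exit !found }'
}

# Constructed sample in the shape of `faillock` run with no arguments: alice has
# three live failures, bob one live and one expired, carol none.
sample_faillock_output() {
    cat <<'EOF'
alice:
When                Type  Source                                           Valid
2017-03-01 09:12:44 RHOST 10.0.0.5                                         V
2017-03-01 09:12:51 RHOST 10.0.0.5                                         V
2017-03-01 09:13:02 RHOST 10.0.0.5                                         V
bob:
When                Type  Source                                           Valid
2017-02-28 17:40:10 TTY   tty1                                             I
2017-03-01 08:01:33 RHOST 192.0.2.10                                       V
carol:
When                Type  Source                                           Valid
EOF
}

echo "Lockout status with deny=$DENY:"
sample_faillock_output | faillock_status "$DENY" | sort
# On a live system: faillock | faillock_status 3
# Print (do not run) a per-user reset for the locked accounts only; a bare
# "faillock --reset" would clear every user's records.
sample_faillock_output | faillock_status "$DENY" |
    awk '$3 == "locked" { print "faillock --user " $1 " --reset" }'
```

Pipe real output into it with faillock | faillock_status 3; the threshold must match the deny= value in the PAM configuration. The last lines print the per-user faillock --user NAME --reset commands instead of running them, so they can be reviewed before anyone is unlocked.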

SSHD configuration adjustment

  • If pam_faillock.so is not working as expected for SSH logins, the following changes to sshd's configuration may be needed. sshd must have UsePAM yes (the Red Hat default), otherwise the PAM auth stack is never consulted; with the settings below, password logins still work, but through keyboard-interactive authentication rather than the plain password method:

# vi /etc/ssh/sshd_config
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no

Then restart the sshd service for these changes to take effect (RHEL 7):

# systemctl restart sshd

On RHEL 6, use service sshd restart instead.
  • Note: The order of the lines in these files matters. A misplaced pam_faillock.so line (for example the authfail line placed before pam_unix.so, where its [default=die] control ends the stack on every attempt) can lock out every user, and with even_deny_root that includes root. Keep an open root session while editing and verify logins from a second session before closing it.

  • References:
    Where is faillog command for Red Hat Enterprise Linux 6 ?

  • Note: pam_faillock supports temporary locking of user accounts after multiple failed authentication attempts. It improves on the older pam_tally2 module in that it also allows temporary locking when the authentication attempts are made through a screensaver.

  • Note: pam_faillock also supports persistent locking as of errata release RHBA-2016-2314.

Reposted from https://access.redhat.com/solutions/62949

Installing pam_faillock.so on CentOS 8 without network access

On CentOS 8 (and RHEL 8) pam_faillock.so is not a separate add-on: it ships in the pam package, which is part of every installation. Check first whether the module is already present:

# rpm -qf /usr/lib64/security/pam_faillock.so
# ls -l /usr/lib64/security/pam_faillock.so

If the file is missing, the pam package is damaged or incomplete. Reinstall it from the CentOS 8 installation ISO or a local BaseOS mirror, using the pam RPM that matches the installed release and architecture:

# rpm -Uvh --replacepkgs pam-*.el8.x86_64.rpm

Do not copy a pam_faillock.so extracted from a Fedora archive or any other distribution into /usr/lib64/security/: PAM modules are built against the installed libpam, and a mismatched module can fail to load and leave the system unable to authenticate anyone. There is also no separate "load module" step and no pammodules-load command; PAM opens the modules named in /etc/pam.d/ each time a service authenticates.

On CentOS 8 the stacks in /etc/pam.d/system-auth and /etc/pam.d/password-auth are generated by authselect, so enable the module with it rather than by hand:

# authselect enable-feature with-faillock

(or authselect select sssd with-faillock to choose a profile at the same time). Hand edits to those two files are lost the next time an authselect profile is applied. On pam builds that provide faillock.conf(5), put deny=, unlock_time= and even_deny_root in /etc/security/faillock.conf instead of on each PAM line. /etc/pam.d/common-password is a Debian/Ubuntu file that does not exist on CentOS, and there is no passwd-auth service; after changing the configuration, restart the services that authenticate through PAM, such as sshd:

# systemctl restart sshd

Notes:
  • If the system has network access, manage the pam package with dnf instead of copying files around.
  • If your system administrator's policy differs, follow their guidance for the installation.