修改配置:
/etc/pam.d/system-auth //配置被/etc/pam.d/login引用,限制telnet以及终端登录
/etc/pam.d/password-auth //配置被/etc/pam.d/sshd引用,限制ssh登录
增加如下两行配置到配置文件,注意配置信息的位置,影响生效:
auth required pam_tally2.so deny=3 onerr=fail
account required pam_tally2.so
配置示例:
auth required pam_env.so
auth required pam_tally2.so deny=3 onerr=fail
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_tally2.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
参考链接:
https://www.golinuxhub.com/2018/08/how-to-lock-or-unlock-root-normal-user-pamtally2-pamfaillock-linux/