I am using pam_tally2 to lockout accounts after 3 failed logins per policy, however, the connecting user does not receive the error indicating pam_tally2's action. (Via SSH.)
I expect to see on the 4th attempt:
Account locked due to 3 failed logins
No combination of required or requisite or the order in the file seems to help. This is under Red Hat 6, and I am using /etc/pam.d/password-auth. The lockout does work as expected but the user does not receive the error described above. This causes a lot of confusion and frustration as they have no way of knowing why authentication fails when they are sure they are using the correct password.
Implementation follows NSA's Guide to the Secure Configuration of Red Hat Enterprise Linux 5. (pg.45) It's my understanding that the only thing changed in PAM is that /etc/pam.d/sshd now includes /etc/pam.d/password-auth instead of system-auth.
If locking out accounts after a number of incorrect login attempts is required by your security policy, implement use of pam_tally2.so.
To enforce password lockout, add the following to /etc/pam.d/system-auth. First, add to the top of the auth lines:
auth required pam_tally2.so deny=5 onerr=fail unlock_time=900
Second, add to the top of the account lines:
account required pam_tally2.so
EDIT:
I get the error message by resetting pam_tally2 during one of the login attempts.
user@localhost's password: (bad password)
Permission denied, please try again.
user@localhost's password: (bad password)
Permission denied, please try again.
(reset pam_tally2 from another shell)
user@localhost's password: (good password)
Account locked due to ...
Account locked due to ...
Last login: ...
[user@localhost ~]$
You also need

ChallengeResponseAuthentication yes

in /etc/ssh/sshd_config. To display the error, PAM needs a conversation function. This option tells ssh to provide a more complete PAM conversation function, which covers amongst other things providing output and asking for arbitrary input (instead of just being handed over a password by sshd).

Edit: You'll want

PasswordAuthentication no

to make sure the password input always goes through this PAM conversation.

Unfortunately what you're after is not available. OpenSSH will only allow or deny authentication. It's not going to let an attacker or a clumsy user know any further information and this is standard behaviour. PAM has no knowledge of the network communication that OpenSSH uses, or of any other application-specific behaviour. It's just a bunch of modules for authenticating with.
Further to this, pam_tally2 doesn't provide any kind of user-defined error message directive, so you can only rely on what's in your system log anyway.
One method you can look into is modifying the OpenSSH codebase (not too difficult), but this is out of the scope of this question.
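As an added illustration (not code from the question or from either answer), here is a small POSIX shell audit of the two files this thread touches: the PAM service file that sshd includes (password-auth on RHEL 6) and sshd_config. It checks for the two settings the first answer gives (ChallengeResponseAuthentication yes and PasswordAuthentication no) and for the NSA guide's placement of pam_tally2.so at the top of the auth lines together with the account line. The file paths and the sample configurations are constructed assumptions so the script runs offline; point the functions at the real files to audit a host.

```shell
#!/bin/sh
# Added example, not part of the original question or answers. Audits the PAM
# service file and sshd_config for the settings discussed in this thread.

# Print the first effective (non-comment) value of an sshd_config keyword.
# sshd honours the first occurrence of a keyword, so that is what we report.
sshd_option() {
    # $1 = sshd_config path, $2 = keyword (case-insensitive, as sshd matches it)
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Return 0 when sshd_config carries both settings from the first answer:
# ChallengeResponseAuthentication yes and PasswordAuthentication no.
check_sshd_config() {
    cra=$(sshd_option "$1" ChallengeResponseAuthentication)
    pa=$(sshd_option "$1" PasswordAuthentication)
    ok=0
    [ "$cra" = "yes" ] || { echo "ChallengeResponseAuthentication is '${cra:-unset}', want yes"; ok=1; }
    [ "$pa" = "no" ]   || { echo "PasswordAuthentication is '${pa:-unset}', want no"; ok=1; }
    return $ok
}

# Return 0 when the first auth line of a PAM service file is pam_tally2.so (the
# guide's "top of the auth lines") and an "account required pam_tally2.so" exists.
# A pam_tally2 line placed after a "sufficient" module never runs on success.
check_pam_tally2() {
    first_auth=$(awk '$1 == "auth" { print; exit }' "$1")
    ok=0
    case "$first_auth" in
        *pam_tally2.so*) ;;
        *) echo "first auth line is not pam_tally2.so: ${first_auth:-<none>}"; ok=1 ;;
    esac
    grep -Eq '^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_tally2\.so' "$1" \
        || { echo "no 'account required pam_tally2.so' line"; ok=1; }
    return $ok
}

# Constructed sample files (not taken from the page): one pair that follows the
# thread's advice and one pair that does not.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/sshd_config.good" <<'EOF'
# constructed sample
PasswordAuthentication no
ChallengeResponseAuthentication yes
EOF
cat > "$TMP/sshd_config.bad" <<'EOF'
ChallengeResponseAuthentication no
PasswordAuthentication yes
EOF
cat > "$TMP/password-auth.good" <<'EOF'
#%PAM-1.0
auth        required      pam_tally2.so deny=3 onerr=fail unlock_time=900
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
account     required      pam_tally2.so
account     required      pam_unix.so
EOF
cat > "$TMP/password-auth.bad" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_tally2.so deny=3 onerr=fail unlock_time=900
account     required      pam_unix.so
EOF

# Stand-alone run: report on both sample pairs.
for f in good bad; do
    echo "== $f"
    check_sshd_config "$TMP/sshd_config.$f" && echo "sshd_config: ok"
    check_pam_tally2 "$TMP/password-auth.$f" && echo "password-auth: ok"
done
```

Both checks print what they found and return non-zero on a miss, so they can be dropped into a configuration-compliance script as-is.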