Home / server / Questions / 594025
Accepted
Aaron Copley
Asked: 2014-05-09 13:52:46 +0800 CST

Account Lockout with pam_faillock in RHEL6

  • 772

Previously, I asked about using pam_tally2 under RHEL6. I would like to pose this question and answer to document the recommended use of pam_faillock over pam_tally2 for the same function;

What is the recommended strategy for temporary account locking in Red Hat 6?

redhat

1 Answers

  1. Best Answer

    The pam_faillock module was introduced to us in the Technical Notes for Red Hat Enterprise Linux 6.1. And somehow this flew under my radar until now.

    BZ#644971
    A new pam_faillock module was added to support temporary locking of user accounts in the event of multiple failed authentication attempts. This new module improves functionality over the existing pam_tally2 module, as it also allows temporary locking when the authentication attempts are done over a screen saver.

    The Security Guide explains to us how this module should be used in section 2.1.9.5, Account Locking.

    Follow these steps to configure account locking:

    To lock out any non-root user after three unsuccessful attempts and unlock that user after 10 minutes, add the following lines to the auth section of the /etc/pam.d/system-auth and /etc/pam.d/password-auth files:

    auth        required       pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth        sufficient     pam_unix.so nullok try_first_pass
auth        [default=die]  pam_faillock.so authfail audit deny=3 unlock_time=600

    Add the following line to the account section of both files specified in the previous step:

    account     required      pam_faillock.so

    I've intentionally stopped here because this will provide the functionality that most are looking for. If you wish to include the root user, read on at the link provided.

    • 4