I'm trying to set up my system to lock out inactive users after 10 days. I'm using CentOS 6.x, and looking at the RHEL manual, this is what I found:
To lock out an account after 10 days of inactivity, add, as root, the following line to the auth section of the /etc/pam.d/login file:
auth required pam_lastlog.so inactive=10
So, this is my /etc/pam.d/login:
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
auth required pam_lastlog.so inactive=10
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
-session optional pam_ck_connector.so
I log in through ssh as a user, and log out.
After that I set the time 1 year in the future, as root logged in on TTY1:
# date --set "...."
# hwclock --systohc
I even reboot the VM, but still, when it comes back, I'm able to log in as the user through ssh.
Any ideas what I am doing wrong here?
Apples and oranges. You're editing the login file, but you're performing tests against sshd. The sshd daemon calls the PAM library directly with a service name of sshd, thus the identically named file is used. In the event that you were not aware that the login file maps to authentication attempts by an actual command named login (which is invoked by your getty), man login is recommended reading material.
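A way to check which file actually governs a given login path, as an added example that is not part of the question or the answer: the script below resolves the module stack for a PAM service name the way libpam does (following include and substack lines) against a constructed pam.d tree that mirrors the question, and generalizes to any stack type (auth, account, password, session). The function names pam_stack and has_inactive_lock and the sample configs are the example's own, not CentOS defaults.

```shell
# Added example, not the question's or the answer's own code: resolve the module
# stack libpam builds for a PAM service name, following include/substack lines,
# to show that a pam_lastlog line in "login" never reaches an sshd session.
# Works on a constructed pam.d tree in $PAMDIR; set PAMDIR=/etc/pam.d to inspect
# a real system (read-only).
PAMDIR=${PAMDIR:-$(mktemp -d)}
# Constructed sample configs mirroring the question: pam_lastlog only in "login".
make_sample_pamd() {
  cat > "$PAMDIR/system-auth" <<'EOF'
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so
EOF
  cat > "$PAMDIR/login" <<'EOF'
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
auth required pam_lastlog.so inactive=10
EOF
  cat > "$PAMDIR/sshd" <<'EOF'
auth required pam_sepermit.so
auth include system-auth
EOF
}
# pam_stack TYPE SERVICE: print "module.so args" for each TYPE line SERVICE
# contributes, recursing into include/substack targets in file order.
pam_stack() {
  awk -v dir="$PAMDIR" -v ptype="$1" -v svc="$2" '
    function walk(name,   file, line, n, i, j, w, out) {
      file = dir "/" name
      while ((getline line < file) > 0) {
        sub(/^[ \t]+/, "", line); sub(/^-/, "", line)   # "-session" means optional
        if (line ~ /^#/ || line == "") continue
        n = split(line, w, /[ \t]+/)
        if (w[1] != ptype) continue
        if (w[2] == "include" || w[2] == "substack") { walk(w[3]); continue }
        for (i = 2; i <= n; i++)            # skip the (possibly bracketed) control field
          if (w[i] ~ /\.so$/) {
            out = w[i]; for (j = i + 1; j <= n; j++) out = out " " w[j]
            print out; break
          }
      }
      close(file)
    }
    BEGIN { walk(svc) }'
}
# has_inactive_lock SERVICE: succeed only if pam_lastlog inactive=N is on its auth stack.
has_inactive_lock() {
  pam_stack auth "$1" | grep -q '^pam_lastlog\.so .*inactive=[0-9]'
}
make_sample_pamd
for s in login sshd; do echo "== $s auth stack =="; pam_stack auth "$s"; done
```

Running it shows pam_lastlog.so on the login stack but absent from the sshd stack, which is exactly why the ssh test in the question never triggers the lockout.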