Re: pam tally and faillog questions

From: Nalin Dahyabhai (nalin_at_redhat.com)
Date: 04/16/04

Date: Fri, 16 Apr 2004 15:49:11 -0400
To: fedora-list@redhat.com

On Fri, Apr 16, 2004 at 03:01:23PM -0400, Chris Stankaitis wrote:
> I posted this to the RH PAM list in January; since then I have not seen
> a SINGLE message to that list, so I must assume it's dead. I am going to
> re-ask here in the hopes that we have some pam gurus around.

You should verify that you're actually subscribed, then. While it's not
nearly as high-traffic as fedora-list, it is active. The archives show
12 messages this month, the most recent about an hour ago.

> Is there a better workaround than what I have done? Is there a proper
> way to get these two to play well together?

The screen saver should probably be calling pam_acct_mgmt(), even if it
"knows" that the user should always be allowed access.

> 2) Is there a way to get pam_tally/faillog to unlock an account after XX
> mins... I have hacked together a bash script to do this but I would
> prefer to use native capabilities if they exist.

The faillog file format supports it, and pam_tally obeys it, but the
tools don't provide a way to set that timeout. That would make a good
enhancement request.

> 3) This is my big problem... I have set tally to deny after X attempts...
> and it works... kinda... It seems like faillog or something is ignoring
> the deny= line in my pam account section. When I first do a faillog
> after turning on the tally I get the normal output; however, it doesn't
> seem to catch the deny and populate that to the Maximum. So if my deny
> is set to 4, when I first do a faillog the Maximum is set to 0. I
> manually do a faillog -m 4 and that fixes the problem for all the
> current users on the box; however, when users are added to the box their
> maximum is zero.
>
> Why isn't faillog reading the deny=X from my account required line and
> setting the maximum based on that?

Having a configuration for account management unfortunately doesn't
ensure that an application will make use of it.

> For new users, is there a login.defs value required to set the maximum on
> account creation?

There is not, at least not currently.

Cheers,

Nalin

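To make the thread's three points concrete (why a new user's Maximum is 0, what `faillog -m 4` actually writes, and what "the faillog file format supports" a timeout means), here is an added example that is not code from the thread, from shadow-utils or from Linux-PAM. It reads and writes records in the faillog layout and applies a simplified version of the two checks a faillog-aware login performs. Assumptions: the field names and order are those of `struct faillog` in shadow-utils' faillog.h (fail_cnt, fail_max, fail_line[12], fail_time, fail_locktime); the 32-byte record size is that of a 64-bit (LP64) build, a 32-bit build has 24-byte records; the lockout decision in `is_denied` is a model, not a copy of any particular login or pam_tally version; all data is constructed in memory.

```python
"""faillog records: sparse file indexed by UID, one fixed-size record per user.

Added example, not shadow-utils or Linux-PAM code. Layout follows struct
faillog from shadow's faillog.h (assumption: LP64 sizes, 32 bytes/record):
  short fail_cnt; short fail_max; char fail_line[12]; time_t fail_time; long fail_locktime;
A UID with no record reads back as all zeros, so a freshly created user
shows Maximum 0 until something like `faillog -m 4` writes a record.
"""
import struct
from dataclasses import dataclass

RECORD = struct.Struct("<hh12sqq")  # assumption: 64-bit layout, no padding needed


@dataclass
class FailRecord:
    fail_cnt: int = 0       # failures since last successful login
    fail_max: int = 0       # failures allowed before lockout; 0 = no limit
    fail_line: str = ""     # tty/host of the last failure
    fail_time: int = 0      # time of last failure (epoch seconds)
    fail_locktime: int = 0  # seconds a lock lasts after a failure; 0 = no timed lock

    def pack(self) -> bytes:
        line = self.fail_line.encode()[:12].ljust(12, b"\0")
        return RECORD.pack(self.fail_cnt, self.fail_max, line,
                           self.fail_time, self.fail_locktime)

    @classmethod
    def unpack(cls, raw: bytes) -> "FailRecord":
        cnt, mx, line, t, lock = RECORD.unpack(raw)
        return cls(cnt, mx, line.split(b"\0", 1)[0].decode(errors="replace"), t, lock)


def read_record(db, uid: int) -> FailRecord:
    """Record for uid; a missing or truncated slot reads as zeros (sparse-file hole)."""
    off = uid * RECORD.size
    return FailRecord.unpack(bytes(db[off:off + RECORD.size]).ljust(RECORD.size, b"\0"))


def write_record(db: bytearray, uid: int, rec: FailRecord) -> None:
    """Store rec in uid's slot, zero-filling any gap before it."""
    off = uid * RECORD.size
    if len(db) < off + RECORD.size:
        db.extend(b"\0" * (off + RECORD.size - len(db)))
    db[off:off + RECORD.size] = rec.pack()


def set_max(db: bytearray, uid: int, fail_max: int) -> None:
    """What `faillog -m N -u UID` does: set fail_max, creating the record if absent."""
    rec = read_record(db, uid)
    rec.fail_max = fail_max
    write_record(db, uid, rec)


def set_locktime(db: bytearray, uid: int, seconds: int) -> None:
    """Set the per-record lock duration: the field the thread says no tool exposes."""
    rec = read_record(db, uid)
    rec.fail_locktime = seconds
    write_record(db, uid, rec)


def record_failure(db: bytearray, uid: int, line: str, now: int) -> None:
    """Bump the counter and stamp time/line, as a failed login would."""
    rec = read_record(db, uid)
    rec.fail_cnt += 1
    rec.fail_line = line
    rec.fail_time = now
    write_record(db, uid, rec)


def is_denied(rec: FailRecord, now: int) -> bool:
    """Simplified account check (assumption, not a copy of login or pam_tally):
    fail_max != 0 and fail_cnt >= fail_max      -> denied until the counter is reset
    fail_locktime != 0 and now < fail_time+lock -> denied only inside that window
    A record with both fields 0 never denies: the new-user symptom from the thread."""
    if rec.fail_max and rec.fail_cnt >= rec.fail_max:
        return True
    if rec.fail_locktime and now < rec.fail_time + rec.fail_locktime:
        return True
    return False


def demo() -> dict:
    """Replay the thread's scenario on a constructed, empty in-memory database."""
    db, uid = bytearray(), 1001
    out = {"new_user_max": read_record(db, uid).fail_max}  # 0: no record yet
    set_max(db, uid, 4)                                    # the manual `faillog -m 4`
    for n in range(4):                                     # constructed: four failures
        record_failure(db, uid, "tty1", 1_000_000 + n)
    out["denied_after_4"] = is_denied(read_record(db, uid), now=1_000_010)
    db2 = bytearray()                                      # timed lock instead of a hard max
    set_locktime(db2, uid, 15 * 60)
    record_failure(db2, uid, "tty1", 2_000_000)
    rec2 = read_record(db2, uid)
    out["locked_inside_window"] = is_denied(rec2, now=2_000_060)
    out["unlocked_after_window"] = is_denied(rec2, now=2_000_900)
    return out


if __name__ == "__main__":
    print(demo())
```

Running it prints a dict whose `new_user_max` is 0 (no record exists for the UID), whose `denied_after_4` is True once `set_max` and four failures have been written, and whose timed-lock flags show the lock holding one minute after the failure and clearing once the window has elapsed. The point to take away is that `deny=` on the PAM line and `fail_max` in the file are separate mechanisms: writing one does not populate the other, which is exactly the symptom in the thread.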
