Re: ftp/sftp user account lockout threshold
- From: Bill Tangren <bjt@xxxxxxxxxxxxx>
- Date: Tue, 24 Jul 2007 10:25:36 -0400
Johan Booysen wrote:
Hi,
Thanks for your reply.
I find using pam modules a bit confusing at the moment. Does anyone
know of a good example on how to use pam_tally in this way?
Thanks.
Johan
Add these lines to /etc/pam.d/system-auth:
    auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
    account required /lib/security/$ISA/pam_tally.so deny=3 no_magic_root reset
Next, make a faillog:
    # touch /var/log/faillog
Also, make sure /etc/pam.d/xscreensaver does not call system-auth, or you will not be able to unlock your screensaver. This is because xscreensaver doesn't have the rights to write to the faillog. I copied the contents of system-auth and put it in xscreensaver, and then I removed the pam_tally lines. Overkill probably, but it works for me.
-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx
[mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Bill Tangren
Sent: 23 July 2007 16:09
To: General Red Hat Linux discussion list
Subject: Re: ftp/sftp user account lockout threshold
Johan Booysen wrote:
Dear all,
Does anyone know if it's possible to set up a vsftpd and/or sftp server so that (for example) after 3 unsuccessful logon attempts, a user's account is locked out or disabled?
I've done a bit of quick googling on this issue, but have come up empty so far.
Thanks very much.
Johan
pam can use pam_tally to do this.
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
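An added example, not part of the original thread: a shell audit of a pam.d directory for the setup described in the reply above. It checks that pam_tally.so appears in both the auth and account stacks with a deny= value, and lists the services that pull in system-auth and so inherit the lockout (vsftpd and sshd, but also xscreensaver). The function names and the sample files are constructed for illustration; the two ways of referencing system-auth that it matches ("include system-auth" and "pam_stack.so service=system-auth") are assumptions about how the services on a given system are configured.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a pam.d directory for
# the pam_tally setup described above. Sample files below are constructed.

# Report whether a PAM file calls pam_tally.so in auth and account, and deny=N.
tally_status() {
    auth=no; account=no; deny=unset
    if grep -Eq '^[[:space:]]*auth[[:space:]].*pam_tally\.so' "$1"; then auth=yes; fi
    if grep -Eq '^[[:space:]]*account[[:space:]].*pam_tally\.so' "$1"; then account=yes; fi
    d=$(grep -E '^[[:space:]]*(auth|account)[[:space:]].*pam_tally\.so' "$1" |
        sed -n 's/.*[[:space:]]deny=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -n "$d" ]; then deny=$d; fi
    echo "auth=$auth account=$account deny=$deny"
}

# List services whose stack pulls in system-auth, via "include system-auth"
# or the older "pam_stack.so service=system-auth"; these inherit the lockout.
services_using_system_auth() {
    for f in "$1"/*; do
        name=$(basename "$f")
        if [ -f "$f" ] && [ "$name" != system-auth ] &&
           grep -Eq '^[[:space:]]*[a-z]+[[:space:]]+(include[[:space:]]+system-auth|.*service=system-auth)' "$f"
        then echo "$name"; fi
    done
}

# Build a constructed pam.d tree in a temp dir and print its path.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/system-auth" <<'EOF'
# constructed sample
auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
auth sufficient /lib/security/$ISA/pam_unix.so
account required /lib/security/$ISA/pam_tally.so deny=3 no_magic_root reset
EOF
    printf 'auth required pam_stack.so service=system-auth\n' > "$dir/vsftpd"
    printf 'auth include system-auth\n' > "$dir/sshd"
    printf 'auth include system-auth\n' > "$dir/xscreensaver"
    printf 'auth required pam_unix.so\n' > "$dir/other"
    echo "$dir"
}

# Demo run against the constructed tree.
sample=$(make_sample)
tally_status "$sample/system-auth"
services_using_system_auth "$sample"
rm -rf "$sample"
```

On a real host, call the two functions with /etc/pam.d/system-auth and /etc/pam.d instead of the sample tree.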