On ti, 25 loka 2016, Matthew Carter wrote:
So a Gov't STIG has had me add to /etc/pam.d/password-auth:
auth required pam_faillock.so preauth silent deny=3 unlock_time=604800
fail_interval=900
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800
fail_interval=900
account required pam_faillock.so
So that it looks like this:
auth required pam_env.so
auth required pam_faillock.so preauth silent deny=3 unlock_time=604800
fail_interval=900
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800
fail_interval=900
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_faillock.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
and now IPA users get a permission denied. Local users can still log in.
I'm not even sure where to start . . .
You don't have pam_sss.so anywhere so any IPA password check could not
be done, only pam_unix.so which checks /etc/passwd or /etc/shadow.
Then you'd need to wrap pam_sss use in 'auth' with pam_faillock.so too:
pam_faillock.so preauth
pam_sss.so ....
pam_faillock.so authfail
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project