List Members
I am curious to know if anyone has seen this or knows of this issue, or if I just don't have it configured properly, before I submit it as a bug. I looked in bugzilla and didn't see anything related listed.
I have a default installation of rhel5.4 in a vmware virtual machine (ESX 4.1 freeware), yum updated to rhel5.5.
vmwaretools installed.
I want to set up some of the hardening standards from the Center for Internet Security (CIS), so I tried the example they have in section SN.8, Lock Out after 3 Failures. After adjusting it, I have the following PAM system-auth working for the most part.
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally2.so deny=3 unlock_time=1800
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
password requisite pam_cracklib.so try_first_pass retry=3 minlen=9 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 difok=2
password sufficient pam_unix.so md5 shadow remember=10 try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
After testing this, it works fine for any account that doesn't have an ssh key set up; however, if you have an ssh key set up, you never get denied access due to the pam_tally2 lockout (account section of PAM).
I was able to verify that sshd does use the account section of system-auth by expiring an account (at least for account pam_unix). I changed the lastchg field of the shadow file and set password inactivity to 1, so that the last passwd change is older than allowed. Even accounts that have ssh keys are denied access from the account section of system-auth due to the password being expired.
Thanks
John
_______________________________________________ rhelv5-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/rhelv5-list
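An added audit check, not from John's post or from Red Hat, that parses a system-auth stack and flags the situation the post describes: pam_tally2 is present only in the auth phase, and a public-key ssh login runs PAM's account and session phases but not auth, so no account-phase pam_tally2 line means the lockout is never applied. The sample stack is the one from the post with the wrapped tokens rejoined; the module names and the "account required pam_tally2.so" line in the comments are assumptions based on the CIS guidance the post cites.

```python
import re

# Constructed sample: the system-auth stack posted above, rejoined.
# Note there is no "account ... pam_tally2.so" entry in it.
SYSTEM_AUTH = """\
#%PAM-1.0
auth required pam_env.so
auth required pam_tally2.so deny=3 unlock_time=1800
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
password requisite pam_cracklib.so try_first_pass retry=3 minlen=9 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 difok=2
password sufficient pam_unix.so md5 shadow remember=10 try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
"""

# type, then either a bracketed control field or a single word, then module, then args
_LINE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")


def parse_pam(text):
    """Return (type, control, module, args) tuples, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            ptype, control, module, args = m.groups()
            entries.append((ptype.lower(), control, module, args.split()))
    return entries


def phases_using(entries, module):
    """Set of PAM phases (auth/account/password/session) that list the module."""
    return {ptype for ptype, _, mod, _ in entries if mod == module}


def tally2_account_gap(text):
    """True when pam_tally2 counts failures in 'auth' but has no 'account' line.

    sshd does not run the auth phase for public-key logins, only account and
    session, so without an account-phase entry the lockout is never enforced
    for those logins (assumed remedy: add "account required pam_tally2.so").
    """
    phases = phases_using(parse_pam(text), "pam_tally2.so")
    return "auth" in phases and "account" not in phases
```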
