On Aug 8, 2014, at 3:35 PM, Jeremiah Jahn <[email protected]> wrote:
> accounts_passwords_pam_fail_interval and
> accounts_passwords_pam_faillock_unlock_time have bad description
>
> The description needs to be changed in these from currently telling
> the user to put them under pam_env.so to under pam_unix.so.
>
> Also there are a number of things you have to do. And I'll walk through
> this example so you can see.
>
> normal pam system-auth file, same applied for password file
>
> auth required pam_env.so
> auth [success=1 default=bad] pam_unix.so
> auth [default=die] pam_faillock.so authfail deny=3 even_deny_root unlock_time=604800 fail_interval=900
> auth sufficient pam_faillock.so authsucc deny=3 even_deny_root unlock_time=604800 fail_interval=900
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth required pam_deny.so
>
> First things first. You must skip the authfail on a successful login,
> and set default equal to bad. The faillock authfail will ALWAYS lock
> the user out if run. Which is why if you follow the guidance, you'll
> brick your machine. So pam_unix.so must be set to [success=1
> default=bad].
>
> Second, pam_faillock.so authsucc must be set to sufficient, and always
> placed before pam_deny.
>
> Your description currently says required, but you've got to alter
> unix.so to fall through on success instead of simply being sufficient,
> so now pam_faillock.so authsucc has to be sufficient to pick up the
> slack. The test for this is also going to have to be rewritten as
> well.
>
> -jj-

Thanks for this information.

An alternative to this dire situation is to include:

account required pam_faillock.so

-josh

--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
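The ordering rules Jeremiah lays out (pam_unix.so as `[success=1 default=bad]` immediately before the `authfail` line, `authfail` as `[default=die]`, `authsucc` as `sufficient` and ahead of pam_deny.so) are exactly the kind of thing the guide's test would need to check, so here is an added example of such a check. It is not code from this thread or from the SCAP Security Guide project; the function names `parse_stack` and `check_faillock_stack` are hypothetical, and the two sample stacks are constructed (the "good" one is the working stack quoted above, the "bad" one is the plain `sufficient`/`required` arrangement the message says locks every user out). The check that `deny`, `unlock_time` and `fail_interval` agree on both pam_faillock lines follows the quoted example, where the two lines carry identical options. Josh's `account required pam_faillock.so` alternative is not modelled.

```python
"""Check a PAM 'auth' stack for the pam_faillock ordering rules described in the thread."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the working system-auth stack quoted in the thread.
GOOD_STACK = """\
auth required pam_env.so
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail deny=3 even_deny_root unlock_time=604800 fail_interval=900
auth sufficient pam_faillock.so authsucc deny=3 even_deny_root unlock_time=604800 fail_interval=900
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
"""

# Constructed sample: pam_unix.so left 'sufficient' and authsucc 'required', the
# arrangement the thread says locks the user out even on a correct password.
BAD_STACK = """\
auth required pam_env.so
auth sufficient pam_unix.so
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth required pam_deny.so
"""


@dataclass
class Rule:
    type: str        # 'auth', 'account', 'password', 'session'
    control: str     # 'required', 'sufficient', or a bracketed '[success=1 default=bad]'
    module: str      # e.g. 'pam_unix.so'
    args: List[str]  # remaining whitespace-separated module arguments


def parse_stack(text: str) -> List[Rule]:
    """Parse PAM config lines; a bracketed control field may itself contain spaces."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        rtype, control, module, rest = m.groups()
        rules.append(Rule(rtype, control, module, rest.split()))
    return rules


def _options(rule: Rule) -> dict:
    """Module arguments of the form key=value as a dict (flags without '=' are ignored)."""
    return {a.split("=", 1)[0]: a.split("=", 1)[1] for a in rule.args if "=" in a}


def check_faillock_stack(text: str) -> List[str]:
    """Return findings for an 'auth' stack; an empty list means the thread's rules hold."""
    auth = [r for r in parse_stack(text) if r.type == "auth"]
    findings: List[str] = []

    def index(pred) -> Optional[int]:
        return next((i for i, r in enumerate(auth) if pred(r)), None)

    i_unix = index(lambda r: r.module == "pam_unix.so")
    i_fail = index(lambda r: r.module == "pam_faillock.so" and "authfail" in r.args)
    i_succ = index(lambda r: r.module == "pam_faillock.so" and "authsucc" in r.args)
    i_deny = index(lambda r: r.module == "pam_deny.so")
    if i_unix is None or i_fail is None or i_succ is None:
        return ["stack lacks pam_unix.so, pam_faillock.so authfail or pam_faillock.so authsucc"]

    # Rule 1: on success pam_unix.so skips the authfail line; on failure it records 'bad'.
    if auth[i_unix].control != "[success=1 default=bad]":
        findings.append(f"pam_unix.so control is {auth[i_unix].control!r}, expected [success=1 default=bad]")
    # success=1 skips exactly one line, so authfail must be the very next rule.
    if i_fail != i_unix + 1:
        findings.append("pam_faillock.so authfail must immediately follow pam_unix.so")
    # Rule 2: once authfail runs, the stack ends in failure.
    if auth[i_fail].control != "[default=die]":
        findings.append(f"pam_faillock.so authfail control is {auth[i_fail].control!r}, expected [default=die]")
    # Rule 3: authsucc is 'sufficient' and precedes pam_deny.so, so a good login succeeds.
    if auth[i_succ].control != "sufficient":
        findings.append(f"pam_faillock.so authsucc control is {auth[i_succ].control!r}, expected sufficient")
    if i_deny is not None and i_succ > i_deny:
        findings.append("pam_faillock.so authsucc must come before pam_deny.so")
    # The quoted example carries identical lockout options on both faillock lines.
    for key in ("deny", "unlock_time", "fail_interval"):
        if _options(auth[i_fail]).get(key) != _options(auth[i_succ]).get(key):
            findings.append(f"{key} differs between the authfail and authsucc lines")
    return findings


if __name__ == "__main__":
    for name, stack in (("good", GOOD_STACK), ("bad", BAD_STACK)):
        print(name, check_faillock_stack(stack) or "OK")
```

Run against a real `/etc/pam.d/system-auth` by passing its contents to `check_faillock_stack`; the parser tolerates comments and blank lines but deliberately stops on any line it cannot split into type, control and module, since a silently skipped line would hide exactly the misordering this check exists to catch.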
