auth required pam_env.so
#auth requisite pam_faillock.so preauth silent deny=3 even_deny_root unlock_time=604800 fail_interval=900
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail deny=3 even_deny_root unlock_time=604800 fail_interval=900
auth sufficient pam_faillock.so authsucc deny=3 even_deny_root unlock_time=604800 fail_interval=900
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_faillock.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
account required /lib64/security/pam_tally2.so deny=6 no_magic_root reset
password required pam_cracklib.so retry=3 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 difok=3
password required pam_unix.so sha512 shadow try_first_pass use_authtok remember=24
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session required pam_lastlog.so showfailed
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

On Tue, Aug 12, 2014 at 11:47 AM, Kordell, Luke T <[email protected]> wrote:
> Hello,
>
> Thanks for the info! I've been trying to make these changes to our systems
> and am currently waiting for a solution on a redhat bug I submitted over a
> month ago. (trying to make a lockout persist after reboot)
>
> I tried making these changes on a test-vm I have and it seems to have bricked
> it. Can you copy and paste the entire contents of your system-auth file into
> a message and send it to me? (I can't receive attachments at this email
> address)
>
> Luke K
> ________________________________________
> From: [email protected]
> [[email protected]] on behalf of Jeremiah
> Jahn [[email protected]]
> Sent: Friday, August 08, 2014 3:35 PM
> To: SCAP Security Guide
> Subject: EXTERNAL: faillock related descriptions are wrong and dangerous
>
> accounts_passwords_pam_fail_interval and
> accounts_passwords_pam_faillock_unlock_time have bad description
>
> The description needs to be changed in these from currently telling
> the user to put them under pam_env.so to under pam_unix.so.
>
> Also there are a number of things you have to do. And I'll walk through
> this example so you can see.
>
> normal pam system-auth file, same applied for password file
> auth required pam_env.so
> auth [success=1 default=bad] pam_unix.so
> auth [default=die] pam_faillock.so authfail deny=3 even_deny_root unlock_time=604800 fail_interval=900
> auth sufficient pam_faillock.so authsucc deny=3 even_deny_root unlock_time=604800 fail_interval=900
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth required pam_deny.so
>
> First things first. You must skip the authfail on a successful login,
> and set default equal to bad. The faillock authfail will ALWAYS lock
> the user out if run. Which is why if you follow the guidance, you'll
> brick your machine. So pam_unix.so must be set to [success=1 default=bad].
>
> Second, pam_faillock.so authsucc must be set to sufficient, and always
> placed before pam_deny.
>
> Your description currently says required, but you've got to alter
> unix.so to fall through on success instead of simply being sufficient,
> so now pam_faillock.so authsucc has to be sufficient to pick up the
> slack. The test for this is also going to have to be rewritten as
> well.
>
> -jj-
> --
> SCAP Security Guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
> https://github.com/OpenSCAP/scap-security-guide/
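The thread's argument is about stack ordering: pam_unix.so must be `[success=1 default=bad]` so that a correct password jumps over the `[default=die]` authfail line, and the `sufficient` authsucc line must come before pam_deny.so. The script below is an added example, not code from the thread or from SCAP Security Guide: a small lint that parses the `auth` lines of a system-auth file and reports where a stack departs from that layout. Both sample files are constructed for the example (the "good" one copies the posted stack, the "bad" one uses `required` for pam_unix.so and authsucc, so authfail runs on every login and the counter grows even on success).

```python
"""Lint the 'auth' stack of a PAM system-auth file for the pam_faillock layout
described in the thread (added example; the checks encode the thread's three
rules, not a general PAM validator)."""
import re

# Constructed sample: the corrected auth stack as posted in the reply.
SAMPLE_GOOD = """\
auth required pam_env.so
#auth requisite pam_faillock.so preauth silent deny=3 even_deny_root unlock_time=604800 fail_interval=900
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail deny=3 even_deny_root unlock_time=604800 fail_interval=900
auth sufficient pam_faillock.so authsucc deny=3 even_deny_root unlock_time=604800 fail_interval=900
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
"""

# Constructed sample: pam_unix.so is 'required', so control never skips the
# authfail line; a good password still reaches authfail and dies there.
SAMPLE_BAD = """\
auth required pam_env.so
auth required pam_unix.so
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth required pam_deny.so
"""

# 'auth' <control> <module> [args]; control is a bare word or a [bracketed] action list.
_AUTH_RE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_auth_stack(text):
    """Return [(control, module, args)] for uncommented 'auth' lines, in file order."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # the commented-out preauth line is ignored, as PAM would
        m = _AUTH_RE.match(line)
        if not m:
            continue  # account/password/session lines are not part of the auth stack
        control, module, args = m.groups()
        control = " ".join(control.split())  # normalise spacing inside [ ... ]
        module = module.rsplit("/", 1)[-1]  # strip an absolute /lib64/security/ path
        stack.append((control, module, args.split()))
    return stack


def lint_faillock_stack(text):
    """Return a list of findings; an empty list means the stack matches the thread's layout."""
    stack = parse_auth_stack(text)
    findings = []
    unix_idx = next((i for i, e in enumerate(stack) if e[1] == "pam_unix.so"), None)
    if unix_idx is None:
        return ["no pam_unix.so auth line found"]

    # Rule 1: pam_unix.so must skip the following authfail line on success.
    ctrl = stack[unix_idx][0]
    if ctrl != "[success=1 default=bad]":
        findings.append("pam_unix.so control is '%s', expected '[success=1 default=bad]' "
                        "so a correct password skips authfail" % ctrl)

    # Rule 2: authfail sits immediately after pam_unix.so with [default=die].
    nxt = stack[unix_idx + 1] if unix_idx + 1 < len(stack) else None
    if nxt is None or nxt[1] != "pam_faillock.so" or "authfail" not in nxt[2]:
        findings.append("pam_faillock.so authfail must immediately follow pam_unix.so")
    elif nxt[0] != "[default=die]":
        findings.append("authfail control is '%s', expected '[default=die]'" % nxt[0])

    # Rule 3: authsucc is 'sufficient' and placed before pam_deny.so.
    succ = [(i, e) for i, e in enumerate(stack)
            if e[1] == "pam_faillock.so" and "authsucc" in e[2]]
    deny = [i for i, e in enumerate(stack) if e[1] == "pam_deny.so"]
    if not succ:
        findings.append("missing pam_faillock.so authsucc line")
    else:
        i, (ctrl, _, _) = succ[0]
        if ctrl != "sufficient":
            findings.append("authsucc control is '%s', expected 'sufficient'" % ctrl)
        if deny and i > deny[0]:
            findings.append("authsucc must be placed before pam_deny.so")
    return findings


if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        problems = lint_faillock_stack(sample)
        print("%s: %s" % (name, "ok" if not problems else "; ".join(problems)))
```

Run it against a real file with `lint_faillock_stack(open("/etc/pam.d/system-auth").read())`; the same checks apply to password-auth, which the thread says mirrors system-auth. The lint only reads the file, so it is safe to run on a host before rolling a change out, which is where the "bricked" test VM in the thread would have been caught.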
