Would anyone, please, be willing to answer the below query?

Thanks,
Lesley Kimmel, RHCE
Unix/Linux Systems Engineer

From: [email protected]
To: [email protected]
Subject: pam_faillock.so Approach
Date: Fri, 12 Jun 2015 09:00:05 -0500

All;

I've been working with the RHEL6 SSG (0.1.18-3) and found that the direction for using pam_faillock.so does not work. I know what is wrong with it but I see that the latest RHEL Beta package (0.1.21-2) decided to go a different way with the configuration. There are two possible faillock configurations shown in the pam_faillock man page. I was just curious about the relative merits of each and why the decision was made to use the "2nd" form rather than just fix the "1st".

Stack described in current RHEL6 SSG:

auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900

Per the man page the following modifications would need to be made:

auth [success=1 default=bad] pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth sufficient pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900

-Lesley Kimmel

--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
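
An added example, not part of the original message or of the SSG: a simplified Python model of Linux-PAM control evaluation that traces which modules of the two quoted stacks run when pam_unix succeeds or fails. The module results passed in are constructed, the names `parse` and `evaluate` are hypothetical, and the action handling is a reduced form of what pam.conf(5) documents.

```python
import re
# Simplified model of Linux-PAM control-flag evaluation; no real modules run.
SHORTHAND = {  # documented bracket equivalents of the keyword controls
    "required": {"success": "ok", "default": "bad"}, "requisite": {"success": "ok", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"}, "optional": {"success": "ok", "default": "ignore"},
}
# The two stacks quoted in the message above.
SSG_STACK = [
    "auth sufficient pam_unix.so nullok try_first_pass",
    "auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900",
    "auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900",
]
MAN_PAGE_STACK = [
    "auth [success=1 default=bad] pam_unix.so nullok try_first_pass",
    "auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900",
    "auth sufficient pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900",
]

def parse(line):
    """Return (result->action map, label) for one 'auth <control> <module> ...' line."""
    _type, control, rest = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(.*)", line).groups()
    actions = SHORTHAND.get(control) or dict(p.split("=") for p in control.strip("[]").split())
    fields = rest.split()
    # Label pam_faillock.so entries by mode (authfail/authsucc) so the trace is readable.
    return actions, fields[1] if fields[0] == "pam_faillock.so" else fields[0]

def evaluate(stack, results):
    """Walk the stack with constructed module results; return (authenticated, modules_run)."""
    state, skip, ran = None, 0, []
    for actions, label in map(parse, stack):
        if skip:  # a numeric action N skips the next N modules
            skip -= 1
            continue
        ran.append(label)
        action = actions.get(results[label], actions["default"])
        if action.isdigit():
            skip = int(action)
        elif action in ("ok", "done") and state is None:
            state = True  # ok/done never override an earlier failure
        elif action in ("bad", "die"):
            state = False
        if action == "die" or (action == "done" and state):
            break  # die always stops; done stops only when the stack is succeeding
    return state is True, ran

if __name__ == "__main__":
    for pw in ("success", "auth_err"):  # constructed pam_unix results
        r = {"pam_unix.so": pw, "authfail": "auth_err", "authsucc": "success"}
        print(pw, evaluate(SSG_STACK, r), evaluate(MAN_PAGE_STACK, r))
```

In the SSG stack a successful pam_unix ends evaluation at the `sufficient` line, so the `authsucc` entry never runs; in the man page form `success=1` skips `authfail` and reaches it.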
