How do I lock out a user after a set number of login attempts?

By omp on Friday, February 16, 2007

The PAM (Pluggable Authentication Module) module pam_tally keeps track of unsuccessful login attempts then disables user accounts when a preset limit is reached. This is often referred to as account lockout.

To lock out a user after 4 attempts, two entries need to be added in the /etc/pam.d/system-auth file:

auth        required        /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
account     required        /lib/security/$ISA/pam_tally.so deny=3 no_magic_root reset

The options used above are described below:

  • onerr=fail
    If something strange happens, such as unable to open the file, this determines how the module should react.
  • no_magic_root
    This is used to indicate that if the module is invoked by a user with uid=0, then the counter is incremented. The sys-admin should use this for daemon-launched services, like telnet/rsh/login.
  • deny=3The deny=3 option is used to deny access if tally for this user exceeds 3.
  • reset
    The reset option instructs the module to reset count to 0 on successful entry.

See below for a complete example of implementing this type of policy:

auth        required      /lib/security/$ISA/pam_env.so
auth        required      /lib/security/$ISA/pam_tally.so onerr=fail
no_magic_root auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so 
account     required      /lib/security/$ISA/pam_tally.so deny=5
no_magic_root reset  password    requisite     /lib/security/$ISA/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/$ISA/pam_unix.so nullok use_authtok md5 shadow password
required      /lib/security/$ISA/$ISA/pam_deny.so  session
required      /lib/security/$ISA/$ISA/pam_limits.so session
required      /lib/security/$ISA/$ISA/pam_unix.so

For more detailed information on the PAM system please see the documentation contained under /usr/share/doc/pam-

For information on how to unlock a user that has expired their deny tally see additional Knowledgebase articles regarding unlocking a user account and seeing failed logins with the faillog command.

contributed by David Robinson

comment 0 comments:

Post a Comment

Popular Posts

  • Unix Interview Questions???
    Linux admin interview questions How do you take a single line of input from the user in a shell script? Write a script to convert all DO...
  • Network Storage - II
    Network-Attached Storage 1. Introduction 2. What is a NAS Device? 3. What is a Filer? 4. Network-Attached Storage Versus Sto...
  • Converting delimited text to Excel
    Description Google Results Non-technical people need t...
  • Managing Disk Spaces with LVM in Linux.
    Bryce Harrington and Kees Cook have come together to write this informative article titled ' Managing Disk Space with LVM ' which ...
  • Lo
    for Expand words, and execute commands once for each member in the resultant list, with name bound to the current member. SYNTAX for...
  • Configure a Physical Interface After System Installation
    * Determine the IPv4 addresses that you want to use for the additional interfaces. * Ensure that the physical interface to be configured has...
  • (no title)
    Global Menu - Ubuntu Lucid Setting up global menu in lucid install the global menu package.
  • UNIX Questions and Answers
    UNIX Questions and Answers Most answers refer to Solaris 2.x systems Hardware Issues How can I configure new devices without rebooting? What...
  • Generate passwords with openssl
    write 6 random bits of base64-encoded data. This will produce an eight character string making a good unix (crypt based) password: $ openssl...
  • Blade server
    IBM HS20 blade server. Two bays for SCSI hard drives can be noticed in the upper left area of the image. Blade servers are self-contained co...

Linux Gazette