Welcome to the Linux Foundation Forum!

Lab 9.2 Locking Accounts after Excessive Login Attempts

m.taniguchi Posts: 20
edited June 2021 in LFS216 Class Forum

I think current contents of Lab 9.2 seems not to work in CentOS8 environment, and I think the contents should be updated.
At least,

  1. pam_tally2 is absolete, instead **pam_faillock **is recommended
  2. You shouldn't modify manually password-auth/system-auth files ( it's prohibited to do so in the files)
  3. You should use **authselect **command instead ( **authconfig **is an older command)

in short, It's better to excercise this Lab

  • Use pam_faillock **, not **pam_tally2
  • Use authselect and modify configuration _indirectly _

[What I did ]

  1. create authselect user profile from current sssd profile
[root@main ~]# authselect create-profile test-lab -b sssd (profile name is test-lab) 
  1. change the profile to above with faillock feature
[root@main ~]# authselect select custom/test-lab with-faillock without-nullok
[root@main ~]# authselect current 
Profile ID: custom/test-lab
Enabled features:
- with-faillock
- without-nullok
  1. change password-auth/system-auth indirectly
[root@main ~]#vim /etc/authselect/custom/test-lab/password-auth
[root@main ~]#vim /etc/authselect/custom/test-lab/system-auth 

i set deny counts to twice (deny=2), unlock_time to 0 (infinite) (see [Reference sites][1])

  1. apply above chaanges
[root@main ~]#authselect apply-changes 
  1. Try
    ( I already set password to failuser previously.)
[root@main ~]# ssh failuser@localhost
failuser@localhost's password: 
Permission denied, please try again.
failuser@localhost's password: 
Permission denied, please try again.
failuser@localhost's password: 
failuser@localhost: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

**Note : password prompt appears 3 times. this is sshd behavior not faillock's. if you change prompt number, you add option like;

ssh failuser@localhost -o 'NumberOfPasswordPrompts 5'

  1. Check by faillock
[root@main ~]# faillock 
When                Type  Source                                           Valid
2021-06-27 17:43:12 RHOST ::1                                                  V
2021-06-27 17:43:15 RHOST ::1                                                  V
When                Type  Source                                           Valid
When                Type  Source                                           Valid
When                Type  Source                                           Valid

the user "failuser" failes twice. this means the user locked. (BTW I don't know how to see the user is locked or not)

  1. Unlock the user
    [root@main ~]# faillock --user failuser --reset

[Reference sites]

[1] https://i66lab.com/User:xltran/App/CentOS/8/Administration/Authselect
[2] https://michaelpesa.com/posts/creating-custom-authselect-profiles/
[3] https://www.golinuxcloud.com/pam-faillock-lock-user-account-linux/



Upcoming Training