
Lab 9.2 Locking Accounts after Excessive Login Attempts

edited June 2021 in LFS216 Class Forum

I think the current contents of Lab 9.2 do not seem to work in a CentOS 8 environment, and I think the contents should be updated.
At least:

  1. pam_tally2 is obsolete; instead **pam_faillock** is recommended
  2. You shouldn't modify the password-auth/system-auth files manually (it's prohibited to do so in the files)
  3. You should use the **authselect** command instead (**authconfig** is an older command)

In short, it's better to exercise this Lab as follows:

  • Use **pam_faillock**, not **pam_tally2**
  • Use authselect and modify the configuration _indirectly_

[What I did]

1. Create an authselect custom profile from the current sssd profile (the profile name is test-lab):

```
[root@main ~]# authselect create-profile test-lab -b sssd
```

2. Switch to the profile above with the faillock feature enabled:

```
[root@main ~]# authselect select custom/test-lab with-faillock without-nullok
[root@main ~]# authselect current
Profile ID: custom/test-lab
Enabled features:
- with-faillock
- without-nullok
```

3. Change password-auth/system-auth indirectly:

```
[root@main ~]# vim /etc/authselect/custom/test-lab/password-auth
[root@main ~]# vim /etc/authselect/custom/test-lab/system-auth
```

I set the deny count to 2 (deny=2) and unlock_time to 0 (infinite) (see [Reference sites][1]).

4. Apply the above changes:

```
[root@main ~]# authselect apply-changes
```

5. Try it (I already set a password for failuser previously):

```
[root@main ~]# ssh failuser@localhost
failuser@localhost's password:
Permission denied, please try again.
failuser@localhost's password:
Permission denied, please try again.
failuser@localhost's password:
failuser@localhost: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
```

**Note:** the password prompt appears 3 times. This is sshd behavior, not faillock's. If you want to change the number of prompts, add an option like:

```
ssh failuser@localhost -o 'NumberOfPasswordPrompts 5'
```

6. Check with faillock:

```
[root@main ~]# faillock
failuser:
When                Type  Source                                           Valid
2021-06-27 17:43:12 RHOST ::1                                                  V
2021-06-27 17:43:15 RHOST ::1                                                  V
gdm:
When                Type  Source                                           Valid
root:
When                Type  Source                                           Valid
student:
When                Type  Source                                           Valid
```

The user "failuser" failed twice. This means the user is locked. (BTW, I don't know how to see whether the user is locked or not.)

7. Unlock the user:

```
[root@main ~]# faillock --user failuser --reset
```
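The `faillock` listing above only shows tallies, not a lock flag, so here is an added example (not from the original post) that parses that listing and applies the documented pam_faillock rules for `deny=` and `unlock_time=` (0 meaning never auto-unlock) to decide which users are currently locked. The sample output is constructed to match the shape shown in the post; `fail_interval` is deliberately ignored, so treat the result as an approximation of what the PAM module itself decides.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the same shape as the `faillock` listing in the post.
SAMPLE_OUTPUT = """\
failuser:
When                Type  Source                                           Valid
2021-06-27 17:43:12 RHOST ::1                                                  V
2021-06-27 17:43:15 RHOST ::1                                                  V
gdm:
When                Type  Source                                           Valid
root:
When                Type  Source                                           Valid
"""

USER_RE = re.compile(r"^(\S+):$")
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+([VI])$")


def at(stamp):
    """Parse a faillock timestamp such as '2021-06-27 17:43:12'."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")


def parse_faillock(text):
    """Return {user: [(timestamp, valid)]} from `faillock` listing text."""
    tallies, user = {}, None
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:                       # "failuser:" starts a new user block
            user = m.group(1)
            tallies[user] = []
            continue
        m = ENTRY_RE.match(line)
        if m and user is not None:  # header lines do not match ENTRY_RE
            tallies[user].append((at(m.group(1)), m.group(4) == "V"))
    return tallies


def is_locked(entries, deny, unlock_time, now):
    """True if at least `deny` valid failures exist and the lock has not expired."""
    valid = [when for when, ok in entries if ok]
    if len(valid) < deny:
        return False
    if unlock_time == 0:            # never re-enabled without `faillock --reset`
        return True
    return now - max(valid) < timedelta(seconds=unlock_time)


def locked_users(text, deny=2, unlock_time=0, now=None):
    """Names of users the deny/unlock_time rules would currently lock out."""
    now = now or datetime.now()
    tallies = parse_faillock(text)
    return sorted(u for u, e in tallies.items() if is_locked(e, deny, unlock_time, now))
```

With the post's settings (deny=2, unlock_time=0) only `failuser` is reported locked; raising `deny` or letting a non-zero `unlock_time` expire clears it.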

[Reference sites]

[1] https://i66lab.com/User:xltran/App/CentOS/8/Administration/Authselect
[2] https://michaelpesa.com/posts/creating-custom-authselect-profiles/
[3] https://www.golinuxcloud.com/pam-faillock-lock-user-account-linux/
