
Lab 9.2 Locking Accounts after Excessive Login Attempts

m.taniguchi (Posts: 24)
edited June 2021 in LFS216 Class Forum

I think the current contents of Lab 9.2 do not seem to work in a CentOS 8 environment, and I think the contents should be updated.
At least,

  1. pam_tally2 is obsolete; instead, **pam_faillock** is recommended
  2. You shouldn't modify the password-auth/system-auth files manually (it's prohibited to do so, as stated in the files themselves)
  3. You should use the **authselect** command instead (**authconfig** is an older command)

In short, it's better to exercise this lab as follows:

  • Use **pam_faillock**, not **pam_tally2**
  • Use authselect and modify the configuration _indirectly_

[What I did ]

  1. Create an authselect user profile from the current sssd profile
[root@main ~]# authselect create-profile test-lab -b sssd    (the profile name is test-lab)
  2. Switch to the profile above with the faillock feature
[root@main ~]# authselect select custom/test-lab with-faillock without-nullok
[root@main ~]# authselect current 
Profile ID: custom/test-lab
Enabled features:
- with-faillock
- without-nullok
  3. Change password-auth/system-auth indirectly
[root@main ~]# vim /etc/authselect/custom/test-lab/password-auth
[root@main ~]# vim /etc/authselect/custom/test-lab/system-auth

I set the deny count to two (deny=2) and unlock_time to 0 (infinite) (see [Reference sites][1]).

  4. Apply the above changes
[root@main ~]# authselect apply-changes
  5. Try
    (I already set a password for failuser previously.)
[root@main ~]# ssh failuser@localhost
failuser@localhost's password: 
Permission denied, please try again.
failuser@localhost's password: 
Permission denied, please try again.
failuser@localhost's password: 
failuser@localhost: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

**Note:** the password prompt appears 3 times. This is sshd behaviour, not faillock's. If you want to change the number of prompts, add an option like:

ssh failuser@localhost -o 'NumberOfPasswordPrompts 5'

  6. Check with faillock
[root@main ~]# faillock 
failuser:
When                Type  Source                                           Valid
2021-06-27 17:43:12 RHOST ::1                                                  V
2021-06-27 17:43:15 RHOST ::1                                                  V
gdm:
When                Type  Source                                           Valid
root:
When                Type  Source                                           Valid
student:
When                Type  Source                                           Valid

The user "failuser" failed twice. This means the user is locked. (BTW, I don't know how to see whether the user is locked or not.)

  7. Unlock the user
    [root@main ~]# faillock --user failuser --reset

[Reference sites]

[1] https://i66lab.com/User:xltran/App/CentOS/8/Administration/Authselect
[2] https://michaelpesa.com/posts/creating-custom-authselect-profiles/
[3] https://www.golinuxcloud.com/pam-faillock-lock-user-account-linux/
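The procedure above edits the pam_faillock lines in the custom profile by hand and then reads the `faillock` table by eye to decide whether a user is locked. The script below is an added example, not part of the original post or of authselect/pam_faillock: it automates those two steps on constructed sample input (a profile fragment whose pam_faillock lines and `{include if ...}` markers are assumed to look like the ones shown, and a copy of the `faillock` output from the post), so it runs offline without touching a real system. `set_faillock_params` rewrites the auth-phase pam_faillock.so lines to carry `deny=` and `unlock_time=` while preserving the authselect feature markers; `locked_users` answers the "is the user locked?" question by counting the entries still marked Valid (V) against the deny threshold, since `faillock` prints no explicit lock flag.

```shell
#!/bin/sh
# Added example (not from the original post): helpers around the faillock
# workflow described above. Both inputs below are CONSTRUCTED samples that
# mirror the post's output; nothing here talks to a real system.
set -e

# Constructed `faillock` output, copied in shape from the post (two valid
# failures for failuser, none for the other users).
FAILLOCK_SAMPLE='failuser:
When                Type  Source                                           Valid
2021-06-27 17:43:12 RHOST ::1                                                  V
2021-06-27 17:43:15 RHOST ::1                                                  V
gdm:
When                Type  Source                                           Valid
root:
When                Type  Source                                           Valid
student:
When                Type  Source                                           Valid'

# Constructed fragment of an authselect custom-profile password-auth file.
# The pam_faillock lines and their {include if ...} markers are ASSUMED to
# look like this; the real template on your system may differ.
PROFILE_SAMPLE='auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent                         {include if "with-faillock"}
auth        sufficient    pam_unix.so nullok try_first_pass                      {exclude if "without-nullok"}
auth        required      pam_faillock.so authfail                               {include if "with-faillock"}
account     required      pam_faillock.so                                        {include if "with-faillock"}'

# locked_users DENY: read `faillock` output on stdin and print, one per line,
# every user with at least DENY entries still marked Valid (V). faillock has
# no explicit "locked" flag; with unlock_time=0 such a user stays locked until
# `faillock --user NAME --reset`.
locked_users() {
  awk -v deny="$1" '
    /^[^ \t]+:$/ { user = substr($0, 1, length($0) - 1); count[user] = 0; next }
    $NF == "V"   { count[user]++ }
    END { for (u in count) if (count[u] >= deny) print u }
  ' | sort
}

# set_faillock_params DENY UNLOCK: rewrite the auth-phase pam_faillock.so
# lines of a profile read on stdin so they carry deny=DENY unlock_time=UNLOCK,
# keeping the authselect {include ...} marker at the end of the line. Any
# deny=/unlock_time= already present is replaced. The account-phase line is
# left alone: the options belong on the preauth/authfail lines.
set_faillock_params() {
  awk -v d="$1" -v u="$2" '
    /^auth[ \t]+.*pam_faillock\.so/ {
      gsub(/ ?(deny|unlock_time)=[0-9]+/, "")
      opts = " deny=" d " unlock_time=" u
      p = index($0, "{include")
      if (p > 0) {
        head = substr($0, 1, p - 1)
        sub(/[ \t]+$/, "", head)
        $0 = head opts "  " substr($0, p)
      } else {
        $0 = $0 opts
      }
    }
    { print }
  '
}

# Demo on the constructed samples. On a real host you would feed the files
# under /etc/authselect/custom/<profile>/ and the output of `faillock`
# instead, then run `authselect apply-changes`.
printf '%s\n' "$PROFILE_SAMPLE" | set_faillock_params 2 0
echo "locked with deny=2:"
printf '%s\n' "$FAILLOCK_SAMPLE" | locked_users 2
```

Two caveats worth keeping in mind when adapting this: on CentOS 8.2 and later pam_faillock also reads /etc/security/faillock.conf, and that file, not the profile's PAM lines, is where deny= and unlock_time= are normally set, so check which location your template uses before editing; and the count-based check only reflects entries that `faillock` still reports as Valid, so a user whose failures have aged out of fail_interval will correctly not show as locked.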
