Welcome to the Linux Foundation Forum!

Proper configuration of pam_faillock for tracking Failures across RADIUS and Local Auth


I am configuring PAM authentication. I have the following requirements for the authentication flow:

Scenario:
Primary authentication method: RADIUS
Secondary authentication method: Local (UNIX)

Requirements:
1) Unified failure tracking:
pam_faillock should account for all failed login attempts — whether they happen via RADIUS or local authentication. Once the total number of failures (e.g., 4) is reached, the user account should be locked.

2) Prevent local fallback if RADIUS is available:
If the RADIUS server is reachable and responding, PAM should not attempt local authentication. Only when RADIUS is unavailable (unreachable) should it fall back to local.

The current PAM configuration in /var/opt/tms/common-auth is as follows:
auth required pam_env.so
auth [success=1 default=ignore] pam_succeed_if.so quiet user in root
auth [success=done new_authtok_reqd=ok ignore=ignore authinfo_unavail=ignore user_unknown=ignore default=die] pam_tacplus.so conf=/var/opt/tms/output/pam_tacplus_server.conf try_first_pass service=silverpeak protocol=ip
auth required pam_faillock.so preauth audit even_deny_root deny=4 unlock_time=300
auth sufficient pam_unix.so nullok nodelay try_first_pass
auth required pam_faillock.so authfail audit deny=4 unlock_time=300
auth required pam_deny.so

Is there any configuration which satisfies my requirements?
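An added example, not the poster's configuration and not an answer from the forum: one way to order the stack so that remote and local failures land in the same pam_faillock tally and local authentication is only tried when the remote server cannot be reached. It keeps the post's pam_tacplus line as the remote module (the post calls the server RADIUS; if pam_radius_auth.so is what is installed, that line would take its place, which is an assumption) and relies on PAM's numeric jump syntax (success=N skips the next N modules) plus the authfail/authsucc layout from the pam_faillock man page.

```pam
# Added example (not the poster's config): one pam_faillock counter for remote and
# local failures, local fallback only when the remote server is unreachable.
auth required      pam_env.so
# 1. Consult the tally before any password is tried; requisite stops an already
#    locked user here instead of sending a password to the remote server.
auth requisite     pam_faillock.so preauth audit even_deny_root deny=4 unlock_time=300
# 2. root never goes to the remote server: skip the next 2 lines (remote auth and
#    the tally line that belongs to it) and go straight to local auth.
auth [success=2 default=ignore] pam_succeed_if.so quiet user in root
# 3. Remote auth (pam_tacplus.so as in the post; pam_radius_auth.so would sit here).
#      success / new_authtok_reqd -> skip 3 lines straight to authsucc (no local try)
#      authinfo_unavail           -> server unreachable: skip the remote tally, try local
#      user_unknown               -> not a remote user: same, try local
#      anything else              -> wrong remote password: mark the stack bad and
#                                    fall through to the tally line below
auth [success=3 new_authtok_reqd=3 authinfo_unavail=1 user_unknown=1 default=bad] pam_tacplus.so conf=/var/opt/tms/output/pam_tacplus_server.conf try_first_pass service=silverpeak protocol=ip
# 4. Remote server rejected the password: record the failure and stop. No local fallback.
auth [default=die]  pam_faillock.so authfail audit even_deny_root deny=4 unlock_time=300
# 5. Local auth, reached only for root or when the remote server was unreachable.
auth [success=1 default=bad] pam_unix.so nullok nodelay try_first_pass
# 6. Local password wrong: same counter as the remote failures, then stop.
auth [default=die]  pam_faillock.so authfail audit even_deny_root deny=4 unlock_time=300
# 7. Either path succeeded: reset the counter and end the auth stack.
auth sufficient    pam_faillock.so authsucc audit even_deny_root deny=4 unlock_time=300
auth required      pam_deny.so
```

Whether the remote module really returns PAM_AUTHINFO_UNAVAIL on a timeout (rather than PAM_AUTH_ERR) decides if fallback happens at all, so test both a wrong password and an unreachable server and check the counter with `faillock --user <name>` after each attempt.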
