Proper configuration of pam_faillock for tracking Failures across RADIUS and Local Auth
I am configuring PAM authentication. I have the following requirements for the authentication flow:
Scenario:
Primary authentication method: RADIUS
Secondary authentication method: Local (UNIX)
Requirements:
1)Unified failure tracking:
pam_faillock should account for all failed login attempts — whether they happen via RADIUS or local authentication. Once the total number of failures (e.g., 4) is reached, the user account should be locked.
2)Prevent local fallback if RADIUS is available:
If the RADIUS server is reachable and responding, PAM should not attempt local authentication . Only when RADIUS is unavailable
( unreachable), it should fall back to local.
the current PAM configuration in /var/opt/tms/common-auth is as follows:
auth required pam_env.so
auth [success=1 default=ignore] pam_succeed_if.so quiet user in root
auth [success=done new_authtok_reqd=ok ignore=ignore authinfo_unavail=ignore user_unknown=ignore default=die] pam_tacplus.so conf=/var/opt/tms/output/pam_tacplus_server.conf try_first_pass service=silverpeak protocol=ip
auth required pam_faillock.so preauth audit even_deny_root deny=4 unlock_time=300
auth sufficient pam_unix.so nullok nodelay try_first_pass
auth required pam_faillock.so authfail audit deny=4 unlock_time=300
auth required pam_deny.so
is there any configuration which statisfies my requirements?
Categories
- All Categories
- 175 LFX Mentorship
- 175 LFX Mentorship: Linux Kernel
- 745 Linux Foundation IT Professional Programs
- 372 Cloud Engineer IT Professional Program
- 168 Advanced Cloud Engineer IT Professional Program
- 73 DevOps IT Professional Program - Discontinued
- 3 DevOps & GitOps IT Professional Program
- 98 Cloud Native Developer IT Professional Program
- 7.6K Training Courses & Learning Paths
- AI & ML Training
- Blockchain & Decentralized Identity Training
- Cloud & Containers Training
- Cybersecurity Training
- DevOps & Site-Reliability Training
- Linux Kernel Development Training
- Networking Training
- Open Source Best Practice Training
- System Administration Training
- System Engineering Training
- Web & Application Development Training
- 2 LFD103-JP クラス フォーラム
- 4 LFD210-CN Class Forum
- 764 LFD259 Class Forum
- 681 LFS101 Class Forum
- 2 LFS158-JP クラス フォーラム
- 162 LFS207 Class Forum
- 3 LFS207-DE-Klassenforum
- 4 LFS207-JP クラス フォーラム
- 61 LFS241 Class Forum
- 52 LFS242 Class Forum
- 42 LFS243 Class Forum
- 19 LFS244 Class Forum
- 4 LFS250-JP クラス フォーラム
- 166 LFS253 Class Forum
- 19 LFS256 Class Forum
- 1.4K LFS258 Class Forum
- 165 LFS261 Class Forum
- 26 LFS267 Class Forum
- 792 Hardware
- 202 Drivers
- 68 I/O Devices
- 37 Monitors
- 95 Multimedia
- 173 Networking
- 91 Printers & Scanners
- 87 Storage
- 768 Linux Distributions
- 81 Debian
- 67 Fedora
- 22 Linux Mint
- 13 Mageia
- 24 openSUSE
- 150 Red Hat Enterprise
- 31 Slackware
- 13 SUSE Enterprise
- 356 Ubuntu
- 465 Linux System Administration
- 31 Cloud Computing
- 73 Command Line/Scripting
- Github systems admin projects
- 98 Linux Security
- 78 Network Management
- 101 System Management
- 46 Web Management
- 105 Mobile Computing
- 18 Android
- 72 Development
- 1.2K New to Linux
- 1K Getting Started with Linux
- 392 Off Topic
- 121 Introductions
- 181 Small Talk
- 29 Study Material
- 944 Programming and Development
- 310 Kernel Development
- 616 Software Development
- 976 Software
- 368 Applications
- 182 Command Line
- 5 Compiling/Installing
- 68 Games
- 317 Installation
- Archived
- 2 LFD140 Class Forum
Upcoming Training
-
August 20, 2018
Kubernetes Administration (LFS458)
-
August 20, 2018
Linux System Administration (LFS301)
-
August 27, 2018
Open Source Virtualization (LFS462)
-
August 27, 2018
Linux Kernel Debugging and Security (LFD440)