Lab 36.1 - PAM module

Elyas Posts: 28
edited February 2016 in LFS201 Class Forum

I use Ubuntu and try to follow the steps described in the lab.

I unfortunately cannot make use of PAM.

I inserted the lines that were given

auth required pam_tally2.so deny=3 onerr=fail
account required pam_tally2.so

into the /etc/pam.d/sshd file, but after three failed attempts I can log in via SSH successfully. The command sudo pam_tally2 does not display anything either.

Maybe I need to put the two lines in a proper place in the file (if the order does matter)?

Can anyone help me with that? Any advice?

Comments

  • Elyas Posts: 28
    edited February 2016
    On CentOS 7 it just works as described in the lab.

    I think I solved it on Ubuntu. You might need to adapt the /etc/ssh/sshd_config file.

    First of all you should activate PAM for SSH:
    UsePAM yes
    

    Then you should make sure the following lines are as follows (I don't understand exactly why or what those lines do exactly, but it works that way):
    ChallengeResponseAuthentication yes
    PasswordAuthentication no
    

    Once this is done simply follow the lab instructions and it should work as expected.
  • Hi Elyas,

    I'm glad that you were able to solve the issue. It's common to find some differences between distros, so be sure that you will find more with time.

    You can find more information about PAM here:

    http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html

    Regards,
    Luis.
  • dbuday Posts: 17

    It doesn't solve it here.

    I'm using Ubuntu 14.04 and have the same problem.

     

    I've added those lines, but nothing happens.

    pam_tally2 doesn't report any login failures (counter is always at 0).

    UsePAM yes is already uncommented in /etc/ssh/sshd_config (very last line)

    I also tried restarting ssh service - no help there.

    I tried logging in on the console (tty3 - I always use 1 and 2) - nothing.

    Any ideas?

  • luisviveropena Posts: 296
    edited June 2016

    Hi, I'm going to do a test on Ubuntu 14.04 and I'll let you know what I found.

    Regards,

    Luis.

  • vam Posts: 6
    edited July 2016

    ubuntu 14.04, openssh-server, confirmed not working

    editing options doesn't work

  • Ajlinux Posts: 1
    edited September 2016

    Hi

    Hope you are well.

    Do we have instruction updates on this? Need to resolve this for the labs.

     

    Thanks

    AJ

  • luisviveropena Posts: 296
    edited September 2016

    Hi,

    I did the test on Ubuntu 14.04 and in fact it didn't work. I'll see if I can troubleshoot it. And as reported, pam_tally2 doesn't report any login issues.

    Regards,

    Luis.

  • Hi,

    I got it to work with the following at the beginning of the configuration file:

    auth required pam_tally2.so deny=3 onerr=fail

    @include common-auth

    account required pam_tally2.so 

    [...]

    Regards,

    Luis.
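
Added example, not part of the thread or the lab: a small Python check for the ordering described in the post above, reporting when the `auth ... pam_tally2.so` line of a PAM service file comes after `@include common-auth` or another auth rule. The function names and both sample configurations are constructed for illustration.

```python
import re

# PAM rule: type control module [args]; control may be bracketed, e.g. [success=1 default=ignore]
RULE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Yield (lineno, type, module, args); '@include X' yields type 'include', module X."""
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) > 1 and parts[0] == "@include":
            yield n, "include", parts[1], []
            continue
        m = RULE.match(" ".join(parts))
        if m:
            yield n, m.group(1), m.group(3).rsplit("/", 1)[-1], m.group(4).split()

def check_tally2(text):
    """Return a list of problems with pam_tally2 placement in one PAM service file."""
    rules = list(parse_pam(text))
    # Entries that run in the auth stack, in file order. Only common-auth is
    # treated as an auth include (the file name used in the thread).
    auth_flow = [r for r in rules
                 if r[1] == "auth" or (r[1] == "include" and r[2] == "common-auth")]
    tally = [r for r in auth_flow if r[2] == "pam_tally2.so"]
    problems = []
    if not tally:
        problems.append("no auth pam_tally2.so line")
    else:
        first = auth_flow[0]
        if first[2] != "pam_tally2.so":
            problems.append(f"line {first[0]} ({first[2]}) runs before "
                            f"pam_tally2.so on line {tally[0][0]}")
        if not any(a.startswith("deny=") for a in tally[0][3]):
            problems.append("auth pam_tally2.so has no deny= threshold")
    if not any(r[1] == "account" and r[2] == "pam_tally2.so" for r in rules):
        problems.append("no account pam_tally2.so line")
    return problems

# Constructed samples: the lab lines appended at the end vs. placed first.
APPENDED = ("@include common-auth\naccount required pam_nologin.so\n"
            "@include common-account\n"
            "auth required pam_tally2.so deny=3 onerr=fail\n"
            "account required pam_tally2.so\n")
AT_TOP = ("auth required pam_tally2.so deny=3 onerr=fail\n@include common-auth\n"
          "account required pam_tally2.so\n@include common-account\n")

if __name__ == "__main__":
    for name, cfg in (("appended", APPENDED), ("at top", AT_TOP)):
        print(name, "->", check_tally2(cfg) or "ok")
```

To check a real system, pass the contents of /etc/pam.d/sshd to `check_tally2`.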

  • While pam_tally2 -u username reports the failed logins, it doesn't actually lock the account for me.  Are you sure the configuration you used locks the account after 3 failed attempts? 

    Thanks

    Harry

  • The above setting will report correctly the failed logins.  However, it doesn't really lock the account.  Are there any other files to be edited in addition to the sshd file?

    Thanks.

    Harry

  • Hi,

    Yes, it locked the account for me. In fact I was unable to connect by ssh and I received an error message.

    Regards,

    Luis.
