06-30-2010
From the man page of pam_tally
Quote:
lock_time=n
Always deny for n seconds after failed attempt.
unlock_time=n
Allow access after n seconds after failed attempt. If this option is used the user will be locked out for the specified amount of time after he exceeded his maximum allowed attempts. Otherwise the account is locked until the lock is removed by a manual intervention of the system administrator.
In my interpretation (tho I'm not sure) this means that lock_time will block access for a certain time after
each failed attempt, which would be useful to slow down a brute-force attack. unlock_time, however, sets the time until an account is automatically unlocked after the maximum number of tries.
This User Gave Thanks to pludi For This Post:
10 More Discussions You Might Find Interesting
1. Solaris
passwd only changes the password but i need to change the user name
tnx (5 Replies)
Discussion started by: umen
5 Replies
2. UNIX for Dummies Questions & Answers
I have access to 15+ UNIX boxes at work, and I do not consistently log onto all of them over time. When I do try to access one I havent been on in awhile, my account is locked as the password has expired.
I need to request to the UNIX SA's that the password expiration is 90 days and that if it... (1 Reply)
Discussion started by: stringzz
1 Replies
3. UNIX for Dummies Questions & Answers
Thanks
AVKlinux (3 Replies)
Discussion started by: avklinux
3 Replies
4. Debian
hello friends,
one user is created named "user1"
I login as "user1" . Now when i do "su -" to be root user I have to give password for root .
Is there any way through which we can skip giving the password to root.
i.e.
user1@work:~$ su -
Password: xxxxxx
work:~$
I don't want that... (1 Reply)
Discussion started by: pradeepreddy
1 Replies
5. Shell Programming and Scripting
I am trying to create a shell script that will:
check if a specific user already exists
if not, create a specific group and create the user in that group
assign a password to that user, where the password is passed in as a parameter to the script
The problem that I need help with is 3 on... (4 Replies)
Discussion started by: killuane
4 Replies
6. Solaris
Hi Everyone, my name`s Sergio.
I need your help please. I have a problem using Solaris 9. I create an account with the command line "useradd", with this I have no problem.
My problem is I need set the created account to NP (No Password or Non Login). For example:
cat /etc/shadow
... (2 Replies)
Discussion started by: roswell
2 Replies
7. Shell Programming and Scripting
Hi All,
I have one requirment..
I need to change my id to some sudo account in a server.. Actually our username/passwd will be stored in one gip file like below...
$cat .a.gz #It's hidden file
username
passwd
$
So I tried the below script to pass the password when i sudo to... (7 Replies)
Discussion started by: raghu.iv85
7 Replies
8. Shell Programming and Scripting
I need some help creating a condition for looking up hosts. I have this master host file that has data in the following columns:
FQDN primary IP secondary IP third IP
I need the hostnames to feed into another script I use for provisioning users. The FQDN doesn't always work for... (2 Replies)
Discussion started by: MaindotC
2 Replies
9. Red Hat
Dear All ,
I have created a user named X and gave sudo permissions for it , So that it can access some commands as root.
This particular user can login to the server using SSH login through putty any where with in the network.
But there is some issue , when the same user is trying from... (4 Replies)
Discussion started by: jegaraman
4 Replies
10. Forum Support Area for Unregistered Users & Account Problems
Neo
Thanks for your reply to my original post, entitled "Problem changing the email address associated with my unix.com account".
I am unable to reply to you in that thread, as I am unable to log-on to unix.com!
From what you said about purging dormant accounts, it is likely that my account... (1 Reply)
Discussion started by: irb
1 Replies
LEARN ABOUT CENTOS
system-auth-ac
SYSTEM-AUTH-AC(5) File Formats Manual SYSTEM-AUTH-AC(5)
NAME
system-auth-ac, password-auth-ac, smartcard-auth-ac, fingerprint-auth-ac, postlogin-ac - Common configuration files for PAMified services
written by authconfig(8)
SYNOPSIS
/etc/pam.d/system-auth-ac
DESCRIPTION
The purpose of this configuration file is to provide common configuration file for all applications and service daemons calling PAM
library.
The system-auth configuration file is included from all individual service configuration files with the help of the include directive. When
authconfig(8) writes the system PAM configuration file it replaces the default system-auth file with a symlink pointing to system-auth-ac
and writes the configuration to this file. The symlink is not changed on subsequent configuration changes even if it points elsewhere. This
allows system administrators to override the configuration written by authconfig.
The authconfig now writes the authentication modules also into additional PAM configuration files /etc/pam.d/password-auth-ac,
/etc/pam.d/smartcard-auth-ac, and /etc/pam.d/fingerprint-auth-ac. These configuration files contain only modules which perform authentica-
tion with the respective kinds of authentication tokens. For example /etc/pam.d/smartcard-auth[-ac] will not contain pam_unix and pam_ldap
modules and /etc/pam.d/password-auth[-ac] will not contain pam_pkcs11 and pam_fprintd modules.
The file /etc/pam.d/postlogin-ac contains common services to be invoked after login. An example can be a module that encrypts an user's
filesystem or user's keyring and is decrypted by his password.
The PAM configuration files of services which are accessed by remote connections such as sshd or ftpd now include the /etc/pam.d/password-
auth configuration file instead of /etc/pam.d/system-auth.
EXAMPLE
Configure system to use pam_tally2 for configuration of maximum number of failed logins. Also call pam_access to verify if access is
allowed.
Make system-auth symlink point to system-auth-local which contains:
auth requisite pam_access.so
auth requisite pam_tally2.so deny=3 lock_time=30
unlock_time=3600
auth include system-auth-ac
account required pam_tally2.so
account include system-auth-ac
password include system-auth-ac
session include system-auth-ac
BUGS
None known.
SEE ALSO
authconfig(8), authconfig-gtk(8), pam(8), system-auth(5)
Red Hat, Inc. 2010 March 31 SYSTEM-AUTH-AC(5)