Linux PAM User Login authentication

Source: Internet
Author: User
Tags: system log

PAM (Pluggable Authentication Modules) is an authentication framework originally developed by Sun. It decouples the services a system provides from the authentication of those services: a set of dynamic libraries and a unified API let the administrator configure different authentication methods for different services as needed without changing the service program, and make it easy to add new authentication methods to the system. Starting with this article, I will summarize common PAM modules and what they do; this one covers the pam_tally2 module.

I. Parameters and Scenarios

Scenario: lock a Linux user account after n consecutive failed logins, either automatically for x minutes or permanently (a permanent lock stays in place until it is removed manually).

Configuration format:


pam_tally2.so [file=/path/to/counter] [onerr=[fail|succeed]] [magic_root] [even_deny_root] [deny=n] [lock_time=n] [unlock_time=n]
              [root_unlock_time=n] [serialize] [audit] [silent] [no_log_info]



Parameters:

1. Global Parameters



    • file=/path/to/counter: where the failure counts are stored; defaults to /var/log/tallylog;

    • onerr=[fail|succeed]: what to return when something unexpected happens (for example the tally file cannot be opened): PAM_SUCCESS with onerr=succeed, otherwise the corresponding PAM error code. Generally left unset; be aware that onerr=succeed makes the module fail open;

    • audit: if the user being authenticated does not exist, write the attempted user name to the system log;

    • silent: silent mode, print no informational messages to the user;

    • no_log_info: do not log informational messages via syslog.



These five global parameters rarely need to be set explicitly.

2. Authentication Options


  • deny=n: the maximum number of authentication failures tolerated; once the count exceeds n, the lockout policy applies, for example locking for a given number of seconds. If no unlock option is given, the account stays locked until it is manually unlocked.

  • lock_time=n: always deny access for n seconds after a failed attempt, regardless of the count;

  • unlock_time=n: once the user has been locked out, allow access again n seconds after the last failed attempt;

  • magic_root: if the module is invoked by a process running as uid 0 (root, or a root-equivalent account), a failure is not counted. Intended for user-launched services such as su;

  • no_lock_time: my understanding is that the user is not locked;

  • even_deny_root: the root account is locked in the same way on authentication failures (use with care: if root is locked out and you have no other way in, such as single-user mode, you cannot unlock it)

  • root_unlock_time=n: how long root stays locked after exceeding the limit; this option implies even_deny_root and is generally used together with it.


II. Examples of Use
1. Example:


auth required pam_tally2.so deny=3 unlock_time=5 even_deny_root root_unlock_time=10


Up to three consecutive authentication failures are tolerated; after that the account is locked and unlocks 5 seconds after the last attempt. root can be locked as well, and unlocks after 10 seconds. Note that every attempt made while the account is locked, including one with the correct password, still bumps the counter and updates the failure time, so the unlock timer effectively restarts from the most recent attempt rather than from the one that triggered the lock.

Which file you put the line in determines what it covers: in /etc/pam.d/login it restricts only the local text console;

in /etc/pam.d/kde it applies to logins through the KDE graphical login;

in /etc/pam.d/sshd it applies to SSH connections;

in /etc/pam.d/system-auth it applies to every service that includes system-auth.

Place the pam_tally2 auth line ahead of pam_unix.so. If it sits after an "auth sufficient pam_unix.so", a correct password short-circuits the stack before pam_tally2 runs, and a locked account is never actually denied.

The following is the login example given in the pam_tally2 man page:



auth     required       pam_securetty.so
auth     required       pam_tally2.so deny=4 even_deny_root unlock_time=1200
auth     required       pam_env.so
auth     required       pam_unix.so
auth     required       pam_nologin.so
account  required       pam_unix.so
password required       pam_unix.so
session  required       pam_limits.so
session  required       pam_unix.so
session  required       pam_lastlog.so nowtmp
session  optional       pam_mail.so standard
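Editing PAM stacks by hand is error-prone, and the placement rule above (pam_tally2 before pam_unix.so and before any sufficient module) is easy to get wrong. The script below is an added example, not code from the original post or from the pam_tally2 project: it installs or replaces a pam_tally2 policy in a service file idempotently, keeps a backup, and verifies the result. The sshd stack it operates on is a constructed copy of a typical Red Hat-style file, not a real system file, and the deny/unlock values are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): idempotently install a
# pam_tally2 lockout policy into a PAM service file such as /etc/pam.d/sshd.
# The pam_tally2 auth line is inserted in front of the first auth line, so
# it runs before pam_unix.so; if it came after an "auth sufficient
# pam_unix.so", a correct password would bypass the lockout entirely.
# The account line is optional; per the man page it resets the counter on
# successful login for services that do not call pam_setcred correctly.
# File paths and deny/unlock values below are demo assumptions.

set -eu

TALLY_AUTH_RE='^auth[[:space:]].*pam_tally2\.so'

# install_tally2 FILE DENY UNLOCK_TIME [ROOT_UNLOCK_TIME]
install_tally2() {
    file=$1; deny=$2; unlock=$3; root_unlock=${4:-$3}
    auth_line="auth     required   pam_tally2.so deny=$deny unlock_time=$unlock even_deny_root root_unlock_time=$root_unlock"
    acct_line="account  required   pam_tally2.so"
    cp -p "$file" "$file.bak"            # keep a backup before touching PAM
    tmp=$(mktemp)
    awk -v auth="$auth_line" -v acct="$acct_line" '
        # drop any existing pam_tally2 lines: replace the policy, never duplicate it
        /^auth[[:space:]].*pam_tally2\.so/    { next }
        /^account[[:space:]].*pam_tally2\.so/ { next }
        # first auth line: put the tally line in front of it
        /^auth[[:space:]]/    && !a { print auth; a = 1 }
        /^account[[:space:]]/ && !c { print acct; c = 1 }
        { print }
        END {
            # service files that have no auth/account stack at all
            if (!a) print auth
            if (!c) print acct
        }' "$file" > "$tmp"
    cat "$tmp" > "$file"                 # rewrite in place: keeps owner/mode
    rm -f "$tmp"
}

# tally2_line FILE   -> prints the installed auth line (empty if none)
tally2_line() { grep -E "$TALLY_AUTH_RE" "$1" || true; }

# count_tally2 FILE  -> number of auth pam_tally2 lines (must be exactly 1)
count_tally2() { grep -cE "$TALLY_AUTH_RE" "$1" || true; }

# Demo on a constructed copy of a typical sshd stack (not a real system file).
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    required     pam_selinux.so close
EOF
install_tally2 "$demo_file" 3 300 600
install_tally2 "$demo_file" 5 600        # second run replaces, does not duplicate
echo "installed: $(tally2_line "$demo_file")"
echo "pam_tally2 auth lines: $(count_tally2 "$demo_file")"
```

Run it against a real service file only after checking the result with a second root session still open: a typo in a PAM file can lock everyone out, which is why the script keeps a .bak copy.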



Note: the difference between pam_tally2 and the older pam_tally module is that pam_tally2 adds automatic unlocking after a timeout (unlock_time) and pam_tally does not. On old releases that only have pam_tally, you can get automatic unlocking by combining pam_tally's faillog counters with a cron job that runs faillog -r periodically.


2. Viewing failure counts and unlocking

You can view the failure count and details for the user 361way with the following command:


pam_tally2 --user 361way


The following command clears the failure count for 361way, which is how the account is unlocked manually:


pam_tally2 --user 361way --reset


Note that faillog -r resets the counters in /var/log/faillog, the file used by the old pam_tally module; it does not touch pam_tally2's /var/log/tallylog, so for pam_tally2 the --reset command above is the one to use.
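Checking one user at a time does not scale once several services share the policy. The following is an added example, not part of the original post: run with no arguments, pam_tally2 prints a table (Login, Failures, Latest failure, From) for every user with a non-zero count, and the functions below filter that table for accounts whose count exceeds deny and print the matching reset commands without running them. The table rows here are constructed for the demo, not captured from a real host; the user names and addresses are made up.

```shell
#!/bin/sh
# Added example (not from the original post): list accounts currently
# locked by pam_tally2 and generate the matching reset commands.
# deny=n denies once the count EXCEEDS n, so the test is Failures > n.
# On a live host: pam_tally2 | locked_users 3

set -eu

# Constructed sample of the table pam_tally2 prints (not from a real host).
SAMPLE_TALLY='Login           Failures Latest failure     From
361way              4    07/01/16 10:15:32  192.0.2.10
alice               2    07/01/16 10:20:01  192.0.2.11
root                7    07/01/16 10:21:45  tty1'

# locked_users DENY   reads the table on stdin, prints one login per line
# whose Failures column is greater than DENY (header line is skipped).
locked_users() {
    awk -v deny="$1" 'NR > 1 && $2 + 0 > deny + 0 { print $1 }'
}

# reset_commands DENY   prints, but does not execute, one
# "pam_tally2 --user X --reset" per locked account for review.
reset_commands() {
    locked_users "$1" | while read -r u; do
        printf 'pam_tally2 --user %s --reset\n' "$u"
    done
}

echo "locked with deny=3:"
printf '%s\n' "$SAMPLE_TALLY" | locked_users 3
echo "to unlock:"
printf '%s\n' "$SAMPLE_TALLY" | reset_commands 3
```

root appears in the locked list only because its count exceeds deny; whether root is actually denied depends on even_deny_root being set in the policy, so review the list before piping the reset commands into sh.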


This article is from the "Desert Camel" blog; please keep this source when reproducing it: http://maomaochong.blog.51cto.com/9260445/1833015

