Use the pam_tally2 module to lock an account after repeated password failures by adding a pam_tally2 rule to /etc/pam.d/common-auth:
auth required pam_tally2.so deny=5
Once this is configured, when a user enters a wrong password 5 times at login or SSH authentication, the account is locked for 10 seconds; after the account is unlocked, entering the correct password resets the pam_tally2 counter to zero.
The command to view the counter is as follows:
pam_tally2 -u admin
The result looks like this:
# pam_tally2 -u admin
Login           Failures Latest failure     From
admin               2    04/10/14 11:21:16  /dev/pts/0
However, when using sudo, the counter is not cleared normally: every sudo invocation increments the counter and it is never reset to zero, unless it is cleared manually with:
pam_tally2 -u admin --reset
The locking behaviour also becomes erratic: after several sudo invocations the account gets locked.
[admin@host root]$ sudo bash -c "echo aaa"
[sudo] password for admin:
Sorry, try again.
[sudo] password for admin:
Sorry, try again.
[sudo] password for admin:
Sorry, try again.
[sudo] password for admin:
aaa
[admin@host root]$ sudo bash -c "echo aaa"
[sudo] password for admin:
Sorry, try again.
Your account is locked. Maximum amount of failed attempts was reached.
[sudo] password for admin:
I can see that I entered the password correctly the fourth time and the screen printed "aaa", but when I entered a wrong password again, my account was locked. Viewing the counter shows more than 5 failures:
# pam_tally2 -u admin
Login           Failures Latest failure     From
admin               6    04/10/14 11:27:14  /dev/pts/0
This is a Red Hat bug; the bug number can be found at the link below. There is a temporary workaround, and the latest sudo version should have fixed the problem:
https://bugzilla.redhat.com/show_bug.cgi?id=707660
The workaround is to add the following line to the account section of the system-auth configuration file:
account required pam_tally2.so
This makes the counter reset to zero each time sudo receives the correct password. The pam_tally2 documentation explains this:
"Account phase resets attempts counter if the user is not magic root. This phase can be used optionally for services which don't call pam_setcred(3) correctly or if the reset should be done regardless of the failure of the account phase of other modules."
One possible cause of this problem is that sudo closes the PAM session before performing the requested action and does not call pam_setcred() correctly; the returned error code is treated as a failure, so the pam_tally2 counter keeps accumulating.
Solutions
In the common-auth configuration file, after the line
auth required pam_tally2.so deny=5
add the following line to the account section:
account required pam_tally2.so
Another problem that was found:
There seem to be many problems between sudo and pam_tally2. Recently there was another one: after entering the wrong password 5 times, the account is locked and waits for the timeout, but the first attempt after the timeout ends is rejected with "Sorry, try again" even with the correct password, and only the second attempt passes. After half a day of experimenting, without reading the pam_tally code, it feels like a bug, but there is a workaround: move the pam_unix line, which comes after pam_tally, in front of it. Because it is "sufficient", once pam_unix passes, pam_tally is not reached, and the problem goes away. However, swapping the order will cause the pam_tally counter not to be cleared and may have other side effects.
Also, the earlier configuration had an error: the pam_tally in rhel5 does not support the "no_magic_root" parameter, so it has been removed.
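A defender-side check for the three configuration points discussed above (the auth line, its order relative to pam_unix, and the account-line workaround for sudo), written here as an added example and not taken from the post. The sample stack files are constructed, and the parsing assumes the usual PAM line layout of type, control, module, arguments:

```shell
#!/bin/sh
# Added example, not code from the original post: audit a PAM stack file for
# the pam_tally2 settings discussed above. The sample stacks are constructed
# below so the script runs offline; on a real host point it at
# /etc/pam.d/common-auth (Debian/Ubuntu) or /etc/pam.d/system-auth (RHEL).
# check_tally_stack FILE -> prints findings and returns 0 only when:
#  1. an "auth required pam_tally2.so deny=N" line is present,
#  2. it comes before the pam_unix.so auth line (after a sufficient pam_unix
#     it is skipped on a correct password: no lock, no counter reset), and
#  3. "account required pam_tally2.so" is present (the sudo reset workaround).
check_tally_stack() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        {
            n++; type = tolower($1); ctrl = tolower($2); mod = ""
            for (i = 2; i <= NF; i++)         # module = first field ending in .so
                if ($i ~ /\.so$/) { mod = $i; break }
            if (type == "auth" && mod == "pam_tally2.so" && $0 ~ /deny=[0-9]+/ && !auth_tally) auth_tally = n
            if (type == "auth" && mod == "pam_unix.so" && !auth_unix) auth_unix = n
            if (type == "account" && ctrl == "required" && mod == "pam_tally2.so") acct_tally = n
        }
        END {
            bad = 0
            if (!auth_tally) { print "MISSING: auth required pam_tally2.so deny=N"; bad = 1 }
            if (auth_tally && auth_unix && auth_tally > auth_unix) {
                print "ORDER: pam_tally2 auth line is after pam_unix; a successful pam_unix can skip it"; bad = 1 }
            if (!acct_tally) { print "MISSING: account required pam_tally2.so (sudo never resets the counter)"; bad = 1 }
            if (!bad) print "OK"
            exit bad
        }' "$1"
}
# Constructed sample stacks (not real system files).
tmp=$(mktemp -d)
cat > "$tmp/before" <<'EOF'
# auth line from the post, but placed after pam_unix and without the account line
auth    sufficient  pam_unix.so nullok try_first_pass
auth    required    pam_tally2.so deny=5
account required    pam_unix.so
EOF
cat > "$tmp/after" <<'EOF'
auth    required    pam_tally2.so deny=5
auth    sufficient  pam_unix.so nullok try_first_pass
account required    pam_tally2.so
account required    pam_unix.so
EOF
for f in "$tmp/before" "$tmp/after"; do
    printf '== %s\n' "$f"
    check_tally_stack "$f" || printf 'FAIL (rc=%s)\n' "$?"
done
```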
This article is from the "Instant over" blog; please keep this source link: http://misliang.blog.51cto.com/6973084/1710403
Ubuntu: the pam_tally2 counter increasing on every sudo is a bug