Alright... I think we've made progress but still nothing.

-- start /etc/pam.d/sshd --
#%PAM-1.0
auth       include      system-auth
auth       required     pam_tally.so onerr=fail deny=3
auth       required     pam_env.so
auth       required     pam_unix.so nullok try_first_pass
auth       requisite    pam_succeed_if.so uid >= 500 quiet
account    required     pam_nologin.so
account    include      system-auth
account    required     pam_tally.so
password   include      system-auth
session    include      system-auth
session    required     pam_loginuid.so
-- end sshd --

-- start /etc/pam.d/system-auth --
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
password    requisite     pam_cracklib.so retry=3
password    sufficient    pam_unix.so md5 nullok try_first_pass use_authtok
password    required      pam_deny.so
session     required      pam_limits.so
session     required      pam_unix.so
-- end system-auth --

-- start /etc/pam.d/system-auth.rpmnew --
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass nullok
auth        required      pam_deny.so
account     required      pam_unix.so
password    required      pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so try_first_pass use_authtok nullok md5 shadow
password    required      pam_deny.so
session     required      pam_limits.so
session     required      pam_unix.so
-- end system-auth.rpmnew --

This is now my current (revised) setup. SSH will still let me login after many, many fails.

I noticed the .rpmnew file, should I be using that one?

Thanks!
Firewing1

From: Darren Tucker <dtucker@xxxxxxxxxx>
Reply-To: dtucker@xxxxxxxxxx, Pluggable Authentication Modules <pam-list@xxxxxxxxxx>
To: Pluggable Authentication Modules <pam-list@xxxxxxxxxx>
Subject: Re: pam_tally & SSH not working properly at all -- FC5T3 w/ pam 0.99
Date: Mon, 6 Mar 2006 15:07:00 +1100

On Sun, Mar 05, 2006 at 11:30:57AM -0500, Stewart Adam wrote:
> /etc/pam.d/system-auth file:
> -- start --
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        required      pam_deny.so
[...]
> Do I have to change them to "Required"?

Just blindly changing "sufficient" to "required" won't do what you want
since the "required pam_deny.so" will mean that you will end up disallowing
all authentications.

> Or would I be able to make it so that I tell my system to use pam_tally
> for everything, but it will only block SSH?

The safest thing to do is probably constructing a sshd PAM config file that
does what you want starting with a copy of system-auth. Something like this
for the auth section ought to work (untested):

auth        required      pam_env.so
auth        required      pam_unix.so nullok try_first_pass
auth        required      pam_tally.so
auth        requisite     pam_succeed_if.so uid >= 500 quiet

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
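
The control-flag behaviour discussed in this thread, as an added example that is not part of either message and is not Linux-PAM code: a simplified evaluator for the "required", "requisite" and "sufficient" flags, run over the auth stacks quoted above. It assumes that "include" lines are evaluated as part of the including stack, reduces every module to pass/fail, and uses a constructed stand-in for pam_tally that fails once the tally exceeds deny.

```python
# Simplified model of PAM control flags; module results are reduced to
# pass/fail and the pam_tally check is a constructed stand-in (assumption).
MODULES = {
    "pam_env": lambda c: True,
    "pam_unix": lambda c: c["password_ok"],
    "pam_succeed_if": lambda c: c["uid"] >= 500,
    "pam_deny": lambda c: False,
    "pam_tally": lambda c: c["tally"] <= c["deny"],
}

def run_stack(stack, ctx):
    """Return (authenticated, modules_invoked) for a list of (control, module)."""
    invoked, required_failed, any_ok = [], False, False
    for control, module in stack:
        ok = MODULES[module](ctx)
        invoked.append(module)
        if control == "requisite" and not ok:
            return False, invoked        # failure ends the stack at once
        if control == "sufficient":
            if ok and not required_failed:
                return True, invoked     # success ends the stack at once
            continue                     # a failed "sufficient" is ignored
        required_failed |= not ok        # "required": note failure, keep going
        any_ok |= ok
    return (any_ok and not required_failed), invoked

# system-auth auth lines from the thread followed by the pam_tally line of
# the revised sshd file ("include" flattened into one stack).
INCLUDE_THEN_TALLY = [
    ("required", "pam_env"), ("sufficient", "pam_unix"),
    ("requisite", "pam_succeed_if"), ("required", "pam_deny"),
    ("required", "pam_tally"),
]
# "sufficient" blindly changed to "required": pam_deny is now always reached.
BLIND_REQUIRED = [
    ("required", "pam_env"), ("required", "pam_unix"),
    ("requisite", "pam_succeed_if"), ("required", "pam_deny"),
]
# Auth section suggested in the reply.
SUGGESTED = [
    ("required", "pam_env"), ("required", "pam_unix"),
    ("required", "pam_tally"), ("requisite", "pam_succeed_if"),
]
# Constructed input: correct password, uid 500, five failures already tallied.
LOCKED = {"password_ok": True, "uid": 500, "tally": 5, "deny": 3}

if __name__ == "__main__":
    for name in ("INCLUDE_THEN_TALLY", "BLIND_REQUIRED", "SUGGESTED"):
        print(name, run_stack(globals()[name], LOCKED))
```

In this model a correct password ends the first stack at the "sufficient" pam_unix line, so the tally check is only reached on failed attempts; the suggested stack consults pam_tally on every attempt.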