User does not locked

Carme Torca · ‎06-25-2013

I have this configuration on the server:

# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

auth required pam_env.so
auth required pam_tally2.so deny=3 onerr=fail
auth sufficient pam_unix.so try_first_pass
auth required pam_deny.so

account required pam_unix.so
account required pam_tally2.so
account required pam_permit.so

password required pam_cracklib.so retry=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 minlen=8
password sufficient pam_unix.so md5 shadow try_first_pass use_authtok remember=10
password required pam_deny.so

session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet
session required pam_unix.so

With: Red Hat Enterprise Linux Server release 5.8

In this configuration with deny=3, when one user put 3 wrong passwd the user locked.

It it possible to do that one user doesn't locked if they put 3 wrongs passwd?
How I do it?

Thanks a lot of!

Carmen.

Users are not too bad ;-)

Matti_Kurkela · ‎06-25-2013

Your configuration actually already has a good example in it:

session [success=1 default=ignore] pam_succeed_if.so service in crond quiet

This line will skip the next rule if the pam_succeed_if.so conditions match, otherwise it will do nothing.

So add a line just before the "auth ... pam_tally2.so" line, like this:

[...]
auth  [success=1 default=ignore] pam_succeed_if.so user in someuser quiet
auth required pam_tally2.so deny=3 onerr=fail
[...]

If you need to exclude more than one user from pam_tally2 processing, you can use a colon-separated list of usernames,

like this: "...pam_succeed_if.so user in user1:user2:user3".

Or you can create a group (for example "nolock") and set the pam_succeed_if condition like this: "... pam_succeed_if.so user ingroup nolock". Then add the users that should not be locked by pam_tally2 to the "nolock" group.

MK

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

User does not locked

User does not locked

Re: User does not locked