topic lock an user account in Operating System - Linux

lock an user account

Arun Jain — Mon, 02 Aug 2010 09:18:05 GMT

Hi All,

I have "Red Hat Enterprise Linux Server release 5.5 (Tikanga)" on an Itanium Machine.

I want to set user privilege such that when a user attempts certain amount of unsuccessful logins, his account gets locked.

Regards
Arun Jain

Re: lock an user account

Ishwar_1 — Mon, 02 Aug 2010 09:48:31 GMT

From GUI you can configure through "Users & Groups" Optin in Administrative Menu. Or from X Window use the Command system-config-users this will give you the menu based screen.

For Command Base Configuration follow the below link for reference.

http://www.cyberciti.biz/tips/rhel-centos-fedora-linux-log-failed-login.html

Re: lock an user account

bullz — Mon, 02 Aug 2010 12:00:21 GMT

Check out file /etc/pam.d/system-auth

and edit the below line

auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root deny=3

this defines that when the user trying to login with unsuccessful logins for 3 times, user gets locked.

To unlock faillog -r -a

Re: lock an user account

Wilfred Chau_1 — Mon, 02 Aug 2010 16:11:19 GMT

along with the pam settings. vi /etc/login.defs and change LOGIN_RETRIES from 5 to 3.

Re: lock an user account

bullz — Tue, 03 Aug 2010 14:08:24 GMT

Still the thread is not closed? Do u except some more, please post you view.

Re: lock an user account

Ishwar_1 — Wed, 04 Aug 2010 18:25:17 GMT

Configure Policy to track and log failed login attempt recoreds.

/var/log/faillog file were log gets generated.PAM Configuration to recored failed login attempts. Open /etc/pam.d/system-auth file:

[root@rac1 ishwar]# vi /etc/pam.d/system-auth

Append following 2 entry of pam_tally.so modules:

auth required pam_tally.so no_magic_root
account required pam_tally.so deny=3 no_magic_root lock_time=180

How to unlock the Lock Account
Syntax :-
/sbin/pam_tally: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]

[root@rac1 ishwar]# /sbin/pam_tally --user vivek --reset --quiet

How do I display all failed login attempts for user vivek?

[root@rac1 ishwar]# faillog -u vivek

Login Failures Maximum Latest On
vivek 3 0 12/19/07 14:12:53 -0600 64.11.xx.yy

Display faillog records for all users.
Use the -a option:

[root@rac1 ishwar]# faillog -a

How do I reset the counters of login failures?
The -r option can reset the counters of login failures or one record if used with the -u USERNAME option:

[root@rac1 ishwar]# faillog -r
[root@rac1 ishwar]# faillog -r -u vivek <-- only reset counter for vivek user

Re: lock an user account

Steven E. Protter — Wed, 04 Aug 2010 18:59:55 GMT

Shalom,

To do this, you will need to write a shell script that checks output from lastb and issues a passwd -l command.

Or you can install a third party product like E-trust.

Or you can use a ldap/nis central login server that can be configured to this task.

Linux out of the box seems to just let bad logins go on, and on and on and on...etc

SEP