https://community.hpe.com/t5/operating-system-linux/user-does-not-locked/m-p/6113801#M54352 <P>I have this configuration on the server:</P><P><BR />#&nbsp; cat /etc/pam.d/system-auth<BR />#%PAM-1.0<BR /># This file is auto-generated.<BR /># User changes will be destroyed the next time authconfig is run.</P><P>auth required pam_env.so<BR />auth required pam_tally2.so deny=3 onerr=fail<BR />auth sufficient pam_unix.so try_first_pass<BR />auth required pam_deny.so</P><P>account required pam_unix.so<BR />account required pam_tally2.so<BR />account required pam_permit.so</P><P>password required pam_cracklib.so retry=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 minlen=8<BR />password sufficient pam_unix.so md5 shadow try_first_pass use_authtok remember=10<BR />password required pam_deny.so</P><P>session required pam_limits.so<BR />session [success=1 default=ignore] pam_succeed_if.so service in crond quiet<BR />session required pam_unix.so</P><P><BR />With: Red Hat Enterprise Linux Server release 5.8</P><P>&nbsp;</P><P>In this configuration with deny=3, when one user put 3 wrong passwd the user locked.</P><P>&nbsp;</P><P>It it possible to do that one user doesn't locked if they put 3 wrongs passwd?<BR />How I do it?</P><P>&nbsp;</P><P>Thanks a lot of!</P><P>Carmen.</P> Tue, 25 Jun 2013 10:19:49 GMT Carme Torca 2013-06-25T10:19:49Z https://community.hpe.com/t5/operating-system-linux/user-does-not-locked/m-p/6113801#M54352 <P>I have this configuration on the server:</P><P><BR />#&nbsp; cat /etc/pam.d/system-auth<BR />#%PAM-1.0<BR /># This file is auto-generated.<BR /># User changes will be destroyed the next time authconfig is run.</P><P>auth required pam_env.so<BR />auth required pam_tally2.so deny=3 onerr=fail<BR />auth sufficient pam_unix.so try_first_pass<BR />auth required pam_deny.so</P><P>account required pam_unix.so<BR />account required pam_tally2.so<BR />account required pam_permit.so</P><P>password required pam_cracklib.so retry=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 minlen=8<BR />password sufficient pam_unix.so md5 shadow try_first_pass use_authtok remember=10<BR />password required pam_deny.so</P><P>session required pam_limits.so<BR />session [success=1 default=ignore] pam_succeed_if.so service in crond quiet<BR />session required pam_unix.so</P><P><BR />With: Red Hat Enterprise Linux Server release 5.8</P><P>&nbsp;</P><P>In this configuration with deny=3, when one user put 3 wrong passwd the user locked.</P><P>&nbsp;</P><P>It it possible to do that one user doesn't locked if they put 3 wrongs passwd?<BR />How I do it?</P><P>&nbsp;</P><P>Thanks a lot of!</P><P>Carmen.</P> Tue, 25 Jun 2013 10:19:49 GMT https://community.hpe.com/t5/operating-system-linux/user-does-not-locked/m-p/6113801#M54352 Carme Torca 2013-06-25T10:19:49Z https://community.hpe.com/t5/operating-system-linux/user-does-not-locked/m-p/6114923#M54353 <P>Your configuration actually already has a good example in it:</P><PRE>session [success=1 default=ignore] pam_succeed_if.so service in crond quiet</PRE><P>&nbsp;This line will skip the next rule if the pam_succeed_if.so conditions match, otherwise it will do nothing.</P><P>&nbsp;</P><P>So add a line just before the "auth ... pam_tally2.so" line, like this:</P><PRE>[...] auth [success=1 default=ignore] pam_succeed_if.so user in someuser quiet auth required pam_tally2.so deny=3 onerr=fail [...]</PRE><P>&nbsp;</P><P>If you need to exclude more than one user from pam_tally2 processing, you can use a colon-separated list of usernames,</P><P>like this: "...pam_succeed_if.so user in user1:user2:user3".</P><P>&nbsp;</P><P>Or you can create a group (for example "nolock") and set the pam_succeed_if condition like this: "... pam_succeed_if.so user ingroup nolock". Then add the users that should not be locked by pam_tally2 to the "nolock" group.</P> Wed, 26 Jun 2013 05:07:29 GMT https://community.hpe.com/t5/operating-system-linux/user-does-not-locked/m-p/6114923#M54353 Matti_Kurkela 2013-06-26T05:07:29Z