Community
System Administration
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Re: User does not locked

 
Carme Torca
Super Advisor

‎06-25-2013 03:19 AM

‎06-25-2013 03:19 AM

User does not locked

I have this configuration on the server:


#  cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

auth required pam_env.so
auth required pam_tally2.so deny=3 onerr=fail
auth sufficient pam_unix.so try_first_pass
auth required pam_deny.so

account required pam_unix.so
account required pam_tally2.so
account required pam_permit.so

password required pam_cracklib.so retry=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 minlen=8
password sufficient pam_unix.so md5 shadow try_first_pass use_authtok remember=10
password required pam_deny.so

session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet
session required pam_unix.so


With: Red Hat Enterprise Linux Server release 5.8

 

In this configuration with deny=3, when one user put 3 wrong passwd the user locked.

 

It it possible to do that one user doesn't locked if they put 3 wrongs passwd?
How I do it?

 

Thanks a lot of!

Carmen.

Users are not too bad ;-)
0 Kudos
Reply
1 REPLY 1
Matti_Kurkela
Honored Contributor

‎06-25-2013 10:07 PM

‎06-25-2013 10:07 PM

Re: User does not locked

Your configuration actually already has a good example in it:

session [success=1 default=ignore] pam_succeed_if.so service in crond quiet

 This line will skip the next rule if the pam_succeed_if.so conditions match, otherwise it will do nothing.

 

So add a line just before the "auth ... pam_tally2.so" line, like this:

[...]
auth  [success=1 default=ignore] pam_succeed_if.so user in someuser quiet
auth required pam_tally2.so deny=3 onerr=fail
[...]

 

If you need to exclude more than one user from pam_tally2 processing, you can use a colon-separated list of usernames,

like this: "...pam_succeed_if.so user in user1:user2:user3".

 

Or you can create a group (for example "nolock") and set the pam_succeed_if condition like this: "... pam_succeed_if.so user ingroup nolock". Then add the users that should not be locked by pam_tally2 to the "nolock" group.

MK
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.