cancel
Showing results for 
Search instead for 
Did you mean: 

User does not locked

Carme Torca
Super Advisor

User does not locked

I have this configuration on the server:


#  cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

auth required pam_env.so
auth required pam_tally2.so deny=3 onerr=fail
auth sufficient pam_unix.so try_first_pass
auth required pam_deny.so

account required pam_unix.so
account required pam_tally2.so
account required pam_permit.so

password required pam_cracklib.so retry=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 minlen=8
password sufficient pam_unix.so md5 shadow try_first_pass use_authtok remember=10
password required pam_deny.so

session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet
session required pam_unix.so


With: Red Hat Enterprise Linux Server release 5.8

 

In this configuration with deny=3, when one user put 3 wrong passwd the user locked.

 

It it possible to do that one user doesn't locked if they put 3 wrongs passwd?
How I do it?

 

Thanks a lot of!

Carmen.

Users are not too bad ;-)
1 REPLY
Matti_Kurkela
Honored Contributor

Re: User does not locked

Your configuration actually already has a good example in it:

session [success=1 default=ignore] pam_succeed_if.so service in crond quiet

 This line will skip the next rule if the pam_succeed_if.so conditions match, otherwise it will do nothing.

 

So add a line just before the "auth ... pam_tally2.so" line, like this:

[...]
auth  [success=1 default=ignore] pam_succeed_if.so user in someuser quiet
auth required pam_tally2.so deny=3 onerr=fail
[...]

 

If you need to exclude more than one user from pam_tally2 processing, you can use a colon-separated list of usernames,

like this: "...pam_succeed_if.so user in user1:user2:user3".

 

Or you can create a group (for example "nolock") and set the pam_succeed_if condition like this: "... pam_succeed_if.so user ingroup nolock". Then add the users that should not be locked by pam_tally2 to the "nolock" group.

MK