cancel
Showing results for 
Search instead for 
Did you mean: 

lock an user account

Arun Jain
Frequent Advisor

lock an user account

Hi All,

I have "Red Hat Enterprise Linux Server release 5.5 (Tikanga)" on an Itanium Machine.

I want to set user privilege such that when a user attempts certain amount of unsuccessful logins, his account gets locked.

Regards
Arun Jain
speak less say more
6 REPLIES
Ishwar_1
Frequent Advisor

Re: lock an user account

From GUI you can configure through "Users & Groups" Optin in Administrative Menu. Or from X Window use the Command system-config-users this will give you the menu based screen.

For Command Base Configuration follow the below link for reference.

http://www.cyberciti.biz/tips/rhel-centos-fedora-linux-log-failed-login.html
bullz
Super Advisor

Re: lock an user account

Check out file /etc/pam.d/system-auth

and edit the below line

auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root deny=3

this defines that when the user trying to login with unsuccessful logins for 3 times, user gets locked.

To unlock faillog -r -a
Wilfred Chau_1
Respected Contributor

Re: lock an user account

along with the pam settings. vi /etc/login.defs and change LOGIN_RETRIES from 5 to 3.
bullz
Super Advisor

Re: lock an user account

Still the thread is not closed? Do u except some more, please post you view.
Ishwar_1
Frequent Advisor

Re: lock an user account

Configure Policy to track and log failed login attempt recoreds.

/var/log/faillog file were log gets generated.PAM Configuration to recored failed login attempts. Open /etc/pam.d/system-auth file:

[root@rac1 ishwar]# vi /etc/pam.d/system-auth

Append following 2 entry of pam_tally.so modules:

auth required pam_tally.so no_magic_root
account required pam_tally.so deny=3 no_magic_root lock_time=180


How to unlock the Lock Account
Syntax :-
/sbin/pam_tally: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]

[root@rac1 ishwar]# /sbin/pam_tally --user vivek --reset --quiet


How do I display all failed login attempts for user vivek?

[root@rac1 ishwar]# faillog -u vivek

Login Failures Maximum Latest On
vivek 3 0 12/19/07 14:12:53 -0600 64.11.xx.yy

Display faillog records for all users.
Use the -a option:

[root@rac1 ishwar]# faillog -a

How do I reset the counters of login failures?
The -r option can reset the counters of login failures or one record if used with the -u USERNAME option:

[root@rac1 ishwar]# faillog -r
[root@rac1 ishwar]# faillog -r -u vivek <-- only reset counter for vivek user



Steven E. Protter
Exalted Contributor

Re: lock an user account

Shalom,

To do this, you will need to write a shell script that checks output from lastb and issues a passwd -l command.

Or you can install a third party product like E-trust.

Or you can use a ldap/nis central login server that can be configured to this task.

Linux out of the box seems to just let bad logins go on, and on and on and on...etc

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com