HPE Community
Operating System - Linux
1752351 Members
5331 Online
108787 Solutions
New Discussion юеВ

Re: pam_tally entries in /etc/pam.d/system-auth

 
SOLVED
Go to solution
MikeL_4
Super Advisor

тАО02-15-2008 05:35 PM

тАО02-15-2008 05:35 PM

pam_tally entries in /etc/pam.d/system-auth

I need to add two lines at our autitors suggestion to several servers in our Red Hat Linux environmnet..

auth required /lib/security/pam_tally.so onerr=fail no_magic_root
account required /lib/security/pam_tally.so deny=3 no_magic_root reset

Do these lines have to be grouped with the other "auth" and "account" lines in the file, or can I just append them to the end of the file ????

To append would be alot easier to do than to figure out the line to add the new lines to the file and insert them..

Thanks
0 Kudos
4 REPLIES 4
Matti_Kurkela
Honored Contributor

тАО02-16-2008 03:54 AM

тАО02-16-2008 03:54 AM

Solution

Re: pam_tally entries in /etc/pam.d/system-auth

The most accurate possible answer would be: it depends on your existing configuration.

See: http://www.linux.com/articles/113567

In short, if you have lines beginning with "auth requisite" and/or "account requisite", the ordering will affect which failures are counted and which are not.

Suggestion: learn to use the "diff" and "patch" tools.

For example:
# cp /etc/pam.d/system-auth /etc/pam.d/system-auth.backup
# vi /etc/pam.d/system-auth
# cd /
# diff -u /etc/pam.d/system-auth.backup /etc/pam.d/system-auth >/tmp/pam-settings-change.patch

Now copy /tmp/pam-settings-change.patch to another host, and run:
# cd /
# patch -p0
...and the "patch" tool will apply the change you made on the first host to the second host.
Repeat with 98 other hosts :-)

MK
MK
0 Kudos
MikeL_4
Super Advisor

тАО02-17-2008 11:38 AM

тАО02-17-2008 11:38 AM

Re: pam_tally entries in /etc/pam.d/system-auth

Tried and received the following error:

[root-(OASIS) ~]# patch -p0 patching file /etc/pam.d/system-auth
Hunk #1 FAILED at 4.
1 out of 1 hunk FAILED -- saving rejects to file /etc/pam.d/system-auth.rej
[root-(OASIS) ~]#
0 Kudos
Matti_Kurkela
Honored Contributor

тАО02-19-2008 03:18 AM

тАО02-19-2008 03:18 AM

Re: pam_tally entries in /etc/pam.d/system-auth

That means the "patch" tool did not find a matching location to add the lines. As there was only one set of changes to apply and that one set failed, the rejects file will essentially be a copy of the pam-settings-change.patch file. No changes was made to the /etc/pam.d/system-auth, although the patch tool might have already made a backup with the name /etc/pam.d/system-auth.orig.

The contents of the /etc/pam.d/system-auth file on your first host must be significantly different from the one in the second host. In that case, there is really no reliable way to apply the change automatically.

MK
MK
0 Kudos
MikeL_4
Super Advisor

тАО02-19-2008 09:44 AM

тАО02-19-2008 09:44 AM

Re: pam_tally entries in /etc/pam.d/system-auth

Thanks
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.