Operating System - HP-UX

Account Locked message from PAM

 
ian Dennison
Regular Advisor

Account Locked message from PAM

Have a problem, in that I can lock an account but not get warned about it in the log files.

We are using PAM authentification, but I cannot find anything in the man pages or forums about this. Any hints on how to get account lockouts reported into syslog?

Thanks, Ian
Lets do it to them before they do it to us! www.fred.net.nz
5 REPLIES
Andrew Cowan
Honored Contributor

Re: Account Locked message from PAM

HI Ian,

I've been trying to do this kind of thing and on AIX the answer is:
To enable PAM debug output, follow these steps:
1. Create an empty file named "/etc/pam_debug". The PAM library checks for the existence of the "/etc/pam_debug" file. If found, it enables syslog output.
# touch /etc/pam_debug
2. Edit the "/etc/syslog.conf" file to contain the appropriate entries for the desired levels of messages. To capture debug information for authentication calls, use auth.debug and send the output to a file. The following example line in the "syslog.conf" file sends the authentication debug information to a file:
auth.debug /tmp/syslog_auth.log
3. Restart the syslogd daemon so that the configuration changes made in "/etc/syslogd.conf" are recognized:

I think that this should work in
Andrew Cowan
Honored Contributor

Re: Account Locked message from PAM

I don't know why but my message has got a little corrupted when I did the post, but hopefully HP-UX should work in a very similar way?

Good luck,
Andrew
ian Dennison
Regular Advisor

Re: Account Locked message from PAM

Andrew,

Thanks for the pointers. I changed the config but have still been unable to get "user locked" error messages. Thanks for your input.

Cheers, ian
Lets do it to them before they do it to us! www.fred.net.nz
Andrew Cowan
Honored Contributor

Re: Account Locked message from PAM

Hi Ian,

Sorry for the delay, however I have found the following web pages that maybe of use:
http://archives.neohapsis.com/archives/pam-list/2000-12/0079.html
http://publib.boulder.ibm.com/tividd/td/ITAMOS/SC23-4828-00/en_US/HTML/PROBmst30.htm

The crux seems to be:
For example, to turn on all tracing for the auth module for the login application on HP-UX, edit the file /etc/lpm.conf and change from

login auth required /usr/lib/security/libpam_pdos.1

to

login auth required /usr/lib/security/libpam_pdos.1 0xffffffff

Edit the /etc/syslog.conf file and specify the location where the syslog daemon should write debug messages.
For example, to write trace output to the file /var/pdos/lpm.dbg, add the following line to /etc/syslog.conf:

*.debug /var/pdos/lpm.dbg


I hope this helps,
Andrew
Sridhar Bhaskarla
Honored Contributor

Re: Account Locked message from PAM

Ian,

You can enable the debug option in /etc/pam.conf and configure your syslog.conf to receive debug messages. For example, the following is the entry in /etc/pam.conf:

login auth required /usr/lib/security/libpam_unix.1 debug

The entry in syslog.conf would be
*.debug /var/adm/syslog/syslog.log

or modify it to wherever you want the debug information to go.

Restart the syslogd daemon. You should see messages like

Feb 17 09:18:09 monalisa login: pam_acct_mgmt: error Account is disabled - see Account Administrator

One caveat is that it won't show the account that got disabled. :-(

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
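The reply above gives the syslog line that a locked account produces once the debug option is set, and notes that the line does not carry the account name. The following script is an added example, not code from this thread or from HP-UX: it parses syslog lines of the quoted form, picks out the pam_acct_mgmt "Account is disabled" events, and tallies them per host and program (the only fields the message offers, given that caveat). It also checks /etc/pam.conf-style entries for a service that still lack the debug option, so the logging gap the thread is about can be spotted before it matters. The sample log lines and pam.conf content are constructed here for the demonstration; the sshd line in particular is an assumed example of another PAM-aware service, not output quoted in the thread.

```python
import re
from collections import Counter

# Constructed sample syslog lines, modelled on the message format quoted in the thread.
SAMPLE_SYSLOG = """\
Feb 17 09:17:55 monalisa login: pam_authenticate: error Authentication failed
Feb 17 09:18:09 monalisa login: pam_acct_mgmt: error Account is disabled - see Account Administrator
Feb 17 09:18:41 monalisa sshd[1234]: pam_acct_mgmt: error Account is disabled - see Account Administrator
Feb 17 09:20:02 monalisa cron[99]: (root) CMD (/usr/bin/true)
"""

# Constructed /etc/pam.conf fragment; the field layout follows the entry quoted in the thread:
# service  module_type  control_flag  module_path  [options]
SAMPLE_PAM_CONF = """\
# sample only
login   auth     required  /usr/lib/security/libpam_unix.1 debug
login   account  required  /usr/lib/security/libpam_unix.1
dtlogin auth     required  /usr/lib/security/libpam_unix.1
"""

# Classic BSD syslog layout: "Mon dd HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# The lockout message as shown in the thread; it names no account, only the condition.
LOCKOUT_RE = re.compile(r"pam_acct_mgmt: error Account is disabled")


def parse_syslog_line(line):
    """Split one syslog line into its fields, or return None if it does not fit the layout."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def find_lockout_events(text):
    """Return the parsed records for every line that reports a disabled (locked) account."""
    events = []
    for line in text.splitlines():
        rec = parse_syslog_line(line)
        if rec and LOCKOUT_RE.search(rec["msg"]):
            events.append(rec)
    return events


def lockouts_per_source(events):
    """Count lockout events by (host, program): the account name is absent from the message,
    so host and the PAM client program are the finest keys available for alerting."""
    return Counter((e["host"], e["prog"]) for e in events)


def pam_entries_missing_debug(pam_conf_text, service="login", module_type="auth"):
    """Return the pam.conf entries for the given service and module type that lack the
    'debug' option, i.e. the services whose lockouts would not reach syslog."""
    missing = []
    for raw in pam_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:                   # not a well-formed entry
            continue
        svc, mtype, _control, _module, *opts = fields
        if svc == service and mtype == module_type and "debug" not in opts:
            missing.append(line)
    return missing


if __name__ == "__main__":
    events = find_lockout_events(SAMPLE_SYSLOG)
    for (host, prog), n in sorted(lockouts_per_source(events).items()):
        print(f"{host} {prog}: {n} account-lockout message(s)")
    for entry in pam_entries_missing_debug(SAMPLE_PAM_CONF, service="dtlogin"):
        print("no debug option:", entry)
```

Run it against a real syslog file by reading the file into `find_lockout_events`; because the message carries no account name, pair an alert with the login records around the same timestamp on that host to identify the user.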