
Re: how to set password & Account lockout policies

 
Sharfuddin
Frequent Advisor

how to set password & Account lockout policies

Hi to All
I want to set Account Lockout policies, so please let me know how I can

1, lock the account in case of three bad logins
2, restrict the user to a particular terminal, say a user 'user1' can only log on on tty1, but can't log on on tty2.

I also want to set Password policies; how can I set
1, Password must be of six characters, and complex.
2, Maximum Password age (i.e. number of days after which the password must expire)
3, Minimum Password age (i.e. no user can change his/her password before this time)
4, Password History (i.e. keep password history, so that none of the previous three passwords can be set/implemented)

please help me so that I can set Account and password policies on my Linux box (RedHat).
Thanks in anticipation
Steven E. Protter
Exalted Contributor

There is a GUI linuxconf program in Red Hat that will allow you to set all these policies centrally for all or any users.

You click the account name and change the policies.

All of this can also be done from the passwd command. man passwd and you can set any of these policies for any user.

Attaching the man page.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Alexander Chuzhoy
Honored Contributor

For minimum password length edit the file /etc/login.defs.

To restrict the account to login from specific terminals you must use a PAM module.

The file to edit is /etc/security/access.conf

and you must add a line:
auth required pam_access.so

to a file called /etc/pam.d/login

Sharfuddin
Frequent Advisor

Dear SEP, unfortunately I don't have linuxconf installed on my system; I'm running RHL 8.0.
For various password policies I followed you (passwd command), and managed to lock/unlock user accounts etc. Thanks, and so nice of you. And could you please let me know how you sent the 'man passwd' page? I have no idea how to copy and/or send (as an attachment, as you did) the man pages.

Dear Alexander, you did a great job; I can now handle various password policies via editing /etc/login.defs. But unfortunately I can't manage to restrict the account to login from specific terminals. As per your instructions I did:

1, edit /etc/security/access.conf (at the bottom I added the following lines):

+:user1:tty1 tty2 #now 'user1' can login to tty1 and tty2.
-:user1:tty3 tty4 tty5 #now 'user1' can't login to tty3 tty4 tty5.

2, edit /etc/pam.d/login, so that I added the line
auth required /lib/security/pam_securetty.so

After committing these two steps, I tried to login to tty2 and tty1 as 'user1', but failed.

Then I tried to login as root on tty2; failed. In fact what happens is that no user can login to any tty; even root can't login to any tty. So I had to remove the line
'auth required /lib/security/pam_securetty.so' from /etc/pam.d/login.
So please help, and let me know what I did wrong??

One thing left to ask: what do I have to do if I want to implement the Account policy as follows:
If a user tries to login on any terminal and provides the wrong password three times, his/her account would be locked automatically for 30 min, so that he/she has to wait for 30 min, or ask root to unlock his/her account.
Alexander Chuzhoy
Honored Contributor

The line you were supposed to add to the file
/etc/pam.d/login
is
auth required pam_access.so
and not
auth required /lib/security/pam_securetty.so

Then it will work.

Which reminds me - let us know if it will...
Mobeen_1
Esteemed Contributor

I'm not sure if you have the GUI to carry out these tasks. Anyway, you can do most if not all of the tasks listed using the passwd command. Just look into help/man on passwd.

As far as restricting access and other stuff goes, our colleagues have already posted in prior posts as to how to go about doing it.

regards
Mobeen
Sharfuddin
Frequent Advisor

Alexander, I still failed to achieve the target.

I added the following line in /etc/pam.d/login

auth required pam_access.so

Now after adding the above line, no one can login to any tty; even root can't login to any tty.

I added the following lines to /etc/security/access.conf
+:user1:tty1 tty2
-:user1:tty3 tty4 tty5

Here is my /etc/pam.d/login:

#%PAM-1.0
auth required pam_access.so # I also tried it as /lib/security/pam_access.so
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so

Here is my /etc/security/access.conf:

# Login access control table.
#
# When someone logs in, the table is scanned for the first entry that
# matches the (user, host) combination, or, in case of non-networked
# logins, the first entry that matches the (user, tty) combination. The
# permissions field of that table entry determines whether the login will
# be accepted or refused.
#
# Format of the login access control table is three fields separated by a
# ":" character:
#
#     permission : users : origins
#
# The first field should be a "+" (access granted) or "-" (access denied)
# character.
#
# The second field should be a list of one or more login names, group
# names, or ALL (always matches). A pattern of the form user@host is
# matched when the login name matches the "user" part, and when the
# "host" part matches the local machine name.
#
# The third field should be a list of one or more tty names (for
# non-networked logins), host names, domain names (begin with "."), host
# addresses, internet network numbers (end with "."), ALL (always
# matches) or LOCAL (matches any string that does not contain a "."
# character). If you run NIS you can use @netgroupname in host or user
# patterns; this even works for @usergroup@@hostgroup patterns. Weird.
#
# The EXCEPT operator makes it possible to write very compact rules.
#
# The group file is searched only when a name does not match that of the
# logged-in user. Both the user's primary group is matched, as well as
# groups in which users are explicitly listed.
#
##############################################################################
#
# Disallow console logins to all but a few accounts.
#
#-:ALL EXCEPT wheel shutdown sync:LOCAL
#
# Disallow non-local logins to privileged accounts (group wheel).
#
#-:wheel:ALL EXCEPT LOCAL .win.tue.nl
#
# Some accounts are not allowed to login from anywhere:
#
#-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
#
# All other accounts are allowed to login from anywhere.
#
+:user1:tty1 tty2
-:user1:tty3 tty4 tty5

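As an added example (not code from the thread or from Linux-PAM), here is a small evaluator for the access.conf rules quoted above, implementing the first-match semantics the file's own header describes (ALL, LOCAL, EXCEPT, leading-dot domains, trailing-dot network prefixes). Group membership is passed in as a constructed dict instead of reading /etc/group, and stripping of inline `#` comments is an assumption of this model.

```python
"""Evaluate /etc/security/access.conf rules the way pam_access does."""
# Added example, not code from the thread or from Linux-PAM.

def _split_except(field):
    """'a b EXCEPT c' -> (['a', 'b'], ['c'])."""
    tokens = field.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []

def _user_matches(pattern, user, groups):
    # groups: constructed {group: set(members)} standing in for /etc/group
    return pattern == "ALL" or pattern == user or user in groups.get(pattern, ())

def _origin_matches(pattern, origin):
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":          # anything without a '.', e.g. tty names
        return "." not in origin
    if pattern.startswith("."):     # domain suffix such as .example.com
        return origin.endswith(pattern)
    if pattern.endswith("."):       # network prefix such as 192.168.
        return origin.startswith(pattern)
    return pattern == origin        # exact tty, host name or address

def _field_matches(field, value, matcher):
    members, exceptions = _split_except(field)
    return (any(matcher(p, value) for p in members)
            and not any(matcher(p, value) for p in exceptions))

def access_allowed(conf_text, user, origin, groups=None):
    """First matching rule decides; '+' allows, '-' denies."""
    groups = groups or {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments (assumption: inline too)
        parts = [f.strip() for f in line.split(":", 2)]
        if not line or len(parts) != 3:
            continue
        perm, users, origins = parts
        if (_field_matches(users, user, lambda p, u: _user_matches(p, u, groups))
                and _field_matches(origins, origin, _origin_matches)):
            return perm == "+"
    return True   # no entry matched: pam_access grants access

# Constructed sample: the two rules from the post above, plus a catch-all
# deny the post lacks, so user1 cannot log in on tty6 or over the network.
THREAD_RULES = "+:user1:tty1 tty2\n-:user1:tty3 tty4 tty5\n"
HARDENED_RULES = THREAD_RULES + "-:user1:ALL\n"
```

With only the two rules from the post, user1 on a tty that neither line names (tty6, or a network login) is let in, because pam_access allows when no entry matches; the HARDENED_RULES variant closes that gap with a final deny.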
Alexander Chuzhoy
Honored Contributor

I'm sorry for leading you wrong - I have a newer version of Red Hat, so ...
Just checked on Red Hat 8, so the mistake was to include the auth required line.

What you must do is to add
account required /lib/security/pam_access.so

then it'll work --- see the example file below.
In newer versions of Red Hat they removed the path to the *.so file, so I advised you wrong - sorry again, but now it'll work.


auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_access.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
Sharfuddin
Frequent Advisor

Thanks a million Alexander, I achieved the target by following you.
In fact what I was doing wrong is that instead of 'account' I was writing 'auth' in /etc/pam.d/login

auth required pam_access.so

instead of

account required pam_access.so

And also I tried it just as I wrote above, i.e. just 'pam_access.so' and not *.pam_access.so, and it works, i.e. the absolute path is not required, even in RHL 8.0.

One thing remains: what do I have to do if I want to implement the Account policy as follows:
If a user tries to login on any terminal and provides the wrong password three times, his/her account would be locked automatically for 30 min, so that he/she has to wait for 30 min, or ask root to unlock his/her account.

pls help
Alexander Chuzhoy
Honored Contributor

Add those lines in the proper places (I mean auth with auth and account with account) to a file
called /etc/pam.d/system-auth

auth required /lib/security/pam_tally.so onerr=fail no_magic_root

account required /lib/security/pam_tally.so deny=2 no_magic_root reset

The command:
faillog -u username -r

will unlock the user...

If you run the authconfig command after editing this file, it'll reset it to defaults - so avoid running it....
Alexander Chuzhoy
Honored Contributor

Forgot to mention:
deny=2 means to lock the account after 2 attempts.
Adjust it to your needs...
Best Regards...
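As an added example (not code from the thread or from Linux-PAM), the following Python model replays the pam_tally lockout configured in the two posts above: the auth line bumps the per-user tally, the account line refuses the login once the tally exceeds deny=N, `reset` clears it on a successful login, and `faillog -u USER -r` corresponds to `unlock_user()`. It assumes the pam_tally auth line runs before the password-checking module, so every attempt is counted before the password is verified, and it makes visible that nothing in this setup unlocks the account by itself after a timeout.

```python
"""Model of the pam_tally lockout configured in the posts above."""
# Added example, not code from the thread or from Linux-PAM: it mimics
# the documented pam_tally behaviour, with a dict standing in for
# /var/log/faillog.

class PamTally:
    def __init__(self, deny, no_magic_root=True, reset=True):
        self.deny = deny                    # deny=N on the account line
        self.no_magic_root = no_magic_root  # count and deny root too
        self.reset = reset                  # clear the tally on success
        self.tally = {}                     # per-user attempt counter

    def _magic_root(self, user):
        # Without no_magic_root, root is neither counted nor denied.
        return user == "root" and not self.no_magic_root

    def login(self, user, password_ok):
        """One login attempt: auth phase, then account phase."""
        # auth: pam_tally.so bumps the tally before the password check,
        # so every attempt counts, not just the failed ones.
        if not self._magic_root(user):
            self.tally[user] = self.tally.get(user, 0) + 1
        if not password_ok:                 # pam_unix rejects; stack stops
            return "auth failed"
        # account: refuse once the tally exceeds deny=N.
        if self.tally.get(user, 0) > self.deny and not self._magic_root(user):
            return "account locked"
        if self.reset:
            self.tally[user] = 0
        return "ok"

    def unlock_user(self, user):
        """What 'faillog -u USER -r' does: reset the counter to 0."""
        self.tally[user] = 0

def lockout_sequence(deny, attempts):
    """Replay (user, password_ok) attempts and return the outcomes."""
    pam = PamTally(deny=deny)
    return [pam.login(user, ok) for user, ok in attempts]
```

With deny=2, two wrong passwords leave the tally at 2, and the third attempt is refused even with the correct password; the account stays that way until root resets the counter.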
Sharfuddin
Frequent Advisor

Re: how to set password & Accout lockout policies

I achieved my target 100%. THANK YOU, THE GREAT ALEXANDER, for your continuous feedback.
Would you please define what 'no_magic_root', 'onerr=fail' and 'no_magic_root reset' are?
And please let me know, if a user's account is locked and the user decides to wait rather than ask root to unlock his/her account, then how long does the user have to wait, i.e. how long (time) does the account remain locked?
Alexander Chuzhoy
Honored Contributor
Solution

Hey Sharfuddin. Nice to "hear" such warm words .... Here it goes...

SUMMARY:
pam_tally:
Maintains a count of attempted accesses, can reset count on success,
can deny access if too many attempts fail.
Options:
* onerr=[succeed|fail] (if something weird happens
such as unable to open the file, what to do?)
* file=/where/to/keep/counts (default /var/log/faillog)

(auth)
* no_magic_root (root DOES increment counter. Use for
daemon-based stuff, like telnet/rsh/login)

(account)
* deny=n (deny access if tally for this user exceeds n;
The presence of deny=n changes the default for
reset/no_reset to reset, unless the user trying to
gain access is root and the no_magic_root option
has NOT been specified.)

* no_magic_root (access attempts by root DON'T ignore deny.
Use this for daemon-based stuff, like telnet/rsh/login)
* even_deny_root_account (Root can become unavailable. BEWARE.
Note that magic root trying to gain root bypasses this,
but normal users can be locked out.)

* reset (reset count to 0 on successful entry, even for
magic root)
* no_reset (don't reset count on successful entry)
This is the default unless deny exists and the
user attempting access is NOT magic root.

Also checks to make sure that the list file is a plain
file and not world writable.

eg: