Hello,
On Mon, Jul 24, 2006 at 10:35:44PM +0200, Michelle Konzack wrote:
>
> I have been using "faillog" for many years because I need it for a security
> policy to block users after 5 false logins. I have never checked it,
> because it WAS working in Potato and Woody from scratch...
>
> Now I had a problem with hack attempts and encountered that the file
> /var/log/faillog is missing...
I don't think Sarge's login supports faillog (even if there is a
FAILLOG_ENAB variable in /etc/login.defs). This was reintroduced in
Etch.
> After reading the documentation from "shadow" I have found nothing.
> After several hours of search I have found the pam-module "tally"
> which is responsible for writing the file /var/log/faillog.
>
> OK, I have edited the /etc/pam.d/login to use pam_tally.so:
>
> auth required pam_tally.so onerr=fail;deny=10;per_user;no_lock_time
As an auth module, only onerr=fail is supported.
no_magic_root is also necessary. Otherwise, the counter is not modified
when the service is called by root (which is the case of login).
pam_tally.so must also be used as an account module:
account required pam_tally.so deny=10 reset no_magic_root
I think pam_tally should be used as the first auth module and as the last
account module.
> with variation of
> auth required pam_tally.so onerr=fail; deny=10; per_user; no_lock_time
> and
> auth required pam_tally.so onerr=fail deny=10 per_user no_lock_time
The 3 variations should be equivalent.
> and the used
>
> faillog -a m 5
It should be:
faillog -a -m 5
(it must be a typo since your max failures is set to 5 in the log below)
> faillog -u root -m 0
>
> which should work. But after some tries I have encountered that the
> fail_count is not increased. It stays at 0 (zero) every time.
Last time I tried (1 year ago, i.e. libpam-modules 0.76-23), pam_tally
worked.
Note that when a user logs in, the "x failures since last login." message
will always indicate 0 failures.
> Here the output:
>
> ----8<--------------------------------------------------------------
>
> [EMAIL PROTECTED]:~ > faillog -a
> Username Failures Maximum Latest
> root 0 0 Mon Jul 24 20:42:33 +0200 2006 on
> michelle.konzack 0 5 Mon Jul 24 20:42:58 +0200 2006 on
> noor.nurani 0 5 Mon Jul 24 20:44:52 +0200 2006 on
> zelie.domeracki 0 5 Mon Jul 24 20:30:12 +0200 2006 on
> [EMAIL PROTECTED]:~ > ls -Al /var/log/faillog
> -rw------- 1 root adm 1572840 Jul 24 20:44 /var/log/faillog
>
> ----8<--------------------------------------------------------------
>
> So what's wrong with the module?
>
> The fail_file is updated at each failure.
>
> Is this a Bug?
>
> Or if this is a config error by me, what about putting this line
> commented out with a short description per default in the
> /etc/pam.d/login, which would be easier to use?
It conflicts with FAILLOG_ENAB.
The conflict could be indicated and the examples could be added, but maybe
this example could be better suited in the common-auth and common-account
files.
If it works, can you confirm and/or close this bug?
Kind Regards,
--
Nekral
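To check directly whether the counter in /var/log/faillog is being incremented, here is an added Python reader for the file (example code, not part of this thread or of shadow). It assumes the 24-byte little-endian layout of shadow's struct faillog on a 32-bit platform (short fail_cnt, short fail_max, char fail_line[12], time_t fail_time, long fail_locktime) indexed by UID; the 1572840-byte file in the listing above is exactly 65535 such records. The sample data is constructed.

```python
import struct

# Assumed record layout of shadow's struct faillog (lib/faillog.h) on a
# 32-bit platform: short fail_cnt, short fail_max, char fail_line[12],
# time_t fail_time, long fail_locktime -> 24 bytes, little-endian.
FAILLOG_FMT = "<hh12sll"
FAILLOG_REC = struct.calcsize(FAILLOG_FMT)  # 24


def parse_faillog(data):
    """Decode raw /var/log/faillog bytes into {uid: record}.

    The file is indexed by UID: record N starts at offset N * 24.
    All-zero records (users that never failed) are skipped, as
    faillog(8) itself does. A trailing partial record is ignored.
    """
    records = {}
    for uid in range(len(data) // FAILLOG_REC):
        chunk = data[uid * FAILLOG_REC:(uid + 1) * FAILLOG_REC]
        cnt, mx, line, ts, lock = struct.unpack(FAILLOG_FMT, chunk)
        if cnt == 0 and mx == 0 and ts == 0:
            continue
        records[uid] = {
            "fail_cnt": cnt,
            "fail_max": mx,
            "fail_line": line.split(b"\0", 1)[0].decode("ascii", "replace"),
            "fail_time": ts,
            "fail_locktime": lock,
        }
    return records


def locked_uids(records):
    """UIDs whose failure count reached a non-zero maximum.
    fail_max == 0 means 'never lock' (what `faillog -u root -m 0` sets)."""
    return sorted(uid for uid, r in records.items()
                  if r["fail_max"] > 0 and r["fail_cnt"] >= r["fail_max"])


def make_record(cnt, mx, line=b"tty1", ts=0, lock=0):
    """Build one constructed 24-byte record (test data, not a real log)."""
    return struct.pack(FAILLOG_FMT, cnt, mx, line.ljust(12, b"\0"), ts, lock)


# Constructed sample file: uid 0 unlimited (max 0), uid 1000 at 5/5
# (locked), uid 1001 at 2/5; every other slot is zero-filled.
SAMPLE = bytearray(1002 * FAILLOG_REC)
SAMPLE[0:24] = make_record(0, 0, ts=1153766553)
SAMPLE[1000 * 24:1001 * 24] = make_record(5, 5, ts=1153766578)
SAMPLE[1001 * 24:1002 * 24] = make_record(2, 5, b"pts/0", ts=1153766692)

if __name__ == "__main__":
    recs = parse_faillog(bytes(SAMPLE))
    for uid, r in sorted(recs.items()):
        print(uid, r["fail_cnt"], r["fail_max"], r["fail_line"], r["fail_time"])
    print("locked:", locked_uids(recs))
```

On a real system, replace SAMPLE with `open("/var/log/faillog", "rb").read()` (as root) and compare the per-UID counts against `faillog -a`, which only lists UIDs present in /etc/passwd.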