Configuring an account password lockout policy in RHEL 8
Environment
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 8
PAM
pam_faillock.so
Issue
What is pam_faillock? How do I implement an account lockout policy using pam_faillock.so?
pam_tally is deprecated in RHEL 6; what can I configure instead of pam_tally?
How do I reset/view the failed login attempts of users for pam_faillock?
How can I use pam_faillock to exempt particular user(s) from being locked out after multiple unsuccessful login attempts?
Since the faillog command (pam_tally) is not available in RHEL 6, how do I use pam_faillock instead?
The pam_tally counter reset does not work correctly.
What can I use instead of pam_tally2, since it is unavailable in RHEL 8?
Resolution
The pam_faillock module performs a function similar to pam_tally and pam_tally2, but with more options and flexibility. The following examples show how to include pam_faillock in /etc/pam.d/system-auth and /etc/pam.d/password-auth (the changes must be made in both files to take effect):
To lock out users after three unsuccessful attempts and unlock the user account after 10 minutes (600 seconds):
auth required pam_env.so
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600 # Insert this line
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600 # Insert this line
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_faillock.so # Insert this line
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
To also lock out the root user, add even_deny_root (and, optionally, root_unlock_time) to the pam_faillock.so auth lines, for example:
auth required pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=1200 root_unlock_time=600
To exempt specific users from being locked out even after multiple failed logins, add the line below just above the pam_faillock.so lines in the auth section, replacing user1, user2, etc. with the actual usernames:
auth [success=1 default=ignore] pam_succeed_if.so user in user1:user2:user3
For more information on the parameters of pam_faillock.so, run man pam_faillock to view its man page.
Alternatively: configure with authconfig
authconfig-6.2.8-19 and later supports pam_faillock.
To enable faillock:
# authconfig --enablefaillock --faillockargs="deny=5 unlock_time=1200" --update
To disable faillock:
# authconfig --disablefaillock --update
Using the faillock command
To reset or view authentication failure records, use commands like the following:
To display the authentication failure records for username:
# faillock --user username
To reset the authentication failure records for username:
# faillock --user username --reset
SSHD configuration adjustment
If pam_faillock.so is not working as expected, the following changes may have to be made to the SSHD configuration:
# vi /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
PasswordAuthentication no
Then restart the sshd service for the configuration changes to take effect:
# systemctl restart sshd
Additional Notes
The sequence of the lines in /etc/pam.d/system-auth and /etc/pam.d/password-auth is important; any change in the sequence may result in locking all user accounts, including the root user, when the even_deny_root option is in use.
The pam_faillock module supports temporary locking of user accounts in the event of multiple failed authentication attempts. This newer module improves on the functionality of the existing pam_tally2 module, as it also allows temporary locking when the authentication attempts are made through a screensaver.
The pam_faillock module now also supports persistent locking via an errata release.
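Because the order of the pam_faillock lines matters (preauth must precede pam_unix.so, authfail must follow it, and the account line must be present), the following added example checks a PAM stack for exactly that. It is not part of the Red Hat article; the check_faillock_order function and the two sample stacks are constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): check that a PAM stack has the
# pam_faillock lines in the order the article requires, and that preauth and
# authfail agree on deny= (a mismatch quietly weakens the lockout policy).
# Usage: check_faillock_order /etc/pam.d/system-auth   (exit 0 = OK)
check_faillock_order() {
    awk '
    # value of a name=value option on the current line, "" if absent
    function opt(name,  i) {
        for (i = 4; i <= NF; i++)
            if (index($i, name "=") == 1) return substr($i, length(name) + 2)
        return ""
    }
    BEGIN { bad = 0 }
    /^[ \t]*#/ || NF == 0 { next }                      # skip comments and blank lines
    $1 == "auth" && $3 == "pam_faillock.so" && $4 == "preauth"  { pre = NR; pre_deny = opt("deny") }
    $1 == "auth" && $3 == "pam_unix.so"                         { unix = NR }
    $1 == "auth" && $3 == "pam_faillock.so" && $4 == "authfail" { fail = NR; fail_deny = opt("deny") }
    $1 == "account" && $3 == "pam_faillock.so"                  { acct = NR }
    END {
        if (!pre)  { print "missing: auth pam_faillock.so preauth";  bad = 1 }
        if (!fail) { print "missing: auth pam_faillock.so authfail"; bad = 1 }
        if (!acct) { print "missing: account required pam_faillock.so"; bad = 1 }
        if (pre && unix && pre > unix)   { print "preauth must come before pam_unix.so"; bad = 1 }
        if (fail && unix && fail < unix) { print "authfail must come after pam_unix.so"; bad = 1 }
        if (pre && fail && pre_deny != fail_deny) { print "deny= differs: preauth vs authfail"; bad = 1 }
        exit bad
    }' "$1"
}

# Constructed sample stacks (not real system files) to exercise the check.
SAMPLE_DIR="${TMPDIR:-/tmp}/faillock_check.$$"; mkdir -p "$SAMPLE_DIR"
cat > "$SAMPLE_DIR/good" <<'EOF'
auth     required      pam_env.so
auth     required      pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth     sufficient    pam_unix.so nullok try_first_pass
auth     [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
auth     required      pam_deny.so
account  required      pam_faillock.so
account  required      pam_unix.so
EOF
cat > "$SAMPLE_DIR/bad" <<'EOF'
auth     sufficient    pam_unix.so nullok try_first_pass
auth     required      pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth     [default=die] pam_faillock.so authfail audit deny=5 unlock_time=600
account  required      pam_unix.so
EOF
check_faillock_order "$SAMPLE_DIR/good" && echo "good: ordering OK"
check_faillock_order "$SAMPLE_DIR/bad"  || echo "bad: problems found (see above)"
```

Run it against both system-auth and password-auth, since the article requires the change in both files.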
Additional information:
In RHEL 8, we do not recommend making modifications directly to the global PAM files system-auth and password-auth under the /etc/pam.d/ directory.
To configure pam_faillock to lock ONLY local user accounts and skip network accounts such as IPA/AD/LDAP, modify the PAM files as described in this article: