Account locking without bad password pamd ssh

Here is my password-auth file:

auth        required       pam_faillock.so preauth silent deny=5 unlock_time=900
auth        required       pam_faillock.so authfail deny=5 unlock_time=900
auth        include        password-auth-ac

account     include        password-auth-ac

password    include        password-auth-ac

session     required       pam_tty_audit.so disable=* enable=root
session     optional       pam_umask.so
session     include        password-auth-ac

Here is my system-auth file:

auth        required       pam_faillock.so preauth silent deny=5 unlock_time=900
auth        required       pam_faillock.so authfail deny=5 unlock_time=900
auth        include        system-auth-ac

account     include        system-auth-ac

password    sufficient     pam_unix.so remember=5
password    include        system-auth-ac

session     required       pam_tty_audit.so disable=* enable=root
session     optional       pam_umask.so
session     include        system-auth-ac

I also have a user logging in with a password whose account locks after 5 successful logins. All logs indicate the previous logins worked, but the 5th attempt locks the account.

I have no idea where to start looking for answers.

UPDATE:

Using `faillock --user ftpweb` I have been able to identify when this error occurs. Using my default ssh options, it tallies a failed login before I enter the password. Using `-o PreferredAuthentications=password -o PubkeyAuthentication=no`, it occurs after entering the password successfully.

Can you post the full content of this file?
Brandon Kauffman:
@cutrightjm I have updated my post to include the file, filename and the system-auth file.
Disclaimer: I am bad at PAM files. However, try adding `auth sufficient pam_unix.so try_first_pass` after your second `pam_faillock.so` line. Is there any particular reason the PAM files have been modified?
Brandon Kauffman:
I can't speak on this with certainty. I believe it's just my company's policy. I'm inheriting this problem from another team that owns the server. I'm trying to dig deeper to verify that their PAM config is causing the problem and not the product with the locking service account.
Did you ever reach a resolution to this?
Brandon Kauffman:
The system admin removed pam faillock until someone else could look at it. I never heard what happened next. I had gone to bootcamp for 6 months.
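
The following is an added example, not part of the original thread: a small Python check for where `pam_faillock.so authfail` sits relative to the module that verifies the password. `authfail` records a failure whenever it is called, so the pam_faillock(8) example places it after `pam_unix.so`; the `VERIFIERS` set, the finding names and the function names are assumptions of this example, and `include` lines are not followed.

```python
import re

# Modules that actually verify a credential (assumed set for this example).
VERIFIERS = {"pam_unix.so", "pam_sss.so"}
AUTH_LINE = re.compile(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

# The auth lines of the password-auth file exactly as posted in the question.
POSTED = """
auth        required       pam_faillock.so preauth silent deny=5 unlock_time=900
auth        required       pam_faillock.so authfail deny=5 unlock_time=900
auth        include        password-auth-ac
"""

# Ordering from the pam_faillock(8) example, with the question's deny/unlock_time.
REFERENCE = """
auth        required       pam_faillock.so preauth silent deny=5 unlock_time=900
auth        sufficient     pam_unix.so try_first_pass
auth        [default=die]  pam_faillock.so authfail deny=5 unlock_time=900
auth        sufficient     pam_faillock.so authsucc deny=5 unlock_time=900
auth        required       pam_deny.so
"""

def parse_auth(stack):
    """Return (control, module, args) for every 'auth' line, in stack order."""
    entries = []
    for raw in stack.splitlines():
        m = AUTH_LINE.match(raw.split("#", 1)[0].strip())
        if m:
            entries.append((m.group(1), m.group(2), m.group(3).split()))
    return entries

def stops_on_success(control):
    """True if a successful verifier ends or jumps the stack (jumps not followed)."""
    return control == "sufficient" or bool(re.search(r"success=(done|\d+)", control))

def check_faillock(stack):
    """Flag layouts in which pam_faillock authfail also runs on good logins."""
    findings, verifier = [], None
    for control, module, args in parse_auth(stack):
        if module in VERIFIERS:
            verifier = control
        elif module == "pam_faillock.so" and "authfail" in args:
            if verifier is None:
                findings.append("authfail-before-verifier")
            elif not stops_on_success(verifier):
                findings.append("authfail-reached-on-success")
    return findings

if __name__ == "__main__":
    for name, stack in (("posted", POSTED), ("reference", REFERENCE)):
        print(name, check_faillock(stack) or "ok")
```
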