Pam_tally2 After Unlock Time


Hi All,

I prepared a CentOS 6.8 Minimal server. As part of hardening I added PAM
rules under system-auth and password-auth to lock the user account for 30
minutes after 3 failed login attempts.

############system-auth###############
# unlock_time is in seconds: 1800 s = 30 minutes
auth        required      pam_tally2.so deny=3 unlock_time=1800
auth        required      pam_env.so
auth        sufficient    pam_unix.so
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     required      pam_tally2.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

###################password-auth#########
# unlock_time is in seconds: 1800 s = 30 minutes
auth        required      pam_tally2.so deny=3 unlock_time=1800
auth        required      pam_env.so
auth        sufficient    pam_unix.so
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     required      pam_tally2.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
#################################################################

Now, *after 3 failed attempts the user is locked successfully, but after 30 minutes, when I tried with a wrong password for the first attempt, it got locked again. It should wait for 3 more attempts after unlock, but it got locked after the first attempt* after unlock. Is there any way to correct the logic?
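The behaviour the post describes follows from how the tally is kept: pam_tally2 bumps the per-user failure counter in the auth phase before the password is checked, clears it only in the account phase (which runs after a successful authentication) or via `pam_tally2 --user NAME --reset`, and `unlock_time` merely stops the module from denying once the last failure is older than that window. The counter itself is still above `deny`, so the next failure re-locks immediately. The model below is an added example written for this page, not code from the PAM project; `TallyModule`, `Tally`, `attempt` and `scenario` are names chosen here, the "exceeds deny" comparison is taken from the pam_tally2(8) man page, and the `reset_on_unlock=True` branch is a hypothetical policy that clears the counter when an attempt arrives after the unlock window, so the user gets `deny` fresh tries, which is what the poster expected.

```python
"""Toy model of a pam_tally2-style failure counter (added example, not PAM source).

Compares two reset policies for the same deny=3 unlock_time=1800 settings:
  reset_on_unlock=False : tally cleared only by a successful login or a manual
                          reset; unlock_time only suppresses the denial once the
                          last failure is older than the window.  This is the
                          behaviour described in the post.
  reset_on_unlock=True  : hypothetical policy that starts a fresh count when an
                          attempt arrives after the unlock window has elapsed.
"""
from dataclasses import dataclass, field


@dataclass
class Tally:
    fail_cnt: int = 0
    fail_time: int = 0      # time (seconds) of the last failure, 0 = never failed


@dataclass
class TallyModule:
    deny: int = 3
    unlock_time: int = 1800
    reset_on_unlock: bool = False
    tallies: dict = field(default_factory=dict)

    def attempt(self, user: str, now: int, password_ok: bool) -> str:
        """One login attempt through the stack: returns 'locked', 'denied' or 'ok'."""
        t = self.tallies.setdefault(user, Tally())

        # auth phase: the counter is bumped *before* the password is checked
        last_failure = t.fail_time
        t.fail_cnt += 1
        t.fail_time = now

        if t.fail_cnt > self.deny:                       # tally exceeds deny
            lock_expired = last_failure != 0 and now - last_failure >= self.unlock_time
            if not lock_expired:
                return "locked"                          # "Account locked due to N failed logins"
            if self.reset_on_unlock:
                t.fail_cnt = 1                           # this attempt starts a fresh window

        # pam_unix: verify the password
        if not password_ok:
            return "denied"

        # account phase runs only after a successful auth and clears the tally
        self.tallies[user] = Tally()
        return "ok"

    def reset(self, user: str) -> None:
        """Equivalent of `pam_tally2 --user NAME --reset`."""
        self.tallies[user] = Tally()


def scenario(reset_on_unlock: bool) -> list:
    """Constructed timeline: 4 wrong passwords, wait out the window, 1 wrong, then the right one."""
    m = TallyModule(deny=3, unlock_time=1800, reset_on_unlock=reset_on_unlock)
    results = []
    now = 0
    for _ in range(4):                     # the 4th attempt is the first one the tally denies
        results.append(m.attempt("alice", now, password_ok=False))
        now += 10
    now += 1800                            # wait longer than unlock_time
    results.append(m.attempt("alice", now, password_ok=False))   # first wrong password after unlock
    now += 10
    results.append(m.attempt("alice", now, password_ok=True))    # correct password right after
    return results


if __name__ == "__main__":
    print("persisting tally (post):", scenario(False))
    print("reset after unlock     :", scenario(True))
```

With the persisting tally the single wrong password after the 30 minutes is answered by a password failure, and the very next attempt is locked again even with the correct password, because the counter now stands at 6 and the last failure is only seconds old. With the hypothetical reset policy the same sequence ends in a successful login. In practice the options on this stack are a manual `pam_tally2 --user NAME --reset` after the lockout, or moving to pam_faillock, whose `fail_interval` only counts failures newer than the interval.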