pam_tally2 causing unwanted lockouts with SCOM or Nervecenter

Posted by Chris on Server Fault
Published on 2014-05-30T06:50:47Z Indexed on 2014/05/30 9:30 UTC

We use pam_tally2 in our system-auth config file, which works fine for users. With services such as SCOM or Nervecenter it causes lockouts.

Same behavior on RHEL5 and RHEL6.

This is /etc/pam.d/nervecenter:

#%PAM-1.0
# Sample NerveCenter/RHEL6 PAM configuration
# This PAM registration file avoids use of the deprecated pam_stack.so module.
auth         include    system-auth
account      required   pam_nologin.so
account      include    system-auth

And this is /etc/pam.d/system-auth:

auth       sufficient     pam_centrifydc.so
auth       requisite      pam_centrifydc.so deny
account    sufficient     pam_centrifydc.so
account    requisite      pam_centrifydc.so deny
session    required       pam_centrifydc.so homedir
password   sufficient     pam_centrifydc.so try_first_pass
password   requisite      pam_centrifydc.so deny
auth        required      pam_tally2.so deny=6 onerr=fail
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3 minclass=3  minlen=8 lcredit=1 ucredit=1 dcredit=1 ocredit=1 difok=1
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember=8
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

The login does work, but it also triggers the pam_tally counter up until it hits 6 "false" logins.

Are there any PAM ninjas around who could spot the issue?

Thanks.
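An added example, not part of the original post: pam_tally2(8) states that the auth phase increments the counter, that the reset happens on pam_setcred(3), and that an account-phase pam_tally2.so entry can do the reset for services that never call pam_setcred. Assuming the monitoring services fall into that group, this lint follows the include lines of the two files quoted above (auth and account lines only) and flags a service whose auth stack counts attempts while its account stack never resets them; `FILES`, `stack` and `tally2_without_reset` are names chosen here.

```python
# Added example: lint a PAM service for pam_tally2 counting without an account-phase reset.
# Config text is copied from the question, trimmed to its auth and account lines.
NERVECENTER = """\
#%PAM-1.0
auth         include    system-auth
account      required   pam_nologin.so
account      include    system-auth
"""
SYSTEM_AUTH = """\
auth       sufficient     pam_centrifydc.so
auth       requisite      pam_centrifydc.so deny
account    sufficient     pam_centrifydc.so
account    requisite      pam_centrifydc.so deny
auth        required      pam_tally2.so deny=6 onerr=fail
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
"""
FILES = {"nervecenter": NERVECENTER, "system-auth": SYSTEM_AUTH}

def stack(files, service, phase, _seen=frozenset()):
    """Ordered module names for one phase, following include/substack lines."""
    if service in _seen or service not in files:
        return []
    mods = []
    for raw in files[service].splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lstrip("-") != phase:
            continue
        if fields[1].startswith("["):  # control such as [success=1 default=ignore]
            end = next((i for i, f in enumerate(fields) if f.endswith("]")), 1)
            fields = [fields[0], " ".join(fields[1:end + 1]), *fields[end + 1:]]
            if len(fields) < 3:
                continue
        control, target = fields[1], fields[2]
        if control in ("include", "substack"):
            mods += stack(files, target, phase, _seen | {service})
        else:
            mods.append(target.rsplit("/", 1)[-1])  # tolerate absolute module paths
    return mods

def tally2_without_reset(files, service):
    """True if auth increments pam_tally2 but the account phase never resets it."""
    return ("pam_tally2.so" in stack(files, service, "auth")
            and "pam_tally2.so" not in stack(files, service, "account"))
```

If the check fires, the entry the man page describes is `account required pam_tally2.so`, placed ahead of any `sufficient` account module so that a successful earlier module does not end the stack before the reset runs.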
