Linux Account Lockout Policy

Matthew_Wai
Level 4
Posts: 346
Joined: Sun Jun 07, 2015 10:42 am
Location: China

Linux Account Lockout Policy

Post by Matthew_Wai » Sun Jul 14, 2019 7:56 am

auth required pam_tally2.so deny=1 unlock_time=10

I have added the above line into /etc/pam.d/common-auth. However, my account will not be locked after incorrect passwords have been entered three times. Nothing happens at all. How can I have it locked?

matthew@pc:~$ cat /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.
auth required pam_tally2.so deny=1 unlock_time=10
# here are the per-package modules (the "Primary" block)
auth	[success=1 default=ignore]	pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth	optional	pam_ecryptfs.so unwrap
auth	optional			pam_cap.so 
# end of pam-auth-update config

matthew@pc:~$ sudo nano /etc/pam.d/common-auth
[sudo] password for matthew: 
Sorry, try again.
[sudo] password for matthew: 
Sorry, try again.
[sudo] password for matthew: 
sudo: 3 incorrect password attempts
matthew@pc:~$ 

I replaced Windows 10 with Mint on January 1, 2019. I am now using Mint 19 Cinnamon (64-bit).

Re: Linux Account Lockout Policy

Post by Matthew_Wai » Sun Jul 14, 2019 10:16 am

I just found that the file /lib/security/pam_tally2.so does not exist.
What should I do?

smurphos
Level 11
Posts: 3732
Joined: Fri Sep 05, 2014 12:18 am
Location: Britisher

Re: Linux Account Lockout Policy

Post by smurphos » Sun Jul 14, 2019 10:28 am

Matthew_Wai wrote:
Sun Jul 14, 2019 10:16 am
I just found that the file /lib/security/pam_tally2.so does not exist.
What should I do?

Look in /lib/x86_64-linux-gnu/security

I don't think this can lock you out of using sudo - what it should be able to do is lock you out of logging in if you use incorrect passwords on the login screen, lock screen, console, via ssh etc....
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.

Re: Linux Account Lockout Policy

Post by Matthew_Wai » Sun Jul 14, 2019 10:32 am

matthew@pc:~$ ls /lib/x86_64-linux-gnu/security
pam_access.so      pam_gnome_keyring.so  pam_namespace.so   pam_systemd.so
pam_cap.so         pam_group.so          pam_nologin.so     pam_tally2.so
pam_cifscreds.so   pam_issue.so          pam_permit.so      pam_tally.so
pam_debug.so       pam_keyinit.so        pam_pwhistory.so   pam_time.so
pam_deny.so        pam_lastlog.so        pam_rhosts.so      pam_timestamp.so
pam_echo.so        pam_limits.so         pam_rootok.so      pam_tty_audit.so
pam_env.so         pam_listfile.so       pam_securetty.so   pam_umask.so
pam_exec.so        pam_localuser.so      pam_selinux.so     pam_unix.so
pam_extrausers.so  pam_loginuid.so       pam_sepermit.so    pam_userdb.so
pam_faildelay.so   pam_mail.so           pam_shells.so      pam_warn.so
pam_filter.so      pam_mkhomedir.so      pam_stress.so      pam_wheel.so
pam_ftp.so         pam_motd.so           pam_succeed_if.so  pam_xauth.so

pam_tally.so and pam_tally2.so are there. What should I do?

gm10
Level 17
Posts: 7469
Joined: Thu Jun 21, 2018 5:11 pm

Re: Linux Account Lockout Policy

Post by gm10 » Sun Jul 14, 2019 11:00 am

smurphos wrote:
Sun Jul 14, 2019 10:28 am
I don't think this can lock you out of using sudo

It will if he adds this in addition to the line he's already got:

account required                        pam_tally2.so

Note that the sudoers passwd_tries setting controls the number of authentication attempts you get no matter what, but the tally module's own counter is used to determine whether to make the login successful (unless you disabled PAM usage for sudoers, of course - it is enabled by default). The sudo prompt will not communicate this to you.
Last edited by gm10 on Sun Jul 14, 2019 11:08 am, edited 1 time in total.
Tune up your LM 19.x: ppa:gm10/linuxmint-tools
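
An added example, not part of the original thread: a shell check that a PAM file carries both pam_tally2 lines discussed above, with the auth line placed ahead of pam_unix.so so it sees every attempt. The function name check_tally2 and the sample files are constructed for illustration.

```shell
#!/bin/sh
# check_tally2 FILE: hypothetical helper (not from the thread). Audits a PAM
# file for the two pam_tally2 lines discussed above; returns 0 if all pass.
check_tally2() {
    awk '
        /^[ \t]*(#|$)/ { next }                     # skip comments and blank lines
        {
            type = $1; sub(/^-/, "", type)          # "-auth" is still an auth line
            is_tally = ($0 ~ /pam_tally2\.so/)
            is_unix  = ($0 ~ /pam_unix\.so/)
        }
        type == "auth" && is_unix && !unix_at { unix_at = NR }
        type == "auth" && is_tally && !auth_at {
            auth_at = NR
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^deny=/)        deny   = substr($i, 6)
                if ($i ~ /^unlock_time=/) unlock = substr($i, 13)
            }
        }
        type == "account" && is_tally { acct = 1 }
        END {
            bad = 0
            if (!auth_at) { print "FAIL: no auth pam_tally2.so line"; bad = 1 } else {
                printf "OK: auth pam_tally2.so at line %d (deny=%s unlock_time=%s)\n", auth_at, deny, unlock
                if (deny == "") { print "FAIL: auth line has no deny= option"; bad = 1 }
                if (unix_at && unix_at < auth_at) { print "FAIL: pam_unix.so runs before pam_tally2.so"; bad = 1 }
            }
            # Per the thread, the account line is what makes the tally apply to sudo.
            if (acct) { print "OK: account pam_tally2.so line present" }
            else { print "FAIL: no account pam_tally2.so line"; bad = 1 }
            exit bad
        }
    ' "$1"
}

# Constructed samples: active lines from the two common-auth versions in the thread.
tmp=$(mktemp -d)
cat > "$tmp/auth_only" <<'EOF'
auth required pam_tally2.so deny=1 unlock_time=10
auth [success=1 default=ignore] pam_unix.so nullok_secure
EOF
cat > "$tmp/auth_and_account" <<'EOF'
account required pam_tally2.so
auth required pam_tally2.so deny=1 unlock_time=10
auth [success=1 default=ignore] pam_unix.so nullok_secure
EOF
check_tally2 "$tmp/auth_only"        || echo "=> first version: incomplete"
check_tally2 "$tmp/auth_and_account" && echo "=> second version: passes"
```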

Re: Linux Account Lockout Policy

Post by smurphos » Sun Jul 14, 2019 11:05 am

Check your set-up - this guide looks OK - https://www.adamcouch.co.uk/linux-accou ... tu-server/

Then test by logging out and then using incorrect passwords on the login screen.

Re: Linux Account Lockout Policy

Post by Matthew_Wai » Sun Jul 14, 2019 11:15 am

gm10 wrote:
Sun Jul 14, 2019 11:00 am
It will if he adds this in addition to the line he's already got:

account required                        pam_tally2.so

Do you mean the following two lines should be added into /etc/pam.d/common-auth?

account required                        pam_tally2.so
auth required pam_tally2.so deny=1 unlock_time=10

Re: Linux Account Lockout Policy

Post by gm10 » Sun Jul 14, 2019 11:17 am

Yes, like that, at the location that you already placed the one line at (at the beginning of the file).

Re: Linux Account Lockout Policy

Post by Matthew_Wai » Mon Jul 15, 2019 1:42 am

Your suggestion does not work. Nothing has happened. See below.

matthew@pc:~$ cat /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.
account required                        pam_tally2.so
auth required pam_tally2.so deny=1 unlock_time=10
# here are the per-package modules (the "Primary" block)
auth	[success=1 default=ignore]	pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth	optional	pam_ecryptfs.so unwrap
auth	optional			pam_cap.so 
# end of pam-auth-update config

matthew@pc:~$ sudo nano /etc/pam.d/common-auth
[sudo] password for matthew: 
Sorry, try again.
[sudo] password for matthew: 
Sorry, try again.
[sudo] password for matthew: 
sudo: 3 incorrect password attempts
matthew@pc:~$ 

Re: Linux Account Lockout Policy

Post by smurphos » Mon Jul 15, 2019 2:05 am

Matthew_Wai wrote:
Mon Jul 15, 2019 1:42 am
Your suggestion does not work. Nothing has happened. See below.

My emphasis on gm10's post

gm10 wrote:
Sun Jul 14, 2019 11:00 am
Note that the sudoers passwd_tries setting controls the number of authentication attempts you get no matter what, but the tally module's own counter is used to determine whether to make the login successful (unless you disabled PAM usage for sudoers, of course - it is enabled by default). The sudo prompt will not communicate this to you.

Re: Linux Account Lockout Policy

Post by Matthew_Wai » Mon Jul 15, 2019 3:20 am

My account was locked after I tried to log in with a wrong password.
Does the lockout policy only apply to logging in?
