How to lock out a user after a set number of login attempts?
[25 byte] By [Sajankp] at [2008-2-26] 
The PAM (Pluggable Authentication Module) module pam_tally keeps track of unsuccessful login attempts then disables user accounts when a preset limit is reached. This is often referred to as account lockout.
To lock out a user after 4 attempts, two entries need to be added in the /etc/pam.d/system-auth file:
auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
account required /lib/security/$ISA/pam_tally.so deny=3 no_magic_root resetThe options used above are described below:
- onerr=fail
If something strange happens, such as unable to open the file, this determines how the module should react. - no_magic_root
This is used to indicate that if the module is invoked by a user with uid=0, then the counter is incremented. The sys-admin should use this for daemon-launched services, like telnet/rsh/login. - deny=3The deny=3 option is used to deny access if tally for this user exceeds 3.
- reset
The reset option instructs the module to reset count to 0 on successful entry.
See below for a complete example of implementing this type of policy:
auth required /lib/security/$ISA/pam_env.so
auth required /lib/security/$ISA/pam_tally.so
onerr=fail no_magic_root auth sufficient
/lib/security/$ISA/pam_unix.so likeauth nullok auth required
/lib/security/$ISA/pam_deny.so account required
/lib/security/$ISA/pam_unix.so account required
/lib/security/$ISA/pam_tally.so deny=5 no_magic_root reset
password requisite
/lib/security/$ISA/$ISA/pam_cracklib.so retry=3 password sufficient
/lib/security/$ISA/$ISA/pam_unix.so nullok use_authtok md5 shadow password required
/lib/security/$ISA/$ISA/pam_deny.so session required
/lib/security/$ISA/$ISA/pam_limits.so session required
/lib/security/$ISA/$ISA/pam_unix.soFor more detailed information on the PAM system please see the documentation contained under /usr/share/doc/pam-<version>
For information on how to unlock a user that has expired their deny tally see additional Knowledgebase articles regarding unlocking a user account and seeing failed logins with the faillog command.
JayVora at 2007-9-5 >
Windows Networking Development Hot Topic
Windows Networking Development New Topic
- broadcast with unbound adapter
- Getting the local address and mask of attached adapters
- How can I get Recv-Q/Send-Q of socket?
- Vista - recv / WSAGetLastError never return WSAECONNRESET
- socket applications and power management
- configuring ethernet bridge coded... need help asap...
- QOS works incorrect on Windows 2000 SP4
- EAP Invalid Pin
Windows Networking Development
Java / MSDN / Linux Tech / PHP Tech / MSDN DotNet / MSDN TECH / Health Library / Programmers Tech / visual basic Tech / Developer Tech / Ipod faqs / Msdn China Tech
Site Classified
- SQL Server
- Windows Forms
- .NET Development
- Visual Basic
- Visual Studio
- Visual Studio Team System
- Visual Studio Orcas
- Visual Studio Express Editions
- Software Development for Windows Vista
- Visual C#
- Visual C++
- Smart Device Development
- SharePoint Products and Technologies
- Feedback for forums and MSDN websites
- Game Technologies: DirectX, XNA, XACT, etc.
- Visual Studio Tools for Office
- Windows Live Developer Forums
- Microsoft ISV Community Center Forums
- Internet Explorer Development
- Visual FoxPro
- Windows Search Technologies
- Audio and Video Development
- Architecture
- Commerce Server
- Gadgets
- Microsoft Robotics Studio
- Community Chat
- BizTalk Server
- Visual J#
- Windows Networking Development
- Silverlight (formerly WPF/E)
- Popfly
- SQL Server Katmai
- Connected Services Framework
- Office Live Development
- Customer Care Framework
- Incubation Technologies
- Software Engineering Discussion
- System Center
- Software Licensing and Protection Services
- Visual Studio Rosario
- Small Business Application Development
- Office
- Windows Server 2008
- JScript
- Storage Platform – Core
- Misc