How to exclude some accounts from being locked after multiple incorrect passwords



Can PAM be configured so that every account is locked out after a number of incorrect passwords, while a few designated accounts are exempt and get an unlimited number of attempts? Yes. This article shows how to do it on RHEL or CentOS 7 with pam_faillock (which locks an account after N failed passwords) and pam_listfile (which exempts the accounts named in a file), and then verifies both the locked and the exempt case with real login attempts.


 

Exclude some accounts from being locked out after multiple incorrect passwords

In this article I will use pam_faillock to lock user accounts after repeated password failures, and pam_listfile to exempt a short list of accounts from that lockout. Keep the exempt list as small as possible: an exempt account can be guessed at indefinitely, so reserve the exemption for break-glass or service accounts that are protected by long passwords or SSH keys, and leave sshd's own MaxAuthTries limit in place as a second line of defence.

 

PAM files to be modified

Both of the files below must be modified, and the auth stack in each must be identical, because sshd's PAM service includes password-auth while login, su and sudo include system-auth. On RHEL/CentOS 7 these two names are normally symlinks to system-auth-ac and password-auth-ac, which authconfig regenerates; if you edit the -ac files directly, a later authconfig run silently discards your change.

/etc/pam.d/password-auth
/etc/pam.d/system-auth

 

Syntax to be used to exclude user accounts from being locked out

Add the lines below to the auth section of both files, system-auth and password-auth, in this order and directly after the pam_unix line that performs the actual password check:

auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=1800
auth        [success=2 default=ignore]  pam_listfile.so item=user sense=allow file=/etc/pam-unlock.txt
auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=1800
auth        sufficient    pam_faillock.so authsucc audit deny=3 unlock_time=1800

How the lines work together: the preauth line runs before the password is requested and fails the stack for an account that has already reached deny=3 (silent suppresses the message to the user, audit logs the event). pam_unix is sufficient, so a correct password on an unlocked account ends the stack there and nothing below it runs. pam_listfile therefore only runs after a wrong password, or on an already locked account; with item=user sense=allow it returns success for a user named in /etc/pam-unlock.txt and a failure for everyone else. The control [success=2 default=ignore] turns that success into a jump: pam.conf(5) defines a numeric action as "ok" plus skipping the next N modules, so a listed user jumps over both the authfail and the authsucc line, no failure is recorded, and the attempt falls through to pam_deny and is refused. Any other result, including pam_listfile being unable to read the file (its default onerr=fail reports an error, and it also rejects a world-writable file), is ignored, so the [default=die] authfail line records the failure and ends the stack. The exemption is therefore fail-closed: a missing or unreadable list locks everyone as usual instead of exempting everyone.

Create /etc/pam-unlock.txt owned by root with mode 0600 and list the exempt users one per line; any other path works if you change file= on the pam_listfile line accordingly. Keep deny and unlock_time identical on every pam_faillock line, since each line parses its own options. root is never locked by pam_faillock unless even_deny_root is added, so it does not need to be listed. The recorded failures for a user can be inspected with faillock --user <name> and cleared with faillock --user <name> --reset.

 

Sample configuration file

My sample system-auth and password-auth file (both files get the same auth stack; the lines added above are shown in context, with comments)

auth        required      pam_env.so
# preauth: refuse an already locked account before the password is asked for
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=1800
auth        required      pam_faildelay.so delay=2000000
# sufficient: a correct password on an unlocked account ends the stack here
auth        sufficient    pam_unix.so nullok try_first_pass
# users listed in the file jump over the next two lines, so no failure is recorded for them
auth        [success=2 default=ignore]  pam_listfile.so item=user sense=allow file=/etc/pam-unlock.txt
# everyone else: record the failure and stop
auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=1800
auth        sufficient    pam_faillock.so authsucc audit deny=3 unlock_time=1800
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

# the account line clears the failure tally after a successful login
account     required      pam_faillock.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok

 

Add the list of users to exclude

Next, add the users you wish to exempt from the lockout to /etc/pam-unlock.txt, one user name per line. The file must be a regular file owned by root and not writable by anyone else (mode 0600 is appropriate); pam_listfile refuses a world-writable file.

[root@rhel-7 ~]# cat /etc/pam-unlock.txt
deepak
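To see why the control fields produce this behaviour, here is an added example that is not part of the original article: a small Python model of the auth stack above. It implements the Linux-PAM dispatch rules for required, requisite, sufficient, [default=die] and the numeric [success=N default=ignore] jump as pam.conf(5) describes them, with stand-in modules and an in-memory counter in place of /var/run/faillock. The user names and passwords are constructed for the demo, the "missing list file" case is simulated with a flag, and unlock_time and fail_interval are not modelled.

```python
"""Model of the pam_faillock + pam_listfile auth stack from this article.

Added example: the dispatch logic follows pam.conf(5), the modules are
stand-ins for the real ones, and the tally is an in-memory counter instead
of /var/run/faillock (unlock_time and fail_interval are not modelled).
"""

SUCCESS, AUTH_ERR, SERVICE_ERR = "success", "auth_err", "service_err"

# Control fields expressed as pam.conf(5) action tables.
REQUIRED   = {"success": "ok",   "default": "bad"}
REQUISITE  = {"success": "ok",   "default": "die"}
SUFFICIENT = {"success": "done", "default": "ignore"}
LISTFILE   = {"success": 2,      "default": "ignore"}  # [success=2 default=ignore]
AUTHFAIL   = {"default": "die"}                         # [default=die]

DENY = 3                                                  # deny=3 on the pam_faillock lines
USERS = {"rahul": "Rahul!2019", "deepak": "Deepak!2019"}  # constructed test accounts
EXCLUDED = {"deepak"}                                     # contents of /etc/pam-unlock.txt
tally = {}                                                # failures per user


def run_auth_stack(stack, ctx):
    """Walk an auth stack the way Linux-PAM's dispatcher does."""
    impression, status = None, AUTH_ERR   # undefined impression, must-fail status
    i = 0
    while i < len(stack):
        control, module = stack[i]
        i += 1
        retval = module(ctx)
        action = control.get(retval, control["default"])
        if action == "ignore":
            continue
        if isinstance(action, int):       # jump N: same as 'ok', then skip N modules
            i += action
            action = "ok"
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == SUCCESS):
                impression, status = "positive", retval
            if impression == "positive" and action == "done":
                break                     # sufficient module succeeded: stop here
        else:                             # "bad" or "die"
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break                     # requisite / [default=die]: stop here
    return status == SUCCESS


# Stand-ins for the modules, in the order of the article's auth stack.
def pam_env(ctx):            return SUCCESS
def pam_faildelay(ctx):      return SUCCESS

def faillock_preauth(ctx):   # refuse an account that already reached deny
    return AUTH_ERR if tally.get(ctx["user"], 0) >= DENY else SUCCESS

def pam_unix(ctx):
    return SUCCESS if USERS.get(ctx["user"]) == ctx["password"] else AUTH_ERR

def pam_listfile(ctx):       # item=user sense=allow: success only for listed users
    if ctx["listfile_missing"]:
        return SERVICE_ERR   # onerr=fail (the default): a bad file is an error, not a match
    return SUCCESS if ctx["user"] in EXCLUDED else AUTH_ERR

def faillock_authfail(ctx):  # record the failure; [default=die] then ends the stack
    tally[ctx["user"]] = tally.get(ctx["user"], 0) + 1
    return AUTH_ERR

def faillock_authsucc(ctx):  # never reached in this stack, kept for fidelity
    tally.pop(ctx["user"], None)
    return SUCCESS

def pam_succeed_if(ctx):     return SUCCESS   # uid >= 1000 holds for both test users
def pam_deny(ctx):           return AUTH_ERR

AUTH_STACK = [
    (REQUIRED,   pam_env),
    (REQUIRED,   faillock_preauth),
    (REQUIRED,   pam_faildelay),
    (SUFFICIENT, pam_unix),
    (LISTFILE,   pam_listfile),
    (AUTHFAIL,   faillock_authfail),
    (SUFFICIENT, faillock_authsucc),
    (REQUISITE,  pam_succeed_if),
    (REQUIRED,   pam_deny),
]


def login(user, password, listfile_missing=False):
    """One authentication attempt; returns True when PAM would grant it."""
    ok = run_auth_stack(AUTH_STACK, {"user": user, "password": password,
                                     "listfile_missing": listfile_missing})
    if ok:
        tally.pop(user, None)   # 'account required pam_faillock.so' clears the tally
    return ok


def demo():
    """Replays the article's two test users, then the missing-file case."""
    tally.clear()
    out = {}
    # rahul is not listed: three wrong passwords lock the account, the right one is refused
    out["rahul"] = [login("rahul", "wrong") for _ in range(3)] + [login("rahul", USERS["rahul"])]
    out["rahul_tally"] = tally.get("rahul", 0)
    # deepak is listed: five wrong passwords record nothing, the right one still works
    out["deepak"] = [login("deepak", "wrong") for _ in range(5)] + [login("deepak", USERS["deepak"])]
    out["deepak_tally"] = tally.get("deepak", 0)
    # if /etc/pam-unlock.txt cannot be read the exemption disappears (fail-closed)
    tally.clear()
    out["deepak_no_file"] = ([login("deepak", "wrong", listfile_missing=True) for _ in range(3)]
                             + [login("deepak", USERS["deepak"], listfile_missing=True)])
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value}")
```

Running the model shows the same outcome as the verification below: rahul's fourth attempt is refused even with the correct password, deepak's sixth attempt succeeds with an empty tally, and deepak is locked like everyone else as soon as the list file cannot be read. Note also that a locked account keeps accumulating failures on every further attempt, which is why faillock --reset, not waiting alone, is the reliable way to clear a tally that is being hammered.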

 

Verify the changes

With the changes in place, I will validate the configuration with two users: rahul, who is not in /etc/pam-unlock.txt, and deepak, who is.

 

For user "rahul"

I will try to log in as rahul on my Linux host. With deny=3 the account is locked after three consecutive wrong passwords, and from then on even the correct password is refused until unlock_time (1800 seconds) has elapsed or the tally is cleared with faillock --user rahul --reset. The pam_listfile(sshd:auth): Refused user rahul lines are expected for every user that is not in the list; that is how pam_listfile reports a non-match with sense=allow, and it is not an error. The last two lines, maximum authentication attempts exceeded and Too many authentication failures, come from sshd's own MaxAuthTries limit, which sits in front of PAM and disconnects the client independently of the faillock lockout.

Aug 31 20:43:48 rhel-7.example unix_chkpwd[27470]: password check failed for user (rahul)
Aug 31 20:43:48 rhel-7.example sshd[27467]: pam_listfile(sshd:auth): Refused user rahul for service sshd
Aug 31 20:43:49 rhel-7.example sshd[27467]: Failed password for rahul from 10.0.2.2 port 52404 ssh2
Aug 31 20:43:54 rhel-7.example unix_chkpwd[27471]: password check failed for user (rahul)
Aug 31 20:43:54 rhel-7.example sshd[27467]: pam_listfile(sshd:auth): Refused user rahul for service sshd
Aug 31 20:43:56 rhel-7.example sshd[27467]: Failed password for rahul from 10.0.2.2 port 52404 ssh2
Aug 31 20:43:57 rhel-7.example unix_chkpwd[27472]: password check failed for user (rahul)
Aug 31 20:43:57 rhel-7.example sshd[27467]: pam_listfile(sshd:auth): Refused user rahul for service sshd
Aug 31 20:43:59 rhel-7.example sshd[27467]: Failed password for rahul from 10.0.2.2 port 52404 ssh2
Aug 31 20:44:01 rhel-7.example sshd[27467]: pam_listfile(sshd:auth): Refused user rahul for service sshd
Aug 31 20:44:04 rhel-7.example sshd[27467]: Failed password for rahul from 10.0.2.2 port 52404 ssh2
Aug 31 20:44:14 rhel-7.example unix_chkpwd[27474]: password check failed for user (rahul)
Aug 31 20:44:14 rhel-7.example sshd[27467]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2  user=rahul
Aug 31 20:44:14 rhel-7.example sshd[27467]: pam_listfile(sshd:auth): Refused user rahul for service sshd
Aug 31 20:44:16 rhel-7.example sshd[27467]: Failed password for rahul from 10.0.2.2 port 52404 ssh2
Aug 31 20:44:16 rhel-7.example sshd[27467]: error: maximum authentication attempts exceeded for rahul from 10.0.2.2 port 52404 ssh2 [preauth]
Aug 31 20:44:16 rhel-7.example sshd[27467]: Disconnecting: Too many authentication failures [preauth]

 

For user "deepak"

Now let us verify the same configuration with the user deepak, who is listed in /etc/pam-unlock.txt.

login as: deepak
deepak@127.0.0.1's password:
Access denied
deepak@127.0.0.1's password:
Access denied
deepak@127.0.0.1's password:
Access denied
deepak@127.0.0.1's password:
Access denied
deepak@127.0.0.1's password:
Access denied
deepak@127.0.0.1's password:
Last failed login: Sat Aug 31 20:46:15 IST 2019 from 10.0.2.2 on ssh:notty
There were 5 failed login attempts since the last successful login.
Last login: Sat Aug 31 20:37:05 2019 from 10.0.2.2
[deepak@rhel-7 ~]$

As you can see, even after five password failures the user deepak was still able to log in to the node. The message "There were 5 failed login attempts since the last successful login" is pam_lastlog reporting from /var/log/btmp; the failures are still recorded there, they are just not counted by pam_faillock.

 

The logs tell the same story: five Failed password lines for deepak, and no pam_listfile refusal because deepak matched the list, followed by Accepted password and a new session. Keep in mind that this is exactly what an online password-guessing attack against an exempt account would look like, so these accounts deserve their own monitoring.

Aug 31 20:46:02 rhel-7.example unix_chkpwd[27479]: password check failed for user (deepak)
Aug 31 20:46:02 rhel-7.example sshd[27476]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2  user=deepak
Aug 31 20:46:04 rhel-7.example sshd[27476]: Failed password for deepak from 10.0.2.2 port 50224 ssh2
Aug 31 20:46:05 rhel-7.example unix_chkpwd[27480]: password check failed for user (deepak)
Aug 31 20:46:07 rhel-7.example sshd[27476]: Failed password for deepak from 10.0.2.2 port 50224 ssh2
Aug 31 20:46:07 rhel-7.example unix_chkpwd[27481]: password check failed for user (deepak)
Aug 31 20:46:09 rhel-7.example sshd[27476]: Failed password for deepak from 10.0.2.2 port 50224 ssh2
Aug 31 20:46:10 rhel-7.example unix_chkpwd[27482]: password check failed for user (deepak)
Aug 31 20:46:12 rhel-7.example sshd[27476]: Failed password for deepak from 10.0.2.2 port 50224 ssh2
Aug 31 20:46:13 rhel-7.example unix_chkpwd[27483]: password check failed for user (deepak)
Aug 31 20:46:15 rhel-7.example sshd[27476]: Failed password for deepak from 10.0.2.2 port 50224 ssh2
Aug 31 20:46:17 rhel-7.example sshd[27476]: Accepted password for deepak from 10.0.2.2 port 50224 ssh2
Aug 31 20:46:17 rhel-7.example systemd[1]: Created slice User Slice of deepak.
Aug 31 20:46:17 rhel-7.example systemd[1]: Started Session 65 of user deepak.
Aug 31 20:46:17 rhel-7.example systemd-logind[2924]: New session 65 of user deepak.
Aug 31 20:46:17 rhel-7.example sshd[27476]: pam_unix(sshd:session): session opened for user deepak by (uid=0)

 

Lastly, I hope the steps in this article to exclude some accounts from being locked out after multiple incorrect passwords in Linux were helpful. Let me know your suggestions and feedback using the comment section.

 


 

Deepak Prasad
