Can PAM be configured so that some accounts are never locked out on failed authentication attempts, while every other account is locked after N incorrect passwords? This article shows how to do exactly that on RHEL or CentOS 7 Linux, with examples.
Exclude some accounts from being locked out after multiple incorrect passwords
In this article I will use pam_faillock to lock user accounts after repeated failures, and pam_listfile to exclude some accounts from being locked out after multiple incorrect passwords.
PAM files to be modified
The following two files must be modified to exclude some accounts from being locked out:
/etc/pam.d/password-auth
/etc/pam.d/system-auth
Syntax to be used to exclude user accounts from being locked out
Add the lines below to both files, i.e. system-auth and password-auth:
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=1800
auth [success=2 default=ignore] pam_listfile.so item=user sense=allow file=/etc/pam-unlock.txt
auth [default=die] pam_faillock.so authfail audit deny=3
auth sufficient pam_faillock.so authsucc audit deny=3
Here /etc/pam-unlock.txt is the file that lists the users who are exempt from being locked out on multiple failed passwords. Create this file and add the users, one per line, for whom you want the exception. The exemption works because of the control flags on the pam_listfile line: for a listed user the module succeeds and [success=2 default=ignore] skips the next two lines (the authfail and authsucc entries of pam_faillock), so no failure is ever recorded for that user; for anyone else the result is ignored and the pam_faillock lines run as usual. You can use any other filename instead of /etc/pam-unlock.txt, but it must be a regular file that is not world-writable, otherwise pam_listfile rejects it.
Sample configuration file
My sample system-auth and password-auth file:
auth required pam_env.so
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=1800
auth required pam_faildelay.so delay=2000000
auth sufficient pam_unix.so nullok try_first_pass
auth [success=2 default=ignore] pam_listfile.so item=user sense=allow file=/etc/pam-unlock.txt
auth [default=die] pam_faillock.so authfail audit deny=3
auth sufficient pam_faillock.so authsucc audit deny=3
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_faillock.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
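To see how the control flags route the two users through this stack, here is an added Python model of the auth section above (this is example code, not the article's own and not libpam). It parses the auth lines verbatim, replaces /etc/pam-unlock.txt with an in-memory set that holds deepak, and replays wrong and correct passwords for rahul and deepak. The control semantics follow pam.d(5); unlock_time, fail_interval and pam_faillock's default root exemption are deliberately left out, and clearing the tally after a successful login stands in for the account required pam_faillock.so line.

```python
"""Replay the article's auth stack for rahul (locked) and deepak (exempt).

Simplified model of Linux-PAM control semantics: required, requisite,
sufficient, [success=N default=ignore] and [default=die]. Not libpam;
unlock_time, fail_interval and root handling are ignored on purpose.
"""
import operator
import re
from collections import namedtuple

Entry = namedtuple("Entry", "module args actions")

# Auth lines from the sample system-auth above, copied verbatim.
AUTH_STACK = """
auth required pam_env.so
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=1800
auth required pam_faildelay.so delay=2000000
auth sufficient pam_unix.so nullok try_first_pass
auth [success=2 default=ignore] pam_listfile.so item=user sense=allow file=/etc/pam-unlock.txt
auth [default=die] pam_faillock.so authfail audit deny=3
auth sufficient pam_faillock.so authsucc audit deny=3
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
"""

# Constructed stand-in for the contents of /etc/pam-unlock.txt.
EXEMPT_USERS = {"deepak"}

# Keyword controls expressed in bracket form, as documented in pam.d(5).
SIMPLE_CONTROLS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


def parse_stack(text):
    """Turn 'type control module args...' lines into Entry records."""
    stack = []
    for line in text.strip().splitlines():
        _, control, module, args = re.match(
            r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line).groups()
        if control.startswith("["):
            actions = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            actions = SIMPLE_CONTROLS[control]
        stack.append(Entry(module, args.split(), actions))
    return stack


def m_faillock(args, ctx):
    opts = dict(a.split("=", 1) for a in args if "=" in a)
    deny = int(opts.get("deny", 3))
    count = ctx["tally"].get(ctx["user"], 0)
    if "preauth" in args:            # refuse once the tally has reached deny
        return count < deny
    if "authfail" in args:           # record one more failure
        ctx["tally"][ctx["user"]] = count + 1
        return False
    if "authsucc" in args:           # clear the tally
        ctx["tally"].pop(ctx["user"], None)
    return True


def m_listfile(args, ctx):
    # item=user sense=allow: succeed only for users listed in the file
    return ctx["user"] in ctx["exempt"]


def m_succeed_if(args, ctx):
    ops = {">=": operator.ge, ">": operator.gt, "<": operator.lt, "<=": operator.le}
    return ops[args[1]](ctx[args[0]], int(args[2]))   # e.g. "uid >= 1000"


MODULES = {
    "pam_env.so": lambda a, c: True,
    "pam_faildelay.so": lambda a, c: True,
    "pam_unix.so": lambda a, c: c["password_ok"],
    "pam_deny.so": lambda a, c: False,
    "pam_faillock.so": m_faillock,
    "pam_listfile.so": m_listfile,
    "pam_succeed_if.so": m_succeed_if,
}


def run_auth(stack, ctx):
    """One pass through the auth stack; True means PAM_SUCCESS."""
    result, skip = None, 0          # None = undecided, False = a failure is recorded
    for entry in stack:
        if skip:
            skip -= 1
            continue
        ret = MODULES[entry.module](entry.args, ctx)
        action = (entry.actions.get("success" if ret else "auth_err")
                  or entry.actions.get("default", "ignore"))
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            result = False
            if action == "die":
                break
        elif action == "done":       # sufficient: return now unless something already failed
            if result is not False:
                result = True
                break
        else:                        # "ok", or a jump count N (ok plus skipping N modules)
            if result is not False:
                result = ret
            if action.isdigit():
                skip = int(action)
    return result is True


def simulate(user, uid, attempts, exempt=EXEMPT_USERS):
    """Replay attempts (True = correct password); return outcomes and final tally."""
    stack = parse_stack(AUTH_STACK)
    ctx = {"user": user, "uid": uid, "tally": {}, "exempt": exempt}
    outcomes = []
    for ok in attempts:
        ctx["password_ok"] = ok
        success = run_auth(stack, ctx)
        if success:
            ctx["tally"].pop(user, None)   # 'account required pam_faillock.so' resets it
        outcomes.append("success" if success else "fail")
    return outcomes, ctx["tally"].get(user, 0)


if __name__ == "__main__":
    print("rahul :", simulate("rahul", 1001, [False, False, False, True]))
    print("deepak:", simulate("deepak", 1002, [False] * 5 + [True]))
```

For rahul the fourth attempt fails even with the right password: preauth (required) has already marked the stack as failed, so the sufficient pam_unix success cannot end the stack, and the authfail line records yet another failure. For deepak every wrong password ends at pam_deny, but the jump over authfail means the tally never moves, so the correct password goes straight through pam_unix.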
Add list of users for exclusion
Next, add the users you wish to exclude from locking to /etc/pam-unlock.txt:
[root@rhel-7 ~]# cat /etc/pam-unlock.txt
deepak
Verify the changes
Now we are done with our changes. I have two users, rahul and deepak, so we will validate our configuration with both.
For user "rahul"
I will try to log in as user rahul on my Linux host. As you can see, after 4 failed attempts my user is locked, and even with the correct password the user fails to log in.
Aug 31 20:43:48 rhel-7.example unix_chkpwd[27470]: password check failed for user (rahul)
Aug 31 20:43:48 rhel-7.example sshd[27467]: pam_listfile(sshd:auth): Refused user rahul for service sshd
Aug 31 20:43:49 rhel-7.example sshd[27467]: Failed password for rahul from 10.0.2.2 port 52404 ssh2
Aug 31 20:43:54 rhel-7.example unix_chkpwd[27471]: password check failed for user (rahul)
Aug 31 20:43:54 rhel-7.example sshd[27467]: pam_listfile(sshd:auth): Refused user rahul for service sshd
Aug 31 20:43:56 rhel-7.example sshd[27467]: Failed password for rahul from 10.0.2.2 port 52404 ssh2
Aug 31 20:43:57 rhel-7.example unix_chkpwd[27472]: password check failed for user (rahul)
Aug 31 20:43:57 rhel-7.example sshd[27467]: pam_listfile(sshd:auth): Refused user rahul for service sshd
Aug 31 20:43:59 rhel-7.example sshd[27467]: Failed password for rahul from 10.0.2.2 port 52404 ssh2
Aug 31 20:44:01 rhel-7.example sshd[27467]: pam_listfile(sshd:auth): Refused user rahul for service sshd
Aug 31 20:44:04 rhel-7.example sshd[27467]: Failed password for rahul from 10.0.2.2 port 52404 ssh2
Aug 31 20:44:14 rhel-7.example unix_chkpwd[27474]: password check failed for user (rahul)
Aug 31 20:44:14 rhel-7.example sshd[27467]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2 user=rahul
Aug 31 20:44:14 rhel-7.example sshd[27467]: pam_listfile(sshd:auth): Refused user rahul for service sshd
Aug 31 20:44:16 rhel-7.example sshd[27467]: Failed password for rahul from 10.0.2.2 port 52404 ssh2
Aug 31 20:44:16 rhel-7.example sshd[27467]: error: maximum authentication attempts exceeded for rahul from 10.0.2.2 port 52404 ssh2 [preauth]
Aug 31 20:44:16 rhel-7.example sshd[27467]: Disconnecting: Too many authentication failures [preauth]
For user "deepak"
Now let us verify the same configuration with the deepak user.
login as: deepak
deepak@127.0.0.1's password:
Access denied
deepak@127.0.0.1's password:
Access denied
deepak@127.0.0.1's password:
Access denied
deepak@127.0.0.1's password:
Access denied
deepak@127.0.0.1's password:
Access denied
deepak@127.0.0.1's password:
Last failed login: Sat Aug 31 20:46:15 IST 2019 from 10.0.2.2 on ssh:notty
There were 5 failed login attempts since the last successful login.
Last login: Sat Aug 31 20:37:05 2019 from 10.0.2.2
[deepak@rhel-7 ~]$
As you can see, even after multiple password failures the user deepak was still able to log in to the node.
The logs also show that user deepak was able to log in after multiple login failures:
Aug 31 20:46:02 rhel-7.example unix_chkpwd[27479]: password check failed for user (deepak)
Aug 31 20:46:02 rhel-7.example sshd[27476]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2 user=deepak
Aug 31 20:46:04 rhel-7.example sshd[27476]: Failed password for deepak from 10.0.2.2 port 50224 ssh2
Aug 31 20:46:05 rhel-7.example unix_chkpwd[27480]: password check failed for user (deepak)
Aug 31 20:46:07 rhel-7.example sshd[27476]: Failed password for deepak from 10.0.2.2 port 50224 ssh2
Aug 31 20:46:07 rhel-7.example unix_chkpwd[27481]: password check failed for user (deepak)
Aug 31 20:46:09 rhel-7.example sshd[27476]: Failed password for deepak from 10.0.2.2 port 50224 ssh2
Aug 31 20:46:10 rhel-7.example unix_chkpwd[27482]: password check failed for user (deepak)
Aug 31 20:46:12 rhel-7.example sshd[27476]: Failed password for deepak from 10.0.2.2 port 50224 ssh2
Aug 31 20:46:13 rhel-7.example unix_chkpwd[27483]: password check failed for user (deepak)
Aug 31 20:46:15 rhel-7.example sshd[27476]: Failed password for deepak from 10.0.2.2 port 50224 ssh2
Aug 31 20:46:17 rhel-7.example sshd[27476]: Accepted password for deepak from 10.0.2.2 port 50224 ssh2
Aug 31 20:46:17 rhel-7.example systemd[1]: Created slice User Slice of deepak.
Aug 31 20:46:17 rhel-7.example systemd[1]: Started Session 65 of user deepak.
Aug 31 20:46:17 rhel-7.example systemd-logind[2924]: New session 65 of user deepak.
Aug 31 20:46:17 rhel-7.example sshd[27476]: pam_unix(sshd:session): session opened for user deepak by (uid=0)
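The two log excerpts differ in one useful way: pam_listfile writes a "Refused user" line only for users who are not in /etc/pam-unlock.txt, so an account that fails repeatedly without ever being refused is on the exemption list. Exempt accounts are the ones faillock will not protect, so a defender wants to know when one of them logs in after a run of failures. The following added Python triage (example code, not from the article) runs over a constructed subset of the /var/log/secure lines shown above and flags exactly that case; the inference about the allow list holds for stacks where pam_listfile sits after pam_unix, as in the sample configuration, because the module only runs after a password failure.

```python
"""Triage sshd lines from /var/log/secure for the faillock exemption pattern.

pam_listfile (sense=allow) logs "Refused user X" only for users NOT in the
allow file, so repeated failures with no refusal mean X is exempt from
lockout. alerts() reports exempt users who still logged in after at least
`deny` failures, the situation pam_faillock would otherwise have blocked.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the log lines shown in the article above.
SAMPLE_LOG = """\
Aug 31 20:43:48 rhel-7.example sshd[27467]: pam_listfile(sshd:auth): Refused user rahul for service sshd
Aug 31 20:43:49 rhel-7.example sshd[27467]: Failed password for rahul from 10.0.2.2 port 52404 ssh2
Aug 31 20:43:54 rhel-7.example sshd[27467]: pam_listfile(sshd:auth): Refused user rahul for service sshd
Aug 31 20:43:56 rhel-7.example sshd[27467]: Failed password for rahul from 10.0.2.2 port 52404 ssh2
Aug 31 20:43:57 rhel-7.example sshd[27467]: pam_listfile(sshd:auth): Refused user rahul for service sshd
Aug 31 20:43:59 rhel-7.example sshd[27467]: Failed password for rahul from 10.0.2.2 port 52404 ssh2
Aug 31 20:46:02 rhel-7.example unix_chkpwd[27479]: password check failed for user (deepak)
Aug 31 20:46:04 rhel-7.example sshd[27476]: Failed password for deepak from 10.0.2.2 port 50224 ssh2
Aug 31 20:46:07 rhel-7.example sshd[27476]: Failed password for deepak from 10.0.2.2 port 50224 ssh2
Aug 31 20:46:09 rhel-7.example sshd[27476]: Failed password for deepak from 10.0.2.2 port 50224 ssh2
Aug 31 20:46:12 rhel-7.example sshd[27476]: Failed password for deepak from 10.0.2.2 port 50224 ssh2
Aug 31 20:46:15 rhel-7.example sshd[27476]: Failed password for deepak from 10.0.2.2 port 50224 ssh2
Aug 31 20:46:17 rhel-7.example sshd[27476]: Accepted password for deepak from 10.0.2.2 port 50224 ssh2
"""

# Only sshd lines carry the three messages we care about; unix_chkpwd lines are skipped.
SSHD_LINE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: (?P<msg>.*)$")
REFUSED = re.compile(r"pam_listfile\(sshd:auth\): Refused user (?P<user>\S+) for service sshd")
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port")
ACCEPTED = re.compile(r"Accepted password for (?P<user>\S+) from (?P<src>\S+) port")


def summarize(lines):
    """Per-user counters: password failures, pam_listfile refusals, accepts, source IPs."""
    stats = defaultdict(lambda: {"failed": 0, "refused": 0, "accepted": 0, "sources": set()})
    for line in lines:
        m = SSHD_LINE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        r, f, a = REFUSED.search(msg), FAILED.search(msg), ACCEPTED.search(msg)
        if r:
            stats[r["user"]]["refused"] += 1
        elif f:
            stats[f["user"]]["failed"] += 1
            stats[f["user"]]["sources"].add(f["src"])
        elif a:
            stats[a["user"]]["accepted"] += 1
            stats[a["user"]]["sources"].add(a["src"])
    return dict(stats)


def exempt_accounts(stats):
    """Users who failed at least once but were never refused by pam_listfile."""
    return sorted(u for u, s in stats.items() if s["failed"] and not s["refused"])


def alerts(stats, deny=3):
    """Exempt users who logged in after `deny` or more failures (faillock's deny=)."""
    return sorted(u for u in exempt_accounts(stats)
                  if stats[u]["failed"] >= deny and stats[u]["accepted"])


if __name__ == "__main__":
    st = summarize(SAMPLE_LOG.splitlines())
    for user, s in sorted(st.items()):
        print(f"{user}: failed={s['failed']} refused={s['refused']} "
              f"accepted={s['accepted']} from={sorted(s['sources'])}")
    print("exempt from lockout:", exempt_accounts(st))
    print("exempt account logged in after >= 3 failures:", alerts(st))
```

Run it against the real file with summarize(open("/var/log/secure").read().splitlines()); the deny value passed to alerts() should match the deny= option on the pam_faillock lines.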
Lastly, I hope the steps in this article to exclude some accounts from being locked out after multiple incorrect passwords in Linux were helpful. Let me know your suggestions and feedback using the comment section.