Hi,<br><br>I am having issues with configuring account lockouts on 3
attempts using faillog and pam_tally, but I am not sure whether there
is a parameter (a.k.a. I didn't RTFM) which has to be added in the
configuration for it to work. I have read through man on AV Pairs,
which I thought could solve the problem, but it didn't seem to help:
<br><br>My tac_plus file in /etc/pam.d/:<br><br>#%PAM-1.0<br>auth required pam_tally.so per_user onerr=fail deny=3<br>auth required pam_env.so<br>auth required pam_unix.so likeauth nullok
<span class="q"><br>account required pam_stack.so service=system-auth<br>password required pam_stack.so service=system-auth<br>session required pam_limits.so<br><br></span>And my tac_plus.cfg<br><br>
group = admin {<br> login = PAM
<br>}<br><br>user = netadm {<span class="q"><br>default service = permit<br>member = admin<br>}<br><br></span>The
problem that I have encountered is that, be it a successful or a failed login
attempt, pam_tally counts it as a failure, but the lockout feature
works fine when it reads that faillog has more than 3 "failed" attempts
for user netadm albeit those 3 attempts were successful logins.
<br><br>My /var/log/secure:<br><br>Dec 4 15:29:13 maskedhost tac_plus[6974]: pam_tally(tac_plus:auth): user netadm (500) tally 4, deny 3<br>Dec
4 15:29:15 maskedhost tac_plus[6974]: pam_unix(tac_plus:auth):
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
user=netadm
<br><br>I have figured that I have probably configured pam_tally to
necessarily do failed login counting and the lockout feature. I greatly
appreciate your help thus far, but I am sorry I have to approach you for
your assistance once again.
<br><br>PS: Sorry if you received 2 copies of this mail. It was a re-send<br><br>Cheers,<br><span class="sg">Lim Seng</span><br><br><div><span class="gmail_quote">On 12/1/06, <b class="gmail_sendername">Lim Seng</b> <
<a href="mailto:limseng@gmail.com">limseng@gmail.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Thanks, that worked too, but the logs are complaining a lot about deprecated pam_stack calls. I figured that just a simple line,
<br><br>#%PAM-1.0<br>auth include system-auth<br><br>allows PAM to work just fine with tac_plus. It doesn't lockout userids after 3 failed attempts though I have configured system-auth to do so, guess I'll look that up in PAM. However, thanks for the help though =)
<br><br>Cheers,<br><span class="sg">Lim Seng</span><div><span class="e" id="q_10f3bad13d70ecf5_2"><br><br><div><span class="gmail_quote">On 11/30/06, <b class="gmail_sendername">john heasley</b> <<a href="mailto:heas@shrubbery.net" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
heas@shrubbery.net</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Thu, Nov 30, 2006 at 03:15:05PM +0800, Lim Seng:<br>> Hi,<br>><br>> I have edited the configuration to the following:<br>><br>> group = admin {<br>> login = PAM<br>> }<br>><br>> user = testuser1 {
<br>> default service = permit<br>> member = admin<br>><br>> }<br>><br>> When I type in the username, immediately I get "% Authentication Failure",<br>> without it even prompting me for a password, is there a certain mandatory
<br>> parameter that should have been inside? I manned through tac_plus.conf.5,<br>> and it looks like simply this configuration will just work.<br>><br>> Appreciate any advice once again, thanks a lot<br><br>
Did you configure PAM itself? This is what I used to test:<br><br>linucks [2] cat /etc/pam.d/tac_plus<br>#%PAM-1.0<br>auth required pam_stack.so service=system-auth<br>account required pam_stack.so service=system-auth
<br>password required pam_stack.so service=system-auth<br>session required pam_limits.so<br><br><br>> Cheers,<br>> Lim Seng<br>><br>><br>> On 11/25/06, <a href="mailto:tac_plus@shrubbery.net" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
tac_plus@shrubbery.net
</a> <<a href="mailto:tac_plus@shrubbery.net" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">tac_plus@shrubbery.net</a>> wrote:<br>> ><br>> >Fri, Nov 24, 2006 at 04:22:33PM +0800, Lim Seng:
<br>> >> Dear Sir,<br>> >><br>> >> I have found RANCID to be a very interesting and useful software, and I
<br>> >am<br>> >> currently using it to backup my network devices. Due to my positive<br>> >> experience with RANCID, I decided to try out tac_plus by Shrubbery too,<br>> >> seeing that your version comes with PAM authentication support as well.
<br>> >I am<br>> >> glad to say everything works fine, but I'd like advice on the<br>> >particular<br>> >> issue between tac_plus and PAM if possible.<br>> >><br>> >> I am currently using:
<br>> >><br>> >> Fedora Core 6<br>> >> uname -r : 2.6.18-1.2849.fc6<br>> >><br>> >> I have compiled and installed tacacs+-F4.0.4.13, authenticating<br>> >primarily<br>> >> from /etc/passwd. What I'd like to achieve is to set a system wide
<br>> >login<br>> >> attempts of 3, and lockout any user account except root in PAM. My<br>> >system<br>> >> already has that policy set, but I'd like to apply this policy to<br>> >tacacs as
<br>> >> well. I have tried to set the authentication method to pam but it<br>> >doesn't<br>> >> work, please see my config:<br>> >><br>> >> ---------------------------------Start of
<br>> >> Config-------------------------------------------<br>> >> key = examplekey<br>> >><br>> >> # Use /etc/passwd file to do authentication<br>> >><br>> >> default authentication = file /etc/passwd
<br>> >><br>> >> # Now tacacs+ also use default PAM authentication<br>> >> #default authentication = pam system-auth ####Tried to set to PAM<br>> >> authentication method but no go here.
<br>> >><br>> >> # Accounting records log file<br>> >><br>> >> accounting file = /var/log/tac_acc.log<br>> >><br>> >> #All services are alowed..<br>> >><br>> >> user = $enable$ {
<br>> >> login = cleartext "iamenabled"<br>> >> }<br>> >><br>> >> group = admin {<br>> >> service = exec {<br>> >> default attribute = permit<br>> >> priv-lvl = 1
<br>> >> }<br>> >> }<br>> >><br>> >> user = tester1 {<br>> >> name = "tester1"<br>> >> member = testadmin<br>> >> }<br>> >><br>> >> ---------------------------------End of
<br>> >> Config-------------------------------------------<br>> >><br>> >> I have read through the INSTALL/users guide/FAQ file and tac_plus.h in<br>> >the<br>> >> source code for further clues but I still can't get it right. I did not
<br>> >> input any special configuration prefixes during compilation phase:<br>> ><br>> >In order for tac_plus to query/use PAM, you must configure those users or<br>> >groups to do so. See tac_plus.conf(5) top-level directive user and follow
<br>> >the relationship to user_attr, to login, then password_spec. eg:<br>> ><br>> >group = admin {<br>> > login = PAM<br>> >....<br>> ><br>> >> ./configure --prefix=/usr/local/tacplus
<br>> >><br>> >> If the information provided is not sufficient I'll be glad to provide<br>> >more,<br>> >> looking forward to your advice.<br>> >><br>> >> Cheers,<br>> >> Lim Seng
<br>> ><br></blockquote></div><br>
</span></div></blockquote></div><br>
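An added example, not from this thread or the tac_plus project, that reads pam_tally and pam_unix lines in the /var/log/secure format quoted above, reports each account's latest tally against its deny threshold, and flags accounts whose tally has outrun the genuine pam_unix authentication failures: that is the symptom described in the top post when the auth-phase pam_tally counter is never reset by an account-phase pam_tally entry after a successful login. The log lines and the second user are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the /var/log/secure format quoted in the thread.
SAMPLE_LOG = """\
Dec 4 15:28:50 maskedhost tac_plus[6974]: pam_tally(tac_plus:auth): user netadm (500) tally 1, deny 3
Dec 4 15:29:01 maskedhost tac_plus[6974]: pam_tally(tac_plus:auth): user netadm (500) tally 2, deny 3
Dec 4 15:29:05 maskedhost tac_plus[6974]: pam_tally(tac_plus:auth): user netadm (500) tally 3, deny 3
Dec 4 15:29:13 maskedhost tac_plus[6974]: pam_tally(tac_plus:auth): user netadm (500) tally 4, deny 3
Dec 4 15:29:15 maskedhost tac_plus[6974]: pam_unix(tac_plus:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=netadm
Dec 4 15:30:02 maskedhost tac_plus[6974]: pam_tally(tac_plus:auth): user ops (501) tally 1, deny 3
Dec 4 15:30:03 maskedhost tac_plus[6974]: pam_unix(tac_plus:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=ops
"""

TALLY_RE = re.compile(
    r"pam_tally\(\S+:auth\): user (?P<user>\S+) \((?P<uid>\d+)\) "
    r"tally (?P<tally>\d+), deny (?P<deny>\d+)")
UNIX_FAIL_RE = re.compile(
    r"pam_unix\(\S+:auth\): authentication failure;.*\buser=(?P<user>\S+)")


def analyse(log_text):
    """Per user: latest tally, deny threshold, count of real pam_unix failures,
    whether pam_tally now denies the user (tally > deny), and a heuristic flag
    'counts_successes' (latest tally > genuine failures), which is what a stack
    without an account-phase pam_tally reset produces."""
    state = defaultdict(lambda: {"tally": 0, "deny": None, "unix_failures": 0})
    for line in log_text.splitlines():
        m = TALLY_RE.search(line)
        if m:
            entry = state[m["user"]]
            entry["tally"] = int(m["tally"])   # pam_tally logs the running count
            entry["deny"] = int(m["deny"])
            continue
        m = UNIX_FAIL_RE.search(line)
        if m:
            state[m["user"]]["unix_failures"] += 1
    for entry in state.values():
        entry["locked"] = entry["deny"] is not None and entry["tally"] > entry["deny"]
        entry["counts_successes"] = entry["tally"] > entry["unix_failures"]
    return dict(state)


if __name__ == "__main__":
    for user, e in sorted(analyse(SAMPLE_LOG).items()):
        print(f"{user}: tally={e['tally']} deny={e['deny']} "
              f"unix_failures={e['unix_failures']} locked={e['locked']} "
              f"counts_successes={e['counts_successes']}")
```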