Last active
February 1, 2018 03:47
-
-
Save jason-idk/63fde0b2c3d7f365446f67559993b7d7 to your computer and use it in GitHub Desktop.
Enabling pam_tally2 on CentOS/RHEL...
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Enabling pam_tally2 on RHEL/CentOS 6: | |
| It is important to understand that if you place the pam_tally2 entries in the same order in | |
| both /etc/pam.d/system-auth and /etc/pam.d/password-auth and use sudo, your account | |
| will be marked as a failed login from tally even if the password is correct. | |
| Please edit the following files accordingly: | |
| FILE ---> /etc/pam.d/system-auth: | |
| #%PAM-1.0 | |
| # This file is auto-generated. | |
| # User changes will be destroyed the next time authconfig is run. | |
| auth required pam_env.so | |
| auth sufficient pam_fprintd.so | |
| auth sufficient pam_unix.so nullok try_first_pass remember=4 | |
| auth required pam_tally2.so deny=6 unlock_time=1800 —— > After | |
| pam_unix.so (this prevents the tally from being counted on local auth) | |
| auth requisite pam_succeed_if.so uid >= 500 quiet | |
| auth required pam_deny.so | |
| account required pam_unix.so | |
| account sufficient pam_localuser.so | |
| account required pam_tally2.so | |
| account sufficient pam_succeed_if.so uid < 500 quiet | |
| account required pam_permit.so | |
| password requisite pam_cracklib.so try_first_pass retry=3 type= minclass=3 minlen=8 | |
| password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok | |
| password required pam_deny.so | |
| session optional pam_keyinit.so revoke | |
| session required pam_limits.so | |
| session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid | |
| session required pam_unix.so | |
| FILE ---> /etc/pam.d/password-auth: | |
| #%PAM-1.0 | |
| # This file is auto-generated. | |
| # User changes will be destroyed the next time authconfig is run. | |
| auth required pam_env.so | |
| auth required pam_tally2.so deny=6 unlock_time=1800 —— > Before | |
| pam_unix.so (While connecting via ssh, check pam_tally2 for a locked account.) | |
| auth sufficient pam_unix.so nullok try_first_pass remember=4 | |
| auth requisite pam_succeed_if.so uid >= 500 quiet | |
| auth required pam_deny.so | |
| account required pam_unix.so | |
| account sufficient pam_localuser.so | |
| account required pam_tally2.so | |
| account sufficient pam_succeed_if.so uid < 500 quiet | |
| account required pam_permit.so | |
| password requisite pam_cracklib.so try_first_pass retry=3 type= minclass=3 minlen=8 | |
| password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok | |
| password required pam_deny.so | |
| session optional pam_keyinit.so revoke | |
| session required pam_limits.so | |
| session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid | |
| session required pam_unix.so | |
| IMPORTANT: | |
| Password-auth is read in /etc/pam.d/sshd (or should be an include) and this is why we | |
| need the tally line read before local auth (system-auth). | |
| PCI Compliance Password and Account limitations: | |
| Some customers may ask you to setup their local account environment to be PCI | |
| compliant, here is a list of things to go through to get started... | |
| PASSWORD COMLPEXITY: | |
| **** Must use at least one occurrence of three of these four categories in the password: **** | |
| - uppercase alphabetic | |
| - lowercase alphabetic | |
| - numeric | |
| - special characters | |
| - minimum 8 characters | |
| In /etc/pam.d/system-auth we would modify the following: | |
| ---> 'pam_cracklib.so' line to include the following: | |
| password requisite pam_cracklib.so try_first_pass retry=3 type= minclass=3 minlen=8 | |
| There are six character classes, minclass=3 says that at least 3 of these must be met when creating a passwd: | |
| - Upper-case characters | |
| - Lower-case characters | |
| - Digits | |
| - Special characters (for example, punctuation) | |
| - 8-bit characters (characters whose decimal code starts at 128 or below) | |
| - Number of repeated characters | |
| In addition to the above, we state that the password must be at least 8 characters in length. To change the default | |
| lifetime of all users password before they must renew, we would need to edit the following entry in the '/etc/login.defs' file... | |
| [root@server pam.d]# cat /etc/login.defs | grep -i 'pass_max' | |
| # PASS_MAX_DAYS Maximum number of days a password may be used. | |
| PASS_MAX_DAYS 99999 to 90 | |
| EXAMPLE: Customer wanted to enable account locking locally and through SSH as well | |
| as setup password aging and complexity requirements. | |
| *** Changes to be made: *** | |
| FILE: /etc/login.defs (editing the following values to change the warning period and password lifetime.) | |
| # PASS_WARN_AGE Number of days warning given before a password expires. | |
| PASS_WARN_AGE 14 | |
| # PASS_MAX_DAYS Maximum number of days a password may be used. | |
| PASS_MAX_DAYS 90 | |
| FILE: /etc/ssh/sshd_config (adding the following line to block ssh access from a specific user) | |
| # Restrict user from SSH access to system. | |
| DenyUsers user | |
| FILE: /etc/pam.d/system-auth | |
| 1. Adding the following pam_tally 'auth' line below pam_unix.so to block locked accounts from having system | |
| level authentication access until the time limit has passed. | |
| 2. Adding values to pam_cracklib.so to set the following values... minclass=3 (meet 3 classes of characters) | |
| minlen=8 (password length minimum of 8) | |
| #%PAM-1.0 | |
| # This file is auto-generated. | |
| # User changes will be destroyed the next time authconfig is run. | |
| auth required pam_env.so | |
| auth sufficient pam_fprintd.so | |
| auth sufficient pam_unix.so nullok try_first_pass remember=4 | |
| auth required pam_tally2.so deny=6 unlock_time=1800 ****** Adding ****** | |
| auth requisite pam_succeed_if.so uid >= 500 quiet | |
| auth required pam_deny.so | |
| account required pam_unix.so | |
| account sufficient pam_localuser.so | |
| account required pam_tally2.so ****** Adding ****** | |
| account sufficient pam_succeed_if.so uid < 500 quiet | |
| account required pam_permit.so | |
| password requisite pam_cracklib.so try_first_pass retry=3 type= minclass=3 minlen=8 ***** Modified ****** | |
| password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok | |
| password required pam_deny.so | |
| session optional pam_keyinit.so revoke | |
| session required pam_limits.so | |
| session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid | |
| session required pam_unix.so | |
| FILE: /etc/pam.d/password-auth | |
| 1. Adding the following pam_tally 'auth' line above pam_unix.so to block locked accounts from having ssh | |
| access until their account is unlocked. | |
| 2. Appending the same values to pam_cracklib.so as above. | |
| #%PAM-1.0 | |
| # This file is auto-generated. | |
| # User changes will be destroyed the next time authconfig is run. | |
| auth required pam_env.so | |
| auth required pam_tally2.so deny=6 unlock_time=1800 ****** Adding ****** | |
| auth sufficient pam_unix.so nullok try_first_pass remember=4 | |
| auth requisite pam_succeed_if.so uid >= 500 quiet | |
| auth required pam_deny.so | |
| account required pam_unix.so | |
| account sufficient pam_localuser.so | |
| account required pam_tally2.so ****** Adding ****** | |
| account sufficient pam_succeed_if.so uid < 500 quiet | |
| account required pam_permit.so | |
| password requisite pam_cracklib.so try_first_pass retry=3 type= minclass=3 minlen=8 ****** Modified ****** | |
| password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok | |
| password required pam_deny.so | |
| session optional pam_keyinit.so revoke | |
| session required pam_limits.so | |
| session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid | |
| session required pam_unix.so |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment