在Red Hat 6.x和CentOS 6.x中如何设置多次登录失败后锁定用户
时间:2019-08-20 17:58:26 来源:igfitidea点击:
在这里,我们将使用pam_tally2.so。来锁定那些多次登录失败的用户。
# cd /etc/pam.d # cp -p password-auth-ac password-auth-ac.bak # vi system-auth
password-auth只是password-auth-ac文件的软链接。可以使用
ls -la password-auth查看。
在password-auth-ac中,添加这两行:
auth required pam_tally2.so deny=3 unlock_time=36000 audit account required pam_tally2.so
文件参考:
[root@localhost ~]# cat /etc/pam.d/password-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth required pam_tally2.so deny=3 unlock_time=36000 audit auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account required pam_tally2.so account sufficient pam_succeed_if.so uid < 500 quietaccount required pam_permit.sopassword requisite pam_cracklib.so try_first_pass retry=3 type=password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtokpassword required pam_deny.sosession optional pam_keyinit.so revokesession required pam_limits.sosession [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uidsession required pam_unix.so[root@localhost ~]#
默认情况下,失败的日志保存在 /var/log/tallylog中
查看用户的失败尝试次数
pam_tally2 -u username
重置登录失败的日志
pam_tally2 -u username –reset
查看pam_tally2.so的配置选项:
cat /usr/share/doc/pam-1.1.1/txts/README.pam_tally2
