How to lock a user after repeated failed logins on Red Hat 6.x and CentOS 6.x

Date: 2019-08-20 17:58:26  Source: igfitidea

Here we use pam_tally2.so to lock users who fail to log in several times in a row.

# cd /etc/pam.d
# cp -p password-auth-ac password-auth-ac.bak
# vi password-auth-ac

password-auth is just a symlink to the password-auth-ac file; you can confirm this with ls -la password-auth.

In password-auth-ac, add these two lines:

auth required pam_tally2.so deny=3 unlock_time=36000 audit
account required pam_tally2.so

Reference copy of the file:

[root@localhost ~]# cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_tally2.so deny=3 unlock_time=36000 audit
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account required pam_tally2.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
[root@localhost ~]#
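One detail worth checking in the listing above: the pam_tally2 auth line sits after `auth sufficient pam_unix.so`. A sufficient module that succeeds ends the auth stack, so the tally line is then only reached on a wrong password, and a correct password gets a locked account in; placing the pam_tally2 line before pam_unix avoids that. The script below is an added example (not from the article) that parses a PAM stack, here a constructed sample mirroring the listing, and flags that ordering as well as a missing account line.

```python
import re

# Constructed sample, not the article's listing verbatim: the auth and account
# stacks from its /etc/pam.d/password-auth, pam_tally2 after sufficient pam_unix.
SAMPLE_PASSWORD_AUTH = """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_tally2.so deny=3 unlock_time=36000 audit
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account required pam_tally2.so
"""

def parse_pam(text):
    """Return (type, control, module, args) tuples; comments and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # The control field may be a bracketed list such as [success=1 default=ignore].
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            rules.append((m.group(1), m.group(2), m.group(3), m.group(4).split()))
    return rules

def check_tally2(text):
    """Return findings about the pam_tally2 lockout setup; an empty list means OK."""
    rules = parse_pam(text)
    findings = []
    auth = [r for r in rules if r[0] == "auth"]
    tally = next((i for i, r in enumerate(auth) if r[2] == "pam_tally2.so"), None)
    if tally is None:
        findings.append("no auth pam_tally2.so line: failed logins are never counted")
    else:
        unix = next((i for i, r in enumerate(auth)
                     if r[1] == "sufficient" and r[2] == "pam_unix.so"), None)
        # A 'sufficient' pam_unix that succeeds ends the auth stack, so a
        # pam_tally2 line after it is skipped whenever the password is correct.
        if unix is not None and unix < tally:
            findings.append("auth pam_tally2.so comes after 'auth sufficient pam_unix.so': "
                            "a correct password bypasses the lock")
    if not any(r[0] == "account" and r[2] == "pam_tally2.so" for r in rules):
        findings.append("no account pam_tally2.so line: the counter is not reset on success")
    return findings
```

To audit a real host, read /etc/pam.d/password-auth (and system-auth) into `check_tally2` instead of the sample.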

By default, the failed-login records are kept in /var/log/tallylog.

To show a user's failed-attempt count:

pam_tally2 -u username

To reset a user's failed-login record:

pam_tally2 -u username --reset

To see the configuration options of pam_tally2.so:

cat /usr/share/doc/pam-1.1.1/txts/README.pam_tally2