Freebsd auto locking users

Khachatur Shahinyan khachatur.shahinyan at arca.am
Tue Sep 16 06:32:20 UTC 2008


Yes, pam_abl is the correct PAM module to solve this problem. After
reading its manual I was able to lock users and log the authentication
failures. Thank you for the help. But the password expiration and warning
issues are still open.
Thank you
Khachatur Shahinyan

Tom Rhodes wrote:
> On Sat, 13 Sep 2008 15:26:10 +0500
> Khachatur Shahinyan <khachatur.shahinyan at arca.am> wrote:
>
>> Tom Rhodes wrote:
>>> On Sat, 13 Sep 2008 11:35:21 +0500
>>> Khachatur Shahinyan <khachatur.shahinyan at arca.am> wrote:
>>>
>>>> Tom Rhodes wrote:
>>>>> On Sat, 13 Sep 2008 10:42:06 +0500
>>>>> Khachatur Shahinyan <khachatur.shahinyan at arca.am> wrote:
>>>>>
>>>>>> Dear FreeBSD gurus, I have a problem concerning users' password and
>>>>>> authentication policies. The goal is
>>>>>> 1) make FreeBSD lock users after 3 unsuccessful login attempts,
>>>>>> 2) force users to change their passwords every 90 days
>>>>>>
>>>>>> I've done such changes in Linux distros, with various PAM modules. But in
>>>>>> FreeBSD it seems that I need to use the login.conf file. Here I made the
>>>>>> necessary changes in that file:
>>>>>>
>>>>>> default:\
>>>>>> .............
>>>>>> .............
>>>>>> .............      :login-retries=1:\
>>>>>> :passwordtime=90d:\
>>>>>> :warnpassword=7d:\
>>>>>> :warnexpire=7d:\
>>>>>>
>>>>>> Then I ran cap_mkdb /etc/login.conf, and everything went normally,
>>>>>> no error messages, but after adding a test user I see no changes in the
>>>>>> master.passwd file.
>>>>>> The fields which are reserved for password aging parameters are 0:0
>>>>>> test:$1$F9yf.PuK$xqIsGEgK3MexpPZ4UBav0.:1001:1001::0:0:User &:/home/test:/bin/sh
>>>>>>
>>>>>> And the locking point does not work either, e.g. no matter how many
>>>>>> times I input a wrong password, I'm still able to log in. :(
>>>>>> I cannot understand what I'm doing wrong, and what should be done to solve
>>>>>> these issues? I'm not an expert in FreeBSD administration, so any comments
>>>>>> and suggestions are welcome.
>>>>> You should be able to set these via the pw(8) utility.
>>>>>
>>>> Thank you for the fast reply.
>>>>
>>>> Yes, some settings can be done via "pw", but it does not support auto 
>>>> locking.
>>>>
>>> I'm about to be going to bed soon, but how did you accomplish
>>> this in Linux?  We have PAM configuration in /etc/pam.d, you
>>> may wish to look there.
>>>
>> We have a few Red Hat Linux machines, and solved this problem with faillog
>> (http://linux.die.net/man/8/faillog), and pam tally
>> (http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_tally.html).
>> It took over 30 minutes to fully configure the system. But in the case of
>> FreeBSD, it does not seem to be that easy :)
>>
>
> Someone mentioned this port:
>
> security/pam_abl
>
> The description of this pam module is:
>
> localhost# cat /usr/ports/security/pam_abl/pkg-descr 
> The pam_abl provides auto blacklisting of hosts and users
> responsible for repeated failed authentication attempts.
>
> WWW: http://www.hexten.net/pam_abl/
>
> Which sounds interesting and will most likely do what you want.
>
>   
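
The 0:0 fields in the master.passwd line quoted above are the change and expire fields described in passwd(5). As an added example that is not part of the original thread, this sh function reports each account's aging state from master.passwd-format lines; the function names, sample accounts and timestamps are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit password-aging fields.
# passwd(5) layout: name:password:uid:gid:class:change:expire:gecos:home:shell
# change = password change time, expire = account expiry (epoch seconds, 0 = unset).

# audit_pw_aging NOW [WARN_DAYS]  (hypothetical helper name)
# Reads master.passwd-format lines on stdin, prints "user status" per account.
audit_pw_aging() {
    awk -F: -v now="$1" -v warn="${2:-7}" '
        /^#/ || NF == 0 { next }                      # comments, blank lines
        NF != 10        { print $1, "malformed"; next }
        {
            change = $6 + 0; expire = $7 + 0
            if (expire != 0 && expire <= now)         s = "account-expired"
            else if (change == 0)                     s = "no-aging"
            else if (change <= now)                   s = "change-due"
            else if (change - now <= warn * 86400)    s = "change-soon"
            else                                      s = "ok"
            print $1, s
        }'
}

# Constructed sample, not real accounts; "*" stands in for the password hash.
# NOW used below is 1221523200 (2008-09-16 00:00:00 UTC).
sample_master_passwd() {
    cat <<'EOF'
# constructed sample
test:*:1001:1001::0:0:User &:/home/test:/bin/sh
alice:*:1002:1002:default:1221436800:0:Alice:/home/alice:/bin/sh
bob:*:1003:1003:default:1229299200:0:Bob:/home/bob:/bin/sh
carol:*:1004:1004:default:1221782400:0:Carol:/home/carol:/bin/sh
dave:*:1005:1005:default:0:1220000000:Dave:/home/dave:/bin/sh
broken:*:1006:1006
EOF
}

# On a live FreeBSD host (as root):
#   audit_pw_aging "$(date +%s)" < /etc/master.passwd
sample_master_passwd | audit_pw_aging 1221523200 7
```

An account reported as no-aging has a change field of 0, which is the state the test user in the thread is in.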



More information about the freebsd-security mailing list