Freebsd auto locking users
Khachatur Shahinyan
khachatur.shahinyan at arca.am
Tue Sep 16 06:32:20 UTC 2008
Yes, pam_abl is the correct PAM module to solve this problem. After
reading its manual I was able to lock users and log the authentication
failures. Thank you for the help. But the password expiration and warning
issues are still open.
Thank you
Khachatur Shahinyan
Tom Rhodes wrote:
> On Sat, 13 Sep 2008 15:26:10 +0500
> Khachatur Shahinyan <khachatur.shahinyan at arca.am> wrote:
>
>
>> Tom Rhodes wrote:
>>
>>> On Sat, 13 Sep 2008 11:35:21 +0500
>>> Khachatur Shahinyan <khachatur.shahinyan at arca.am> wrote:
>>>
>>>
>>>
>>>> Tom Rhodes wrote:
>>>>
>>>>
>>>>> On Sat, 13 Sep 2008 10:42:06 +0500
>>>>> Khachatur Shahinyan <khachatur.shahinyan at arca.am> wrote:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> Dear FreeBSD gurus, I have a problem concerning users' password and
>>>>>> authentication policies. The goal is to
>>>>>> 1) make FreeBSD lock users after 3 unsuccessful login attempts,
>>>>>> 2) force users to change their passwords every 90 days
>>>>>>
>>>>>> I've done such changes in Linux distros, with various PAM modules. But in
>>>>>> FreeBSD it seems that I need to use the login.conf file. Here I made the
>>>>>> necessary changes in that file:
>>>>>> >>>>>>
>>>>>> default:\
>>>>>> .............
>>>>>> .............
>>>>>> ............. :login-retries=1:\
>>>>>> :passwordtime=90d:\
>>>>>> :warnpassword=7d:\
>>>>>> :warnexpire=7d:\
>>>>>> >>>>>>>
>>>>>> Then I ran cap_mkdb /etc/login.conf, and everything went normally,
>>>>>> no error messages, but after adding a test user I see no changes in the
>>>>>> master.passwd file.
>>>>>> The fields which are reserved for password aging parameters are 0:0
>>>>>> test:$1$F9yf.PuK$xqIsGEgK3MexpPZ4UBav0.:1001:1001::0:0:User &:/home/test:/bin/sh
>>>>>>
>>>>>> And the locking point does not work either, e.g. no matter how many
>>>>>> times I input a wrong password, I'm still able to log in. :(
>>>>>> I cannot understand what I'm doing wrong, and what should be done to solve
>>>>>> these issues? I'm not an expert in FreeBSD administration, so any comments
>>>>>> and suggestions are welcome.
>>>>>>
>>>>>>
>>>>>>
>>>>> You should be able to set these via the pw(8) utility.
>>>>>
>>>>>
>>>>>
>>>>>
>>>> Thank you for the fast reply.
>>>>
>>>> Yes, some settings can be done via "pw", but it does not support auto
>>>> locking.
>>>>
>>>>
>>>>
>>>>
>>> I'm about to be going to bed soon, but how did you accomplish
>>> this in Linux? We have PAM configuration in /etc/pam.d, you
>>> may wish to look there.
>>>
>>>
>>>
>> We have a few Red Hat Linux machines, and solved this problem with faillog
>> (http://linux.die.net/man/8/faillog), and pam tally
>> (http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_tally.html).
>> It took over 30 minutes to fully configure the system. But in the case of
>> FreeBSD, it does not seem to be that easy :)
>>
>>
>
> Someone mentioned this port:
>
> security/pam_abl
>
> The description of this pam module is:
>
> localhost# cat /usr/ports/security/pam_abl/pkg-descr
> The pam_abl provides auto blacklisting of hosts and users
> responsible for repeated failed authentication attempts.
>
> WWW: http://www.hexten.net/pam_abl/
>
> Which sounds interesting and will most likely do what you want.
>
>
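
An added example, not part of the thread and not code from any poster: one way to audit the password-change field of master.passwd that the original question inspects by eye. It assumes the ten-field layout from passwd(5) and that `pw lock` marks locked accounts with a `*LOCKED*` prefix; the function names, the "now" timestamp and the sample lines are constructed.

```sh
#!/bin/sh
# Audit master.passwd-format lines for password aging (added example).
# Fields per passwd(5): name:password:uid:gid:class:change:expire:gecos:home:shell
# "change" is the epoch time by which the password must be changed; 0 = not set.
# Only the change field is classified here; the expire field is not examined.

# audit_aging NOW_EPOCH WARN_DAYS   (reads master.passwd-format lines on stdin)
audit_aging() {
    awk -F: -v now="$1" -v warn="$2" '
        /^#/ || NF < 10 { next }                  # comments, malformed lines
        $2 == "*" || $2 ~ /^\*LOCKED\*/ { next }  # no password login, or locked
        {
            chg = $6 + 0                          # empty field counts as 0
            if (chg == 0)                        state = "no-aging"
            else if (chg <= now)                 state = "change-due"
            else if (chg - now <= warn * 86400)  state = "change-soon"
            else                                 state = "ok"
            print $1 ":" state
        }'
}

# Constructed sample accounts (placeholder hashes, not real data).
sample_lines() {
    cat <<'EOF'
test:$1$constructed$placeholderAAAA:1001:1001::0:0:User &:/home/test:/bin/sh
alice:$1$constructed$placeholderBBBB:1002:1002::1229322740:0:Alice:/home/alice:/bin/sh
bob:$1$constructed$placeholderCCCC:1003:1003::1221900000:0:Bob:/home/bob:/bin/sh
carol:$1$constructed$placeholderDDDD:1004:1004::1220000000:0:Carol:/home/carol:/bin/sh
dave:*LOCKED*$1$constructed$placeholderEEEE:1005:1005::0:0:Dave:/home/dave:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
EOF
}

# Demo run against the constructed data with a fixed "now" and a 7-day warning window.
sample_lines | audit_aging 1221546740 7
```

On a live system the same function can be run as root with `audit_aging "$(date +%s)" 7 < /etc/master.passwd`.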