✨ Tally2 maintains a count of failed login attempts for each user and can lock accounts if a threshold of failed attempts is reached. It provides a way for system administrators to enhance security by enforcing restrictions on user authentication attempts
✨ Access allows system administrators to define rules in the /etc/security/access.conf configuration file that specify which users and groups are allowed or denied access to specific services or files on the system
✨ Pwquality checks the strength of user passwords against a set of predefined criteria, such as length, complexity, and age, and can reject weak or easily guessable passwords
pam_tally2
Locking an account after the password has been entered wrongly more than n times
vi /etc/pam.d/sshd
# Add this as the first line
auth required pam_tally2.so deny=3 unlock_time=600
We can test the above by trying to log in as a user (any user other than root)
If we enter a wrong password more than 3 times, the account will be locked. Even if we then enter the correct password, we won't be able to log in as that user for 600 seconds
We can use the following command to see the recorded failure counts, including the currently locked users
pam_tally2
Login Failures Latest failure From
user1 5 02/16/23 09:21:44 192.168.1.1
To reset the failures and unlock the account
pam_tally2 -u user1 --reset=0
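Two small checks for this section, written here as an added example rather than taken from the post: one parses `pam_tally2`-style output (the sample below is constructed, not captured from a host) and lists the users whose failure count has reached the deny threshold; the other pulls `deny=` and `unlock_time=` out of a pam.d line and fails when either is missing, which catches the easy mistake of writing `unlock time=` with a space (the option then splits into two tokens and `unlock_time` is never set). Function names and the sample data are my own.

```shell
# Constructed sample of `pam_tally2` output (not captured from a real host)
TALLY_OUTPUT='Login           Failures Latest failure     From
user1               5    02/16/23 09:21:44  192.168.1.1
user2               1    02/16/23 10:02:10  10.0.0.7
user3               3    02/16/23 10:15:33  10.0.0.9'

# List users whose failure count has reached the deny threshold.
# The header line is skipped; $2 is the Failures column.
locked_users() {
  threshold=$1
  printf '%s\n' "$TALLY_OUTPUT" | awk -v t="$threshold" 'NR > 1 && $2 + 0 >= t + 0 { print $1 }'
}

# Extract deny= and unlock_time= from a pam.d line; return 1 if either is absent.
# "unlock time=600" (space instead of underscore) splits into the tokens
# "unlock" and "time=600", so unlock_time stays empty and the check fails.
tally_options() {
  deny=$(printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^deny=//p')
  unlock=$(printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^unlock_time=//p')
  [ -n "$deny" ] && [ -n "$unlock" ] || return 1
  printf 'deny=%s unlock_time=%s\n' "$deny" "$unlock"
}

# Stand-alone usage
tally_options 'auth required pam_tally2.so deny=3 unlock_time=600'
locked_users 3
```

With `deny=3`, `locked_users 3` reports user1 and user3; user2 still has headroom. Feeding the real `pam_tally2` output in instead of the constructed sample is a matter of replacing the `printf` with the command itself.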
pam_access
Add the following line just under all of the auth lines
account required pam_access.so
Now we can open the access configuration file
vi /etc/security/access.conf
This file contains commented examples of the different access rules that can be set
I have added the following at the end
-:user1:ALL
This denies user1 access from all sources
So now if we try to log in as user1, we should be kicked out immediately and not allowed to log in
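To see why the rule above takes effect, here is an added example (my own code, not from the post) that evaluates a small constructed set of access.conf rules the way pam_access does: each line is `permission : users : origins`, and the first rule whose user and origin fields both match decides the outcome. It is deliberately simplified: user names are matched literally (no `@group` or netgroup lookups) and origins are matched literally or by `ALL`; `LOCAL`, host names and network prefixes, which pam_access also understands, are not handled. When no rule matches, pam_access grants access, so the default is `allow`.

```shell
# Constructed sample of access.conf rules (not the system's real file).
# Format: permission : users : origins; the first matching rule wins.
ACCESS_CONF='# constructed sample
+ : root : 192.168.1.10
- : ALL EXCEPT root : 192.168.1.10
- : user1 : ALL'

# Print "allow" or "deny" for a user ($1) logging in from an origin ($2).
access_decision() {
  printf '%s\n' "$ACCESS_CONF" | awk -F: -v u="$1" -v o="$2" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    # literal membership test against a space-separated list
    function in_list(list, item,    n, i, parts) {
      n = split(list, parts, " ")
      for (i = 1; i <= n; i++) if (parts[i] == item) return 1
      return 0
    }
    # ALL matches anything; "ALL EXCEPT a b" matches anything not listed
    function matches(field, item,    f) {
      f = trim(field)
      if (f == "ALL") return 1
      if (index(f, "ALL EXCEPT ") == 1) return !in_list(substr(f, 12), item)
      return in_list(f, item)
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    matches($2, u) && matches($3, o) {
      verdict = (trim($1) == "+") ? "allow" : "deny"
      print verdict; decided = 1; exit
    }
    END { if (!decided) print "allow" }       # no rule matched: pam_access allows
  '
}

# Stand-alone usage
access_decision user1 192.168.1.1    # deny  (third rule: user1 from ALL)
access_decision root 192.168.1.10    # allow (first rule)
access_decision user2 192.168.1.10   # deny  (second rule: ALL EXCEPT root)
```

Because evaluation stops at the first match, rule order matters: a broad `- : ALL : ALL` placed above a specific `+` line would lock everyone out, which is the same ordering mistake people make in the real file.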
pam_pwquality
In the system-auth config file
vi /etc/pam.d/system-auth
# At line 15
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
We can append minlen=12 to the end of that line and then try to set the password for user2 to
12#$qwER
But the above is only 8 characters, not 12. That is true; however, because I have used a combination of digits, upper-case letters, lower-case letters and symbols, pam_pwquality adds one credit to the length for each character class used
There are 4 character classes in the above password, so the effective length becomes
8 + 4 = 12
We can also use the following options to tune those credits
- ucredit: credit for upper-case letters; a value N >= 0 caps the credit earned from upper-case letters at N, while a negative value -N requires at least N upper-case letters
- lcredit: credit for lower-case letters, with the same meaning of positive and negative values
- dcredit: credit for digits (numbers), with the same meaning of positive and negative values
- ocredit: credit for other (non-alphanumeric) characters, with the same meaning of positive and negative values
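The credit arithmetic above is easy to get wrong, so here is an added example (my own code, not the module's source) that computes the effective length the way pam_pwquality's credit rules do: for a credit N >= 0, up to N characters of that class each add one to the length; for a negative credit -N, at least N characters of that class are required and the class adds nothing. Only the length and credit rules are modelled; the dictionary, repeat and similarity checks the module also performs are left out. Argument order and the function name are my own choices.

```shell
# pw_check PASSWORD MINLEN [DCREDIT] [UCREDIT] [LCREDIT] [OCREDIT]
# Credits default to 1 each, matching pam_pwquality's defaults.
# Prints "ok (effective length N)", "too short (N < MINLEN)" or
# "missing required character class", and returns 1 on the last two.
pw_check() {
  awk -v pw="$1" -v minlen="${2:-8}" -v dc="${3:-1}" -v uc="${4:-1}" -v lc="${5:-1}" -v oc="${6:-1}" '
    # number of characters in s matching the class regex re
    function count(s, re,    n, i, c) {
      n = 0
      for (i = 1; i <= length(s); i++) { c = substr(s, i, 1); if (c ~ re) n++ }
      return n
    }
    # credit earned for n characters under the given limit;
    # -1 signals that a negative credit (a minimum) was not met
    function credit(n, limit) {
      if (limit < 0) return (n >= -limit) ? 0 : -1
      return (n < limit) ? n : limit
    }
    BEGIN {
      d = credit(count(pw, "[[:digit:]]"), dc + 0)
      u = credit(count(pw, "[[:upper:]]"), uc + 0)
      l = credit(count(pw, "[[:lower:]]"), lc + 0)
      o = credit(count(pw, "[^[:alnum:]]"), oc + 0)
      if (d < 0 || u < 0 || l < 0 || o < 0) { print "missing required character class"; exit 1 }
      size = length(pw) + d + u + l + o
      if (size < minlen + 0) { printf "too short (%d < %d)\n", size, minlen; exit 1 }
      printf "ok (effective length %d)\n", size
    }
  '
}

# Stand-alone usage (the passwords are constructed samples)
pw_check '12#$qwER' 12        # ok (effective length 12): 8 characters + 4 classes
pw_check 'abcdefgh' 12        # too short (9 < 12): only the lower-case class earns credit
pw_check '12#$qwER' 12 -2     # too short (11 < 12): dcredit=-2 requires 2 digits but gives no credit
```

The third call is the edge case worth remembering: switching a credit negative to enforce a minimum count also removes that class's credit, so the same password that passed with minlen=12 now fails, and minlen may need adjusting alongside the credit options.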