DEV Community

Waji

Using different PAM configuration

pam_tally2 maintains a count of failed login attempts for each user and can lock an account once a threshold of failed attempts is reached. It gives system administrators a way to enforce limits on user authentication attempts.

pam_access lets system administrators define rules in the /etc/security/access.conf configuration file that specify which users and groups are allowed or denied access to specific services on the system.

pam_pwquality checks the strength of user passwords against a set of predefined criteria, such as length, complexity, and age, and can reject weak or easily guessable passwords.


pam_tally2

Locking an account after the password has been entered wrongly more than n times

vi /etc/pam.d/sshd

# Add this as the first line (the option is unlock_time, with an underscore)
auth       required     pam_tally2.so deny=3 unlock_time=600

We can test the above by trying to log in as a user (any user other than root).

If we enter a wrong password more than 3 times, the account is 'locked'. Even if we then enter the correct password, we won't be able to log in as that user for 600 seconds.

We can use the following command to see the currently locked users

pam_tally2

Login        Failures    Latest   failure    From
user1           5       02/16/23   09:21:44    192.168.1.1

To reset the failures and unlock the account

pam_tally2 -u user1 --reset=0

pam_access

Add the following line just under all of the auth lines

account    required     pam_access.so

Now we can go to the .conf file for access

vi /etc/security/access.conf

This file contains several commented examples showing how to write access rules.

I have added the following at the end

-:user1:ALL

This denies user1 access from all sources.

So now if we try to log in as user1, the login should be rejected and we get kicked out.


pam_pwquality

In the system-auth config file

vi /etc/pam.d/system-auth

# At line 15
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=

We can append minlen=12 to that line and then try to set the password for user2 to

12#$qwER

But the above is only 8 characters, not 12. That is true; however, because I used a combination of digits, upper- and lower-case letters, and symbols, pam_pwquality adds a credit for each character class present.

There are 4 character classes in the password above, so the effective length becomes

8 + 4 = 12

We can also tune the credits with the following options (a positive value is the maximum credit that class can add to the length; a negative value instead sets the minimum number of characters of that class the password must contain)

  • ucredit: credit for uppercase letters in user passwords
  • lcredit: credit for lowercase letters in user passwords
  • dcredit: credit for digits (numbers) in user passwords
  • ocredit: credit for other (non-alphanumeric) characters in user passwords
