[solved] pam_tally2 not locking with graphical login

Support for security such as Firewalls and securing linux
Post Reply
squishyduck
Posts: 2
Joined: 2020/03/23 17:24:19

[solved] pam_tally2 not locking with graphical login

Post by squishyduck » 2020/03/23 17:55:50

Hello. I am taking a Linux Security class in school, and we are using "Mastering Linux Security and Hardening" by Donald Tevault as our text. The book has us create a CentOS 7 VM to use for the labs, and instructs us to install with GNOME or KDE desktop environments. I installed with GNOME.

In chapter 2 of the book for one of the labs, it has us configure it to lock the user account after 5 failed login attempts by adding the following line to /etc/pam.d/login
auth required pam_tally2.so deny=4 even_deny_root unlock_time=1200

We are then try to login as one of the users we have created using bad passwords to initiate the account lock. We then login as our own user, and check for output using the following command

Code: Select all

sudo pam_tally2
I attempted to login with bad passwords in the graphical login screen, but after 4 attempts, it just puts me back to the screen with the list of users, and does not give me a message about the account being locked. I attempted the login 10 times, then logged in with my own account. Running the

Code: Select all

sudo pam_tally2
command did not provide any output.

I switched to tty2, and tried the experiment again from the console, and the account was successfully locked. I also was able to get output from the command and also unlock the account, so I was able to finish my lab for class.

But I don't understand why it wouldn't work with the graphical login. I thought maybe it was GDM, so I installed and enabled SDDM, but got the same result. Does anyone have any insight into why that would be? And if so, can you explain it to me? I was able to finish the lab for my class, but I really do enjoy learning everything I can about Linux, and my curiosity is burning.

Thank you for any help you can provide.
Last edited by squishyduck on 2020/03/23 23:18:46, edited 1 time in total.

chemal
Posts: 672
Joined: 2013/12/08 19:44:49

Re: pam_tally2 not locking with graphical login

Post by chemal » 2020/03/23 20:05:35

Code: Select all

$grep substack /etc/pam.d/*
/etc/pam.d/gdm-fingerprint:auth        substack      fingerprint-auth
/etc/pam.d/gdm-password:auth        substack      password-auth
/etc/pam.d/gdm-password:password    substack       password-auth
/etc/pam.d/gdm-pin:auth        substack      password-auth
/etc/pam.d/gdm-smartcard:auth        substack      smartcard-auth
/etc/pam.d/lightdm:auth       substack    system-auth
/etc/pam.d/login:auth       substack     system-auth
/etc/pam.d/passwd:password   substack   system-auth
/etc/pam.d/passwd:password   substack   postlogin
/etc/pam.d/remote:auth       substack     password-auth
/etc/pam.d/sshd:auth       substack     password-auth
/etc/pam.d/su:auth              substack        system-auth
 
Your additional line should go to both /etc/pam.d/system-auth and /etc/pam.d/password-auth. Then it should work for almost everything, because one of these files is used as a substack in the other configuration files.

squishyduck
Posts: 2
Joined: 2020/03/23 17:24:19

Re: pam_tally2 not locking with graphical login

Post by squishyduck » 2020/03/23 23:17:18

That worked! Awesome! Thank you so much for taking the time to reply. I really do appreciate it.

Post Reply

Return to “CentOS 7 - Security Support”