I'm new to CentOS (and to this forum) and have a few rather general questions about pam.d and pam_faillock.so and at the same time want to share my experience with enabling the latter.
(I guess that this should go without saying, but use the configuration below at your own risk. Be aware that you could lock yourself out of your own system by manipulating the files mentioned below.)
To begin with, I tried to enable pam_faillock.so on a new CentOS 7 installation according to the RHEL 7 Security Guide (see 4.1.3 Locking User Accounts After Failed Login Attempts), but that particular part of the mentioned manual seems to contain so many errors that I considered writing to Red Hat about it (I am aware that CentOS is not RHEL). I'm just looking for another opinion on this ...
It begins with the creation of symbolic links to ensure that running authconfig does not break the configuration of pam_faillock.so. The manual says you should create the following symbolic links ...
Code:
ln -s /etc/pam.d/system-auth /etc/pam.d/system-auth-local
ln -s /etc/pam.d/password-auth /etc/pam.d/password-auth-local
Code:
unlink /etc/pam.d/system-auth && ln -s /etc/pam.d/system-auth-local /etc/pam.d/system-auth
unlink /etc/pam.d/password-auth && ln -s /etc/pam.d/password-auth-local /etc/pam.d/password-auth
Code:
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth include system-auth-ac
auth [default=die] pam_faillock.so authfail silent audit deny=3 unlock_time=600
account required pam_faillock.so
account include system-auth-ac
password include system-auth-ac
session include system-auth-ac
(I added even_deny_root and shortened the unlock time to one minute, as I basically see this as a way to block potential brute-force attacks.)
Code:
auth requisite pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=60
auth include system-auth-ac
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=60
account required pam_faillock.so
account include system-auth-ac
password include system-auth-ac
session include system-auth-ac
(Those sections are actually identical in the default configuration of both files, but I guess that it should include the correct corresponding file nevertheless, meaning password-auth-ac in the case of password-auth-local.)
Three more questions:
Isn't it a security issue that "pam_unix.so nullok" (enable empty passwords) is enabled by default in system-auth and password-auth?
What is the point of "auth requisite pam_succeed_if.so uid >= 1000 quiet_success" (I do understand what this does, but I'm curious why it's needed)?
And doesn't this make the last line "auth required pam_deny.so" redundant?
Best Regards,
rene
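The symlink and -local file setup described in the post above, as an added example that is not part of rene's post, the RHEL guide, or the CentOS project. It assumes the stock CentOS 7 layout where authconfig writes system-auth-ac and password-auth-ac and where system-auth and password-auth are symlinks into /etc/pam.d. The deny=3 / unlock_time=60 / even_deny_root values are taken from the post; the FAILLOCK_APPLY interlock, the PAM_DIR override, the relative symlink target, and the check_stack verification are my own choices. The -local file is written as a regular file (not a symlink), and each -local file includes its own -ac file, so password-auth-local includes password-auth-ac.

```shell
#!/bin/bash
# Added example (not from the original post or the RHEL guide).
# Sets up pam_faillock through *-local files so that a later authconfig run,
# which rewrites only the *-ac files, does not remove the lockout lines.
# Assumed layout: $PAM_DIR/{system-auth,password-auth}-ac written by authconfig.
# Assumed settings (taken from the post): deny=3, unlock_time=60, even_deny_root.
# Safety interlock (my own addition): nothing is changed unless FAILLOCK_APPLY=1.
# Needs GNU coreutils (readlink -f, ln -sfn).
set -e

FAILLOCK_ARGS="audit deny=3 even_deny_root unlock_time=60"

# Write $dir/<stack>-local as a regular file that wraps <stack>-ac with pam_faillock.
# It is deliberately a file and not a symlink: a <stack>-local that links back to
# <stack> would turn <stack> -> <stack>-local -> <stack> into a loop.
write_local() {
  local dir="$1" stack="$2"
  local ac="${stack}-ac" local_file="$dir/${stack}-local"
  cat > "$local_file" <<EOF
auth        requisite     pam_faillock.so preauth $FAILLOCK_ARGS
auth        include       $ac
auth        [default=die] pam_faillock.so authfail $FAILLOCK_ARGS
account     required      pam_faillock.so
account     include       $ac
password    include       $ac
session     include       $ac
EOF
  chmod 0644 "$local_file"
}

# Point $dir/<stack> at <stack>-local (relative link, same directory), reporting
# the previous target so it can be restored by hand if something goes wrong.
repoint() {
  local dir="$1" stack="$2" link="$dir/$stack"
  if [ -L "$link" ]; then
    echo "$stack: previously -> $(readlink "$link")"
  fi
  ln -sfn "${stack}-local" "$link"
}

# Verify one stack: <stack> must be a symlink resolving to <stack>-local, which must
# be a regular file carrying a pam_faillock preauth line and including only its own
# <stack>-ac; <stack>-ac must exist. Non-zero exit with a message on any violation.
check_stack() {
  local dir="$1" stack="$2"
  local link="$dir/$stack" local_file="$dir/${stack}-local" ac="$dir/${stack}-ac"
  [ -L "$link" ] || { echo "$stack: not a symlink" >&2; return 1; }
  [ -f "$local_file" ] && [ ! -L "$local_file" ] ||
    { echo "${stack}-local: must be a regular file, not a symlink" >&2; return 1; }
  [ "$(readlink -f "$link")" = "$(readlink -f "$local_file")" ] ||
    { echo "$stack: does not resolve to ${stack}-local" >&2; return 1; }
  [ -f "$ac" ] || { echo "${stack}-ac: missing, run authconfig first" >&2; return 1; }
  grep -Eq '^[[:space:]]*auth[[:space:]]+[^[:space:]]+[[:space:]]+pam_faillock\.so[[:space:]]+preauth' "$local_file" ||
    { echo "${stack}-local: no pam_faillock preauth line" >&2; return 1; }
  # every include line must name this stack's own -ac file, never the other stack's
  if grep -E '^[[:space:]]*(auth|account|password|session)[[:space:]]+include[[:space:]]' "$local_file" |
     grep -Evq "[[:space:]]${stack}-ac[[:space:]]*$"; then
    echo "${stack}-local: an include line names a file other than ${stack}-ac" >&2
    return 1
  fi
}

# Preflight both stacks first (so nothing is half-done), then write and repoint.
enable_faillock() {
  local dir="$1" stack
  for stack in system-auth password-auth; do
    [ -f "$dir/${stack}-ac" ] || { echo "$dir/${stack}-ac missing" >&2; return 1; }
    if [ -e "$dir/$stack" ] && [ ! -L "$dir/$stack" ]; then
      echo "$dir/$stack is a regular file, not a symlink; not touching it" >&2
      return 1
    fi
  done
  for stack in system-auth password-auth; do
    write_local "$dir" "$stack"
    repoint "$dir" "$stack"
    check_stack "$dir" "$stack"
  done
}

# Dry by default: run with FAILLOCK_APPLY=1 (and optionally PAM_DIR) to change the real /etc/pam.d.
if [ "${FAILLOCK_APPLY:-0}" = "1" ]; then
  enable_faillock "${PAM_DIR:-/etc/pam.d}"
fi
```

Keep a second root shell open while applying this, then confirm the counter from another session with a few wrong passwords and `faillock --user <name>`; `faillock --user <name> --reset` clears it if you lock the wrong account. Running `check_stack /etc/pam.d system-auth` again after any later authconfig run tells you whether the links survived.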