usermin not updating failed login attempts

#1 Tue, 10/21/2008 - 20:00
visu100


We are using Usermin to change Linux & Samba passwords for users. The password changing function works fine. But when the user is initially logging in to change the password, if the user gives a wrong password, it is not getting saved on the backend Linux for failed logon. We have set a policy for the user not to allow more than 6 wrong password attempts, after which the user will have to be automatically locked, giving a proper error (for locking).

o/s - Redhat ES4 (2.6.9-55.ELsmp) webmin-1.210-1 usermin-1.360-1

/etc/pam.d/usermin :

    auth required pam_unix.so nullok
    auth required pam_tally.so deny=6
    account required pam_unix.so
    account required pam_tally.so
    session required pam_unix.so

I think the second login, pam_tally.so is not at all taking effect (checking) while logging in to the Usermin session. Even if the user/password is locked in the back end (in Linux), it is allowing the user to log in and change the password.

/etc/pam.d/system-auth :

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.

    auth required /lib/security/$ISA/pam_env.so
    auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
    auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
    auth required /lib/security/$ISA/pam_deny.so

    account required /lib/security/$ISA/pam_unix.so
    account required /lib/security/$ISA/pam_tally.so per_user deny=6 no_magic_root reset
    account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
    account required /lib/security/$ISA/pam_permit.so

    password requisite /lib/security/$ISA/pam_cracklib.so retry=3
    password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
    password required /lib/security/$ISA/pam_deny.so

    session required /lib/security/$ISA/pam_limits.so
    session required /lib/security/$ISA/pam_unix.so

Solution needed:

1) While the user is logging in, if he gives a wrong password for 6 attempts, it has to be properly logged in /var/log/faillog and the account locked after that.

2) If the user is locked, he should get a proper error on the logon screen while trying to log in, so that he can contact the system dept for further queries.

Please help me to get the above problem solved.

vis

Tue, 10/21/2008 - 21:16
Joe

Do you have the PAM Perl module installed on your system? If not, Webmin and Usermin will not use PAM for authentication, and thus all PAM provided rules are ignored.

--

Check out the forum guidelines!

Tue, 10/21/2008 - 21:49 (Reply to #2)
visu100

I have perl-Authen-PAM-0.16 installed as an rpm. How do I tell Webmin & Usermin to make use of it?

Tue, 10/21/2008 - 23:19 (Reply to #3)
Joe

It normally uses it by default, I think...but, it's in the Webmin and Usermin configuration pages. Click the "Authentication" icon, and enable it in the "Use PAM for Unix authentication, if available" field.

If that's already set, then I'm not sure. There's probably some coverage of it in the Webmin wiki. Yep:

http://doxfer.com/Webmin/WebminConfiguration#Configuring_authentication

Not much new though...

Also, I hope the Webmin version you've mentioned is a typo...1.210 is like two or three years old! Please run the latest version of both Webmin and Usermin.


Topic locked
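Added example (not posted by anyone in this thread): a small shell check that reports, for a PAM service file, whether pam_tally is present in the auth and account stacks and which of them carries deny=. This makes it easy to compare /etc/pam.d/usermin with system-auth from the first post. The function names are hypothetical, the sample input is constructed from the usermin stack quoted above, and has_authen_pam tests the module dependency described in the first reply.

```shell
#!/bin/sh
# Constructed sample: the /etc/pam.d/usermin stack quoted in the first post.
sample_usermin() {
cat <<'EOF'
#%PAM-1.0
auth     required pam_unix.so nullok
auth     required pam_tally.so deny=6
account  required pam_unix.so
account  required pam_tally.so
session  required pam_unix.so
EOF
}

# pam_tally_report (hypothetical helper): read a PAM service file on stdin and
# print one line per stack:  <type> tally=<yes|no> deny=<n|unset>
pam_tally_report() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            type = $1; sub(/^-/, "", type)       # leading "-" marks an optional module
            i = 2
            if ($i ~ /^\[/)                      # [value=action ...] may span several fields
                while (i <= NF && $i !~ /\]$/) i++
            mod = $(i + 1); sub(/.*\//, "", mod) # drop /lib/security/$ISA/ style paths
            if (mod != "pam_tally.so") next
            tally[type] = "yes"
            for (j = i + 2; j <= NF; j++)
                if ($j ~ /^deny=/) deny[type] = substr($j, 6)
        }
        END {
            n = split("auth account", want, " ")
            for (k = 1; k <= n; k++) {
                t = want[k]
                printf "%s tally=%s deny=%s\n", t, \
                    ((t in tally) ? "yes" : "no"), ((t in deny) ? deny[t] : "unset")
            }
        }'
}

# Succeeds only if Authen::PAM loads in the Perl found on PATH (assumed to be
# the Perl that runs Usermin); without it PAM rules are ignored, per the reply above.
has_authen_pam() { perl -MAuthen::PAM -e 1 2>/dev/null; }

sample_usermin | pam_tally_report
```

On a real host, run `pam_tally_report < /etc/pam.d/usermin` and `has_authen_pam && echo "Authen::PAM loads"`.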