RHEL4.8 no notification on PAM lockout

Good day. I have set up password hardening (test system so far) prior to doing any work on production. Here is what I have set.

Snippet from /etc/pam.d/system-auth

auth        required      /lib/security/$ISA/pam_env.so
auth        required      /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
account     required      /lib/security/$ISA/pam_unix.so
account     required      /lib/security/$ISA/pam_tally.so per_user deny=3 reset no_magic_root

The system is auto-locking the accounts as requested. However, it is giving no notifications to the client. This is happening for console, ssh, and xorg logins.

I attempted to fix up sshd by modifying these settings in /etc/ssh/sshd_config:

PasswordAuthentication no
ChallengeResponseAuthentication yes

Then restarting the sshd daemon with:
service sshd restart

No difference.
Any suggestions?

Suggestions on what? How to get pam_tally to notify users when they are locked out? Notify how?

There is no support within PAM for notifying users when they are locked out by pam_tally or pam_tally2.

Why would you want to inform them when people are locked out? Giving any information to someone trying to break in is a bad idea. They would know to move their attempts to a different account -- and would know to stop wasting their time on the locked-out one. And maybe even realize that you had handed everyone in the world the ability to lock out other people's accounts whenever they pleased. (i.e. why I feel lockouts are a terrible idea in general).

1 Like

Good point. I'll close out the thread then, as it is working as expected.
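Since the lockout is silent for the user, the administrator is the one who has to notice it. The following is an added example, not part of the thread: it lists accounts whose tally exceeds `deny` and flags short windows in which several different accounts were locked, the situation the reply above warns about. The log message layout, the sample lines, and the window and account thresholds are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines. The message layout
# "user NAME (UID) tally N, deny M" is an assumption about what pam_tally
# logs; adjust LINE_RE to match the real /var/log/secure on your system.
SAMPLE_LOG = """\
Mar  3 10:15:02 testbox pam_tally[4101]: user alice (501) tally 4, deny 3
Mar  3 10:15:40 testbox sshd[4102]: Accepted password for carol from 192.0.2.10 port 4022 ssh2
Mar  3 10:16:11 testbox pam_tally[4107]: user bob (502) tally 4, deny 3
Mar  3 10:16:30 testbox pam_tally[4110]: user alice (501) tally 5, deny 3
Mar  3 10:17:05 testbox pam_tally[4115]: user dave (503) tally 4, deny 3
Mar  3 14:02:44 testbox pam_tally[4290]: user erin (504) tally 4, deny 3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\spam_tally\[\d+\]:\s"
    r"user (?P<user>\S+) \((?P<uid>\d+)\) tally (?P<tally>\d+), deny (?P<deny>\d+)")

def parse_lockouts(text, year=2010):
    """Return (timestamp, user, tally) for lines where tally exceeds deny.
    Syslog lines carry no year, so the caller supplies one (assumed here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and int(m["tally"]) > int(m["deny"]):
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], int(m["tally"])))
    return events

def locked_accounts(events):
    """Map each locked user to the highest tally seen for that user."""
    worst = {}
    for _, user, tally in events:
        worst[user] = max(tally, worst.get(user, 0))
    return worst

def lockout_bursts(events, window=timedelta(minutes=5), min_accounts=3):
    """Report windows in which min_accounts or more distinct users were locked."""
    events = sorted(events)
    bursts, covered_until = [], None
    for i, (start, _, _) in enumerate(events):
        if covered_until and start <= covered_until:
            continue  # already inside a reported burst
        users = {u for ts, u, _ in events[i:] if ts - start <= window}
        if len(users) >= min_accounts:
            bursts.append((start, sorted(users)))
            covered_until = start + window
    return bursts
```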