摩托學園討論區

由 **yenjinc** » 週一 11月 13, 2006 8:25 pm

If you wanted to lock out users who failed at entering their passwords correctly after 『three』 attempts, you could use the pam_tally module in the 『/etc/pam.d/common-auth』 configuration file by adding two lines like this:

代碼: 選擇全部: auth required pam_tally.so no_magic_root account required pam_tally.so deny=3 no_magic_root

Then you need to create 『/var/log/faillog』 and set it to read/write only by root:

代碼: 選擇全部: # touch /var/log/faillog # chmod 600 /var/log/faillog

You can type 『pam_tally --help』 as root to learn about its usage.
To reset the tally for a user and unlock his account, type 『pam_tally --user username --reset』.

Examples:

代碼: 選擇全部: cyj@PBG4:~$ cat /etc/pam.d/common-auth # auth required pam_unix.so nullok_secure auth required pam_tally.so no_magic_root account required pam_tally.so deny=1 no_magic_root

代碼: 選擇全部: Debian GNU/Linux 3.1 PBG4 tty1 PBG4 login: cyj Password: Login incorrect PBG4 login: cyj Password: Login incorrect PBG4 login: cyj Password: Authentication failure

代碼: 選擇全部: Debian GNU/Linux 3.1 PBG4 tty1 PBG4 login: root Password: PBG4:~# pam_tally --user cyj User cyj (1000) has 3 PBG4:~# pam_tally --user cyj --reset=0 User cyj (1000) had 3 PBG4:~# pam_tally --user cyj User cyj (1000) has 0 PBG4:~#

代碼: 選擇全部: Debian GNU/Linux 3.1 PBG4 tty1 PBG4 login: cyj Password: cyj@PBG4:~$

See Also:
http://www.kernel.org/pub/linux/libs/pa ... -PAM-html/
http://www.kernel.org/pub/linux/libs/pa ... tally.html

由阿信 » 週二 11月 14, 2006 8:55 am

感謝分享，這一篇相當有用 :finger1:

摩托學園討論區

[簡易使用] pam_tally - login counter (tallying) module

[簡易使用] pam_tally - login counter (tallying) module

誰在線上