Pam_tally2 not resetting failures on success

I'm using OpenVPN in combination with PAM for user auth via username/password. I have created a customised PAM file as follows:

auth required pam_unix.so shadow nodelay
auth requisite pam_succeed_if.so user ingroup vpn
auth required pam_tally2.so deny=5 lock_time=5 unlock_time=1800 even_deny_root
account required pam_unix.so

The PAM module correctly identifies users and authenticates them, allowing only VPN users to connect to the virtual network. The issue is that even though the users manage to successfully connect to the VPN, the tally counter keeps going up instead of resetting to 0 (found out with the help of the pam_tally2 command).

The auth.log doesn't log anything suspicious:

pam_succeed_if(openvpn:auth): requirement "user ingroup vpn" was met by user "test_user"
pam_succeed_if(openvpn:auth): requirement "user ingroup vpn" was met by user "test_user"
pam_succeed_if(openvpn:auth): requirement "user ingroup vpn" was met by user "test_user"
pam_succeed_if(openvpn:auth): requirement "user ingroup vpn" was met by user "test_user"

Working on Debian GNU/Linux 7 (wheezy).

Did I miss something? Is there a way to force resetting the tally counter?

vrwolf asked Apr 07 '15 12:04

2 Answers

It seems I was required to add the following line:

account required pam_tally2.so

Just a side note: negative votes without explanations are the worst. It was obvious that I'd written my configuration wrong; there was no need to downvote me for this unless someone had been kind enough to point out my mistake.

vrwolf answered Oct 15 '22 16:10


Ubuntu 16.04

Expected behavior - Three consecutive login failures will cause the system to lockout the ID. After 30 seconds, the ID is automatically unlocked.

Edit the /etc/pam.d/common-account file. Add the following line as the first executable line.

account required pam_tally2.so

Edit the /etc/pam.d/common-auth file. Add the following line (without) as the first executable line.

auth required pam_tally2.so deny=3 unlock_time=30

Edit the /etc/ssh/sshd_config file. Ensure the following name-value pairs are uncommented/set accordingly.

UsePAM yes
ChallengeResponseAuthentication yes
user9489294 answered Oct 15 '22 16:10
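Both answers come down to the same rule: pam_tally2 counts failures in the auth phase, but only its account-phase entry resets the tally after a successful login. The following audit script is an added example (not from the question or either answer) that flags a PAM service file, or a set of split files such as Ubuntu's common-auth and common-account, where pam_tally2 appears in auth but not in account. The sample service files it checks are constructed from the question and the accepted answer.

```sh
#!/bin/sh
# Added example: audit PAM configuration for a pam_tally2 auth entry that has
# no account-phase entry to reset the tally after a successful login.
# The sample files below are constructed for this demo.

# has_pam_tally2_line PHASE FILE...
# Succeeds if any FILE has an uncommented line of module type PHASE
# (auth or account, optionally prefixed with "-") that loads pam_tally2.so.
has_pam_tally2_line() {
    phase="$1"; shift
    grep -Eq "^[[:space:]]*-?${phase}[[:space:]]+[^#]*pam_tally2\.so" "$@"
}

# check_pam_tally2_reset FILE...
# Returns 0 when the given files are consistent (pam_tally2 absent from auth,
# or present in both auth and account), 1 when auth counts failures but no
# account entry ever resets the counter. Pass several files for split
# layouts such as Ubuntu's common-auth and common-account.
check_pam_tally2_reset() {
    if has_pam_tally2_line auth "$@" && ! has_pam_tally2_line account "$@"; then
        echo "pam_tally2 in auth without an account entry: tally never resets ($*)" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the questioner's original service file.
BROKEN_PAM=$(mktemp)
cat > "$BROKEN_PAM" <<'EOF'
auth required pam_unix.so shadow nodelay
auth requisite pam_succeed_if.so user ingroup vpn
auth required pam_tally2.so deny=5 lock_time=5 unlock_time=1800 even_deny_root
account required pam_unix.so
EOF

# Constructed sample: the same file with the account line from the accepted answer.
FIXED_PAM=$(mktemp)
cat > "$FIXED_PAM" <<'EOF'
auth required pam_unix.so shadow nodelay
auth requisite pam_succeed_if.so user ingroup vpn
auth required pam_tally2.so deny=5 lock_time=5 unlock_time=1800 even_deny_root
account required pam_tally2.so
account required pam_unix.so
EOF
trap 'rm -f "$BROKEN_PAM" "$FIXED_PAM"' EXIT

for f in "$BROKEN_PAM" "$FIXED_PAM"; do
    check_pam_tally2_reset "$f" && echo "$f: ok"
done
```

On a live system, run it against /etc/pam.d/<service> (or common-auth together with common-account) before relying on pam_tally2 output to judge whether the counter is behaving.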