Re: pam_tally2 with sshd
Hi.
On Tue, 23 Feb 2016 14:52:59 -0600
Nicholas Geovanis <nickgeovanis@gmail.com> wrote:
> Debian 8 jessie.
> The goal is to block SSH logins with multiple incorrect password tries.
> I've added these lines to my /etc/pam.d/sshd file:
>
> auth optional pam_echo.so Before sshd pam_tally
> auth required pam_tally2.so file=/var/log/tallylog deny=3 audit onerr=fail
> auth optional pam_echo.so After sshd pam_tally
>
> I receive the pam_echo lines OK. But no matter what, failed passwords never
> increment the pam_tally2 failure count. "UsePAM yes" is specified in
> /etc/ssh/sshd_config. This must be the wrong location for pam_tally2.so but
> experiments haven't helped me find the right location. Has someone a
> working configuration they would share? Many thanks....Nick
A typical run-of-the-mill Jessie system here.
I just put your pam_tally2 configuration (I skipped pam_echo though)
into /etc/pam.d/sshd *before* the '@include common-auth' line.
Created /var/log/tallylog file.
Tested it with 'ssh -o PreferredAuthentications=password <host>'.
Everything worked as expected - i.e. the PAM module
filled /var/log/tallylog with its own blob, and /sbin/pam_tally2 shows
failed login counter increments.
Reco
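
A small checker for the placement the reply reports as working (the pam_tally2 auth line before '@include common-auth'), as an added example that is not part of either post. The sample file contents are constructed and the function names are hypothetical.

```python
PAM_TYPES = {"auth", "account", "password", "session"}

# Constructed sample service files (not copied from a real host).
TALLY = "auth required pam_tally2.so file=/var/log/tallylog deny=3 audit onerr=fail"
BEFORE = "\n".join(["# sshd PAM stack", TALLY, "@include common-auth",
                    "account required pam_nologin.so"])
AFTER = "\n".join(["# sshd PAM stack", "@include common-auth", TALLY,
                   "account required pam_nologin.so"])
WRAPPED = "\n".join(["auth required pam_tally2.so deny=3 audit", "onerr=fail",
                     "@include common-auth"])


def logical_lines(text):
    """Return (lineno, tokens) per rule, joining backslash continuations."""
    out, buf, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        start = start or n
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        tokens = (buf + raw).split("#", 1)[0].split()  # drop comments
        if tokens:
            out.append((start, tokens))
        buf, start = "", 0
    return out


def check_tally_order(text, module="pam_tally2.so", include="common-auth"):
    """Return a list of findings; an empty list means the ordering looks right."""
    findings, tally_at, include_at = [], None, None
    for n, tok in logical_lines(text):
        kind = tok[0].lstrip("-")  # a leading '-' on the type is valid PAM syntax
        if tok[0] == "@include":
            if tok[1:] == [include] and include_at is None:
                include_at = n
        elif kind not in PAM_TYPES:
            findings.append(f"line {n}: '{tok[0]}' is not a PAM type (wrapped option?)")
        elif kind == "auth" and tally_at is None and any(t.endswith(module) for t in tok[1:]):
            tally_at = n
    if tally_at is None:
        findings.append(f"no auth entry for {module}")
    elif include_at is not None and tally_at > include_at:
        findings.append(f"line {tally_at}: {module} comes after "
                        f"'@include {include}' (line {include_at})")
    return findings
```

Run it against the text of /etc/pam.d/sshd, e.g. check_tally_order(open("/etc/pam.d/sshd").read()); findings are plain strings with the offending line number.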