Ubuntu – Account lockout in Ubuntu

authenticationldappamUbuntu

I am trying to implement account lockout for Ubuntu systems using pam_tally. The login should be disabled for certain interval on 3 invalid login attempts. This should happen for both system and LDAP logins to the system.

(We have a working LDAP central authentication system where users from Ubuntu clients can authenticate)

How can we configure this ? I could see some articles on this for redhat but not ubuntu

Best Answer

If you have pam_tally configured already, you just need to add it to your /etc/pam.d/common-auth directory. Failed logins from LDAP should appear--to PAM--as the same as failed logins against your local machine. So just make sure you get the ordering correct:

auth        required      /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
account     required      /lib/security/$ISA/pam_tally.so per_user deny=5 no_magic_root reset

(Adapt paths as necessary)

(source)

Related Solutions

Ubuntu – Restricting account logins using LDAP and PAM

PAM has the ability to restrict access based on an access control list (at least on Ubuntu) which, like kubanskamac's answer (+1) regards the groups as posix groups, whether they're stored in LDAP, /etc/group or NIS.

/etc/security/access.conf is the access list file. In my file, I put at the end:

-:ALL EXCEPT root sysadmin (ssh-users):ALL

This denies everyone except root, sysadmin and in the group ssh-users (which is in LDAP) wherever they login from (the second ALL).

Then in my PAM account file (this IS an account module), I add at the very end:

account required pam_access.so

which tells PAM to use this file. It works a treat :-)

Ubuntu – Is it necessary to synchronize users between Ubuntu client and ldap

You should have an entry in nsswitch.conf using the ldap module for passwd. A user's passwd entry is unassociated with their authentication mechanism; it's just handy to keep them both in LDAP if that's a good solution for you.

passwd:      db ldap files

is a good entry.

You'll also need to make sure that your /etc/ldap.conf file is properly configured, although the defaults (except the base and host of course ;)) might work just fine. And lastly, ensure that the ldap nss module is installed.

Best Answer

Related Solutions

Ubuntu – Restricting account logins using LDAP and PAM

Ubuntu – Is it necessary to synchronize users between Ubuntu client and ldap

Related Topic