inactive option not working for pam_lastlog.so
I'm trying to set up my system to lock out inactive users after 10 days. I'm using CentOS 6.x, and looking at the RHEL manual, this is what I found:
To lock out an account after 10 days of inactivity, add, as root,
the following line to the auth section of the /etc/pam.d/login file:
auth required pam_lastlog.so inactive=10
So, this is my /etc/pam.d/login:
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
auth required pam_lastlog.so inactive=10
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
-session optional pam_ck_connector.so
I log in through ssh as a user, and log out.
After that I set up the time 1 year in the future, as root logged in on TTY1:
# date --set "...."
# hwclock --systohc
I even reboot the VM, but still, when it gets back, I'm able to log in as user through ssh.
Any ideas what I am doing wrong here?
linux pam pci-dss
asked Aug 25 '15 at 23:58 by Jakov Sosic
1 Answer
"I even reboot the VM, but still, when it gets back, I'm able to log in as user through ssh."
Apples and oranges. You're editing the login file, but you're performing tests against sshd. The sshd daemon calls the PAM library directly with a service name of sshd, thus the identically named file is used.
In the event that you were not aware that the login file maps to authentication attempts by an actual command named login (which is invoked by your getty), man login is recommended reading material.
answered Aug 26 '15 at 8:17 by Andrew B
Then the documentation is not correct. I've moved the line from /etc/pam.d/login to /etc/pam.d/password-auth, which is included at the top of the login file, and now it works for SSHD, but it doesn't work for console logins. Do I need to have it in two places, although login clearly states 'include system-auth'?
– Jakov Sosic, Aug 26 '15 at 16:10
Please edit your question to include the up-to-date contents of login, sshd, and system-auth.
– Andrew B, Aug 26 '15 at 17:14
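To make the answer's point checkable, here is an added example (not code from the question or the answer): a POSIX sh script that flattens a service's PAM stack by following include/substack the way libpam does, so you can see which file sshd and login each actually consult and whether the pam_lastlog line is reached on each path. The /etc/pam.d tree it builds is a constructed sample that mirrors the thread, and the function names are my own.

```shell
#!/bin/sh
# Flatten a PAM service's stack the way libpam does (following include/substack)
# and check whether pam_lastlog's inactive= option is reached. PAMDIR holds a
# constructed sample tree for the demo; point it at a real /etc/pam.d to audit a host.
set -uf                                  # -f: keep "[...]" control fields unglobbed
PAMDIR="${PAMDIR:-$(mktemp -d)}"
setup_demo() {                           # constructed files mirroring the question
    printf '%s\n' 'auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so' \
        'auth include system-auth' 'auth required pam_lastlog.so inactive=10' \
        'account include system-auth' 'session include system-auth' > "$PAMDIR/login"
    printf '%s\n' 'auth required pam_sepermit.so' 'auth include password-auth' \
        'account include password-auth' 'session include password-auth' > "$PAMDIR/sshd"
    for f in system-auth password-auth; do
        printf '%s\n' 'auth required pam_env.so' 'auth sufficient pam_unix.so nullok try_first_pass' \
            'auth required pam_deny.so' 'account required pam_unix.so' > "$PAMDIR/$f"
    done
}
# What the asker tried next: move the line out of login into password-auth only.
move_to_password_auth() {
    grep -v pam_lastlog "$PAMDIR/login" > "$PAMDIR/login.new" && mv "$PAMDIR/login.new" "$PAMDIR/login"
    echo 'auth required pam_lastlog.so inactive=10' >> "$PAMDIR/password-auth"
}
# pam_stack SERVICE TYPE [DEPTH]: print each effective line of management group TYPE
# for SERVICE, tagged with its source file, in libpam evaluation order (a successful
# "sufficient" earlier in this order ends the stack). Subshell body: recursion-safe.
pam_stack() (
    svc=$1 want=$2 depth=${3:-0}
    [ "$depth" -lt 8 ] || { echo "include loop at $svc" >&2; exit 1; }
    [ -r "$PAMDIR/$svc" ] || exit 0
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac
        set -- $line
        [ $# -ge 3 ] || continue
        type=${1#-}; shift               # "-session" marks a silently optional module
        control=$1; shift
        while [ $# -gt 1 ]; do           # rejoin a multi-word "[action=value ...]" control
            case $control in \[*\]) break ;; \[*) control="$control $1"; shift ;; *) break ;; esac
        done
        [ "$type" = "$want" ] || continue
        case $control in
            include|substack) pam_stack "$1" "$want" $((depth + 1)) ;;
            *) echo "$svc: $line" ;;
        esac
    done < "$PAMDIR/$svc"
)
# has_inactive_lockout SERVICE: success iff the auth stack of SERVICE reaches pam_lastlog inactive=
has_inactive_lockout() { pam_stack "$1" auth | grep -q 'pam_lastlog\.so.*inactive='; }
# report: one verdict per login path; sshd consults /etc/pam.d/sshd, never login
report() { for s in login sshd; do
    if has_inactive_lockout "$s"; then echo "$s: ENFORCED"; else echo "$s: MISSING"; fi; done; }
setup_demo;            report    # login: ENFORCED  sshd: MISSING  (the question)
move_to_password_auth; report    # sshd: ENFORCED   login: MISSING (the follow-up comment)
```

Run it against a real host with `PAMDIR=/etc/pam.d` and the `report` loop extended to every service that is a login path (gdm, su, sudo, ...).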