inactive option not working for pam_lastlog.so

















I'm trying to set up my system to lock out inactive users after 10 days. I'm using CentOS 6.x, and looking at the RHEL manual, this is what I found:



To lock out an account after 10 days of inactivity, add, as root,
the following line to the auth section of the /etc/pam.d/login file:
auth required pam_lastlog.so inactive=10


So, this is my /etc/pam.d/login:



#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
auth required pam_lastlog.so inactive=10
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
-session optional pam_ck_connector.so


I log in through ssh as a user, and log out.



After that I set up the time 1 year in the future, as root logged in on TTY1:



# date --set "...."
# hwclock --systohc


I even reboot the VM, but still, when it gets back, I'm able to log in as user through ssh.



Any ideas what I am doing wrong here?










Tags: linux pam pci-dss
















asked Aug 25 '15 at 23:58 by Jakov Sosic





























1 Answer















          I even reboot the VM, but still, when it gets back, I'm able to log in as user through ssh.




          Apples and oranges. You're editing the login file, but you're performing tests against sshd. The sshd daemon calls the PAM library directly with a service name of sshd, thus the identically named file is used.



          In the event that you were not aware that the login file maps to authentication attempts by an actual command named login (which is invoked by your getty), man login is recommended reading material.
















          answered Aug 26 '15 at 8:17 by Andrew B













          • Then, documentation is not correct. I've moved the line from /etc/pam.d/login to /etc/pam.d/password-auth, which is included at the top of the login file, and now it works for SSHD, but it doesn't work for console logins. Do I need to have it in two places, although login clearly states 'include system-auth'?

            – Jakov Sosic
            Aug 26 '15 at 16:10











          • Please edit your question to include the up-to-date contents of login, sshd, and system-auth.

            – Andrew B
            Aug 26 '15 at 17:14
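
One way to check which PAM services the inactive rule actually reaches, as an added example (not code from the question, the answer or the RHEL manual): it flattens each service's stack by following include and substack. It goes beyond the answer by also flagging a pam_lastlog.so line that sits after a module which ends the stack on success, following the include semantics described in pam.conf(5). The sample files, the su entry and the function names are constructed; a CentOS 6-style layout in which sshd includes password-auth is assumed.

```python
import re

# Constructed sample files (assumption: CentOS 6-style layout where login
# includes system-auth and sshd includes password-auth; "su" is illustrative).
COMMON_AUTH = """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so
"""
SAMPLE = {
    "login": """\
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
auth required pam_lastlog.so inactive=10
account required pam_nologin.so
""",
    "sshd": "auth required pam_sepermit.so\nauth include password-auth\n",
    "su": "auth sufficient pam_rootok.so\nauth include system-auth\n",
    "system-auth": COMMON_AUTH,
    "password-auth": "auth required pam_lastlog.so inactive=10\n" + COMMON_AUTH,
}

# type, control (keyword or [value=action ...]), module, arguments
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse(raw):
    """Split one pam.d line into its four fields; None for comments/blanks."""
    m = LINE.match(raw.split("#", 1)[0].strip())
    return m.groups() if m else None

def flatten(service, mgmt, read, in_substack=False, seen=()):
    """Yield (control, module, args, in_substack) in evaluation order."""
    if service in seen:  # guard against include loops
        return
    for raw in read(service).splitlines():
        fields = parse(raw)
        if not fields or fields[0] != mgmt:
            continue
        _, control, module, args = fields
        if control in ("include", "substack"):
            nested = in_substack or control == "substack"
            yield from flatten(module, mgmt, read, nested, seen + (service,))
        else:
            yield control, module, args, in_substack

def inactive_status(service, read):
    """Return 'enforced', 'shadowed' or 'missing' for pam_lastlog inactive=N."""
    status = "missing"
    for mgmt in ("auth", "account"):  # phases pam_lastlog(8) lists for inactive=
        stack_may_end = False
        for control, module, args, in_sub in flatten(service, mgmt, read):
            if module == "pam_lastlog.so" and re.search(r"\binactive=\d+", args):
                if not stack_may_end:
                    return "enforced"
                status = "shadowed"
            # Outside a substack a successful 'sufficient' module ends the stack.
            if not in_sub and (control == "sufficient" or "success=done" in control):
                stack_may_end = True
    return status

if __name__ == "__main__":
    for svc in ("login", "sshd", "su"):
        print(svc, inactive_status(svc, SAMPLE.__getitem__))
```

On a live host, pass a function that returns the text of /etc/pam.d/<service> in place of SAMPLE.__getitem__.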


















