inactive option not working for pam_lastlog.soOur security auditor is an idiot. How do I give him the...

Why is the 'in' operator throwing an error with a string literal instead of logging false?

How can I fix/modify my tub/shower combo so the water comes out of the showerhead?

How could indestructible materials be used in power generation?

Anagram holiday

Why doesn't H₄O²⁺ exist?

Combinations of multiple lists

SSH "lag" in LAN on some machines, mixed distros

I Accidentally Deleted a Stock Terminal Theme

Alternative to sending password over mail?

What is the most common color to indicate the input-field is disabled?

Why is Collection not simply treated as Collection<?>

How can I tell someone that I want to be his or her friend?

What mechanic is there to disable a threat instead of killing it?

Emailing HOD to enhance faculty application

Should I tell management that I intend to leave due to bad software development practices?

Can a rocket refuel on Mars from water?

How to model explosives?

In a spin, are both wings stalled?

Why do I get two different answers for this counting problem?

How can I make my BBEG immortal short of making them a Lich or Vampire?

Why can't we play rap on piano?

What to put in ESTA if staying in US for a few days before going on to Canada

Can one be a co-translator of a book, if he does not know the language that the book is translated into?

Fully-Firstable Anagram Sets



inactive option not working for pam_lastlog.so


Our security auditor is an idiot. How do I give him the information he wants?Make user home directory at gdm loginLinux (Ubuntu vs CentOS) LDAP Client for 389-ds - password policyAccount lockout setting in Centos 6Red Hat 6.5 - Login Errors After Security Hardeningpam_mount not working when logging in from ssh or consoleRestoring login account blocked by inactivityCentOS 7 SSH and 2FA (ESET Secure Authentication)SSH Lockout after failed login attemptsx2go session hangs if logging in using PBIS Open (Likewise Open)






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}







1















I'm trying to set up my system to lock out inactive users after 10 days. I'm using CentOS 6.x, and looking at RHEL manual, this is what I found:



To lock out an account after 10 days of inactivity, add, as root,
the following line to the auth section of the /etc/pam.d/login file:
auth required pam_lastlog.so inactive=10


So, this is my /etc/pam.d/login :



#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
auth required pam_lastlog.so inactive=10
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
-session optional pam_ck_connector.so


I log in through ssh as a user, and log out.



After that I set up the time 1 year in the future, as root logged in on TTY1:



# date --set "...."
# hwclock --systohc


I even reboot the VM, but still, when it gets back, I'm able to log in as user through ssh.



Any ideas what am I doing wrong here?










share|improve this question














bumped to the homepage by Community 8 mins ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.






















    1















    I'm trying to set up my system to lock out inactive users after 10 days. I'm using CentOS 6.x, and looking at RHEL manual, this is what I found:



    To lock out an account after 10 days of inactivity, add, as root,
    the following line to the auth section of the /etc/pam.d/login file:
    auth required pam_lastlog.so inactive=10


    So, this is my /etc/pam.d/login :



    #%PAM-1.0
    auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
    auth include system-auth
    auth required pam_lastlog.so inactive=10
    account required pam_nologin.so
    account include system-auth
    password include system-auth
    # pam_selinux.so close should be the first session rule
    session required pam_selinux.so close
    session required pam_loginuid.so
    session optional pam_console.so
    # pam_selinux.so open should only be followed by sessions to be executed in the user context
    session required pam_selinux.so open
    session required pam_namespace.so
    session optional pam_keyinit.so force revoke
    session include system-auth
    -session optional pam_ck_connector.so


    I log in through ssh as a user, and log out.



    After that I set up the time 1 year in the future, as root logged in on TTY1:



    # date --set "...."
    # hwclock --systohc


    I even reboot the VM, but still, when it gets back, I'm able to log in as user through ssh.



    Any ideas what am I doing wrong here?










    share|improve this question














    bumped to the homepage by Community 8 mins ago


    This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.


















      1












      1








      1








      I'm trying to set up my system to lock out inactive users after 10 days. I'm using CentOS 6.x, and looking at RHEL manual, this is what I found:



      To lock out an account after 10 days of inactivity, add, as root,
      the following line to the auth section of the /etc/pam.d/login file:
      auth required pam_lastlog.so inactive=10


      So, this is my /etc/pam.d/login :



      #%PAM-1.0
      auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
      auth include system-auth
      auth required pam_lastlog.so inactive=10
      account required pam_nologin.so
      account include system-auth
      password include system-auth
      # pam_selinux.so close should be the first session rule
      session required pam_selinux.so close
      session required pam_loginuid.so
      session optional pam_console.so
      # pam_selinux.so open should only be followed by sessions to be executed in the user context
      session required pam_selinux.so open
      session required pam_namespace.so
      session optional pam_keyinit.so force revoke
      session include system-auth
      -session optional pam_ck_connector.so


      I log in through ssh as a user, and log out.



      After that I set up the time 1 year in the future, as root logged in on TTY1:



      # date --set "...."
      # hwclock --systohc


      I even reboot the VM, but still, when it gets back, I'm able to log in as user through ssh.



      Any ideas what am I doing wrong here?










      share|improve this question














      I'm trying to set up my system to lock out inactive users after 10 days. I'm using CentOS 6.x, and looking at RHEL manual, this is what I found:



      To lock out an account after 10 days of inactivity, add, as root,
      the following line to the auth section of the /etc/pam.d/login file:
      auth required pam_lastlog.so inactive=10


      So, this is my /etc/pam.d/login :



      #%PAM-1.0
      auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
      auth include system-auth
      auth required pam_lastlog.so inactive=10
      account required pam_nologin.so
      account include system-auth
      password include system-auth
      # pam_selinux.so close should be the first session rule
      session required pam_selinux.so close
      session required pam_loginuid.so
      session optional pam_console.so
      # pam_selinux.so open should only be followed by sessions to be executed in the user context
      session required pam_selinux.so open
      session required pam_namespace.so
      session optional pam_keyinit.so force revoke
      session include system-auth
      -session optional pam_ck_connector.so


      I log in through ssh as a user, and log out.



      After that I set up the time 1 year in the future, as root logged in on TTY1:



      # date --set "...."
      # hwclock --systohc


      I even reboot the VM, but still, when it gets back, I'm able to log in as user through ssh.



      Any ideas what am I doing wrong here?







      linux pam pci-dss






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Aug 25 '15 at 23:58









      Jakov SosicJakov Sosic

      4,25921627




      4,25921627





      bumped to the homepage by Community 8 mins ago


      This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.







      bumped to the homepage by Community 8 mins ago


      This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
























          1 Answer
          1






          active

          oldest

          votes


















          0















          I even reboot the VM, but still, when it gets back, I'm able to log in as user through ssh.




          Apples and oranges. You're editing the login file, but you're performing tests against sshd. The sshd daemon calls the PAM library directly with a service name of sshd, thus the identically named file is used.



          In the event that you were not aware that the login file maps to authentication attempts by an actual command named login (which is invoked by your getty), man login is recommended reading material.






          share|improve this answer
























          • Then, documentation is not correct. I've moved line from /etc/pam.d/login to /etc/pam.d/password-auth, which is included at top of the login file, and now it works for SSHD, but it doesn't work for console logins. Do I need to have it at two places, although login clearly states 'include system-auth'?

            – Jakov Sosic
            Aug 26 '15 at 16:10











          • Please edit your question to include the up to date contents of login, sshd, and system-auth.

            – Andrew B
            Aug 26 '15 at 17:14












          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "2"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f716795%2finactive-option-not-working-for-pam-lastlog-so%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          0















          I even reboot the VM, but still, when it gets back, I'm able to log in as user through ssh.




          Apples and oranges. You're editing the login file, but you're performing tests against sshd. The sshd daemon calls the PAM library directly with a service name of sshd, thus the identically named file is used.



          In the event that you were not aware that the login file maps to authentication attempts by an actual command named login (which is invoked by your getty), man login is recommended reading material.






          share|improve this answer
























          • Then, documentation is not correct. I've moved line from /etc/pam.d/login to /etc/pam.d/password-auth, which is included at top of the login file, and now it works for SSHD, but it doesn't work for console logins. Do I need to have it at two places, although login clearly states 'include system-auth'?

            – Jakov Sosic
            Aug 26 '15 at 16:10











          • Please edit your question to include the up to date contents of login, sshd, and system-auth.

            – Andrew B
            Aug 26 '15 at 17:14
















          0















          I even reboot the VM, but still, when it gets back, I'm able to log in as user through ssh.




          Apples and oranges. You're editing the login file, but you're performing tests against sshd. The sshd daemon calls the PAM library directly with a service name of sshd, thus the identically named file is used.



          In the event that you were not aware that the login file maps to authentication attempts by an actual command named login (which is invoked by your getty), man login is recommended reading material.






          share|improve this answer
























          • Then, documentation is not correct. I've moved line from /etc/pam.d/login to /etc/pam.d/password-auth, which is included at top of the login file, and now it works for SSHD, but it doesn't work for console logins. Do I need to have it at two places, although login clearly states 'include system-auth'?

            – Jakov Sosic
            Aug 26 '15 at 16:10











          • Please edit your question to include the up to date contents of login, sshd, and system-auth.

            – Andrew B
            Aug 26 '15 at 17:14














          0












          0








          0








          I even reboot the VM, but still, when it gets back, I'm able to log in as user through ssh.




          Apples and oranges. You're editing the login file, but you're performing tests against sshd. The sshd daemon calls the PAM library directly with a service name of sshd, thus the identically named file is used.



          In the event that you were not aware that the login file maps to authentication attempts by an actual command named login (which is invoked by your getty), man login is recommended reading material.






          share|improve this answer














          I even reboot the VM, but still, when it gets back, I'm able to log in as user through ssh.




          Apples and oranges. You're editing the login file, but you're performing tests against sshd. The sshd daemon calls the PAM library directly with a service name of sshd, thus the identically named file is used.



          In the event that you were not aware that the login file maps to authentication attempts by an actual command named login (which is invoked by your getty), man login is recommended reading material.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Aug 26 '15 at 8:17









          Andrew BAndrew B

          25.8k875118




          25.8k875118













          • Then, documentation is not correct. I've moved line from /etc/pam.d/login to /etc/pam.d/password-auth, which is included at top of the login file, and now it works for SSHD, but it doesn't work for console logins. Do I need to have it at two places, although login clearly states 'include system-auth'?

            – Jakov Sosic
            Aug 26 '15 at 16:10











          • Please edit your question to include the up to date contents of login, sshd, and system-auth.

            – Andrew B
            Aug 26 '15 at 17:14



















          • Then, documentation is not correct. I've moved line from /etc/pam.d/login to /etc/pam.d/password-auth, which is included at top of the login file, and now it works for SSHD, but it doesn't work for console logins. Do I need to have it at two places, although login clearly states 'include system-auth'?

            – Jakov Sosic
            Aug 26 '15 at 16:10











          • Please edit your question to include the up to date contents of login, sshd, and system-auth.

            – Andrew B
            Aug 26 '15 at 17:14

















          Then, documentation is not correct. I've moved line from /etc/pam.d/login to /etc/pam.d/password-auth, which is included at top of the login file, and now it works for SSHD, but it doesn't work for console logins. Do I need to have it at two places, although login clearly states 'include system-auth'?

          – Jakov Sosic
          Aug 26 '15 at 16:10





          Then, documentation is not correct. I've moved line from /etc/pam.d/login to /etc/pam.d/password-auth, which is included at top of the login file, and now it works for SSHD, but it doesn't work for console logins. Do I need to have it at two places, although login clearly states 'include system-auth'?

          – Jakov Sosic
          Aug 26 '15 at 16:10













          Please edit your question to include the up to date contents of login, sshd, and system-auth.

          – Andrew B
          Aug 26 '15 at 17:14





          Please edit your question to include the up to date contents of login, sshd, and system-auth.

          – Andrew B
          Aug 26 '15 at 17:14


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Server Fault!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f716795%2finactive-option-not-working-for-pam-lastlog-so%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Фонтен-ла-Гаярд Зміст Демографія | Економіка | Посилання |...

          Список ссавців Італії Природоохоронні статуси | Список |...

          Маріан Котлеба Зміст Життєпис | Політичні погляди |...