我在每个策略登录3次失败后使用 pam_tally2来锁定帐户,但是,连接用户没有收到指示pam_tally2的操作的错误. (通过SSH.)

我希望在第4次尝试时看到：

Account locked due to 3 Failed logins

没有必要或必需的组合或文件中的顺序似乎有帮助.这是在Red Hat 6下,我使用的是/etc/pam.d/password-auth.锁定确实按预期工作,但用户没有收到上述错误.这会引起很多混乱和挫折,因为当他们确定使用正确的密码时,他们无法知道身份验证失败的原因.

实施遵循美国国家安全局的Guide to the Secure Conguration of Red Hat Enterprise Linux 5.(第45页)这是我的理解,那只有changed in PAM is that /etc/pam.d/sshd now includes /etc/pam.d/password-auth instead of system-auth.

If locking out accounts after a number of incorrect login attempts is required by your security policy,implement use of pam_tally2.so.

To enforce password lockout,add the following to /etc/pam.d/system-auth. First,add to the top of the auth lines:

06001

Second,add to the top of the account lines:

06002

编辑：

我通过在其中一次登录尝试期间重置pam_tally2来获取错误消息.

user@localhost's password: (bad password)
Permission denied,please try again.
user@localhost's password: (bad password)
Permission denied,please try again.

(从另一个shell重置pam_tally2)

user@localhost's password: (good password)
Account locked due to ...
Account locked due to ...
Last login: ...
[user@localhost ~]$