From: Khachatur Shahinyan
Date: Tue, 16 Sep 2008 11:30:48 +0500
To: freebsd-security@freebsd.org
Subject: Re: Freebsd auto locking users
Message-ID: <48CF5298.9020601@arca.am>
In-Reply-To: <20080914065041.3600784c.trhodes@FreeBSD.org>

Yes, pam_abl is the correct PAM module to solve this problem.
After reading its manual I was able to lock users and log the authentication failures. Thank you for the help. But the password expiration and warning issues are still open.

Thank you,
Khachatur Shahinyan

Tom Rhodes wrote:
> On Sat, 13 Sep 2008 15:26:10 +0500
> Khachatur Shahinyan wrote:
>
>> Tom Rhodes wrote:
>>
>>> On Sat, 13 Sep 2008 11:35:21 +0500
>>> Khachatur Shahinyan wrote:
>>>
>>>> Tom Rhodes wrote:
>>>>
>>>>> On Sat, 13 Sep 2008 10:42:06 +0500
>>>>> Khachatur Shahinyan wrote:
>>>>>
>>>>>> Dear FreeBSD gurus, I have a problem concerning user password and
>>>>>> authentication policies. The goal is
>>>>>> 1) make FreeBSD lock users after 3 unsuccessful login attempts,
>>>>>> 2) force users to change their passwords every 90 days
>>>>>>
>>>>>> I've done such changes in Linux distros, with various PAM modules. But in
>>>>>> FreeBSD it seems that I need to use the login.conf file. Here I made the
>>>>>> necessary changes in that file:
>>>>>>
>>>>>> default:\
>>>>>> .............
>>>>>> .............
>>>>>> .............
>>>>>> :login-retries=1:\
>>>>>> :passwordtime=90d:\
>>>>>> :warnpassword=7d:\
>>>>>> :warnexpire=7d:\
>>>>>>
>>>>>> Then I ran cap_mkdb /etc/login.conf, and everything went normally,
>>>>>> no error messages, but after adding a test user I see no changes in the
>>>>>> master.passwd file.
>>>>>> The fields which are reserved for password aging parameters are 0:0
>>>>>> test:$1$F9yf.PuK$xqIsGEgK3MexpPZ4UBav0.:1001:1001::0:0:User &:/home/test:/bin/sh
>>>>>>
>>>>>> And the locking point does not work either, e.g. no matter how many
>>>>>> times I input a wrong password, I'm still able to login. :(
>>>>>> I cannot understand what I'm doing wrong, and what should be done to solve
>>>>>> these issues. I'm not an expert in FreeBSD administration, so any comments
>>>>>> and suggestions are welcome.
>>>>>>
>>>>> You should be able to set these via the pw(8) utility.
>>>>>
>>>> Thank you for the fast reply.
>>>>
>>>> Yes, some settings can be done via "pw", but it does not support auto
>>>> locking.
>>>>
>>> I'm about to be going to bed soon, but how did you accomplish
>>> this in Linux? We have PAM configuration in /etc/pam.d, you
>>> may wish to look there.
>>>
>> We have a few Redhat Linux machines, and solved this problem with faillog
>> (http://linux.die.net/man/8/faillog) and pam_tally
>> (http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_tally.html).
>> It took over 30 minutes to fully configure the system. But in the case of
>> FreeBSD, it does not seem to be that easy :)
>>
> Someone mentioned this port:
>
> security/pam_abl
>
> The description of this pam module is:
>
> localhost# cat /usr/ports/security/pam_abl/pkg-descr
> The pam_abl provides auto blacklisting of hosts and users
> responsible for repeated failed authentication attempts.
>
> WWW: http://www.hexten.net/pam_abl/
>
> Which sounds interesting and most likely does what you want.
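As an added example, not part of the thread or of FreeBSD itself: a POSIX sh audit of the master.passwd(5) fields the original message quotes. The sixth field is the epoch time after which the password must be changed and the seventh is the account expiry time; 0 in either means no aging is enforced, which is the "0:0" the poster saw. The sample file is constructed and its hashes are placeholders.

```shell
#!/bin/sh
# Audit a master.passwd(5) file for accounts with no password aging.
# Field layout (colon separated):
#   1 name   2 password  3 uid  4 gid  5 class  6 change  7 expire
#   8 gecos  9 home      10 shell
# Constructed sample data, not from a real system; hashes are placeholders.
MASTER_PASSWD=$(mktemp)
cat > "$MASTER_PASSWD" <<'EOF'
root:*:0:0::0:0:Charlie &:/root:/bin/csh
test:$1$PLACEHOLDER:1001:1001::0:0:User &:/home/test:/bin/sh
ops:$1$PLACEHOLDER:1002:1002:staff:1229000000:0:Ops &:/home/ops:/bin/sh
EOF

# Login names of non-system accounts (uid >= 1000) that have a usable
# password (field 2 not '*' or empty) but no forced change date (field 6 == 0).
accounts_without_password_aging() {
    awk -F: '$3 >= 1000 && $2 != "*" && $2 != "" && $6 == 0 { print $1 }' "$1"
}

# Accounts that do have a change date whose deadline falls within the next
# $2 days. "now" is passed explicitly as an epoch in $3 so the check is
# reproducible; on a live system use $(date +%s).
accounts_due_within_days() {
    awk -F: -v days="$2" -v now="$3" \
        '$6 > 0 && $6 - now <= days * 86400 { print $1 }' "$1"
}

accounts_without_password_aging "$MASTER_PASSWD"       # test
accounts_due_within_days "$MASTER_PASSWD" 7 1228500000  # ops
```

Run against /etc/master.passwd (as root) to find accounts that a passwordtime policy never reached, since that field is only written when a password is set or changed after the policy is in place.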