August 05, 2019
PAM is the standard module used by applications to delegate authentication to the Linux system credentials.
The steps involved in this type of auth are:
/etc/pam.d/ are checked; inside a configuration, other PAM modules may be defined.
The rules are specified as a space-separated token list in the format:
type control module-path module-args
type specifies the management group,
which can be one of:
control flag controls how the success or failure of a module
affects the overall authentication process:
module-path gives the file name of the library to be found in
/lib*/security, as either an absolute or a relative path.
module-args can be given to modify the PAM module behaviour.
Since many services authenticate through PAM, you can configure the specific authentication behavior of any of them;
check out what’s inside
Let’s choose the
sshd configuration file (this controls how PAM plugs into the SSH server).
Add auth required pam_tally2.so deny=4 onerr=fail near the top of the file (so it won’t get overridden),
and then add the tally module in the module section (
account required pam_tally2.so).
Now try failing some SSH logins;
once you’ve done that, you can check the error count with
pam_tally2 -u <user>.
And if you want to reset it, you can do so with
pam_tally2 -u <user> -r.
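A small checker for the two pam_tally2 lines above, as an added example that is not part of the original post: it parses rules in the type control module-path module-args format and reports when the auth line is missing, is not first, lacks a deny= limit, or when the account line is absent. The function names and both sample configurations are constructed for illustration, and the @include handling assumes Debian-style service files.

```python
import re

# type control module-path module-args; control may be "[value=action ...]"
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return (type, control, module, args) tuples for a PAM service file."""
    rules = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):  # Debian-style include of another file
            rules.append(("include", "", line.split()[1], {}))
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"not a PAM rule: {raw!r}")
        args = dict(a.partition("=")[::2] for a in m.group(4).split())
        module = m.group(3).rsplit("/", 1)[-1]  # accept absolute module paths
        rules.append((m.group(1).lstrip("-"), m.group(2), module, args))
    return rules

def audit_tally(text, module="pam_tally2.so"):
    """List problems with the lockout setup from the post; [] means it matches."""
    rules, findings = parse_pam(text), []
    # Conservative: any include ahead of the tally line may carry auth rules.
    stack = [r for r in rules if r[0] in ("auth", "include")]
    tally = [r for r in stack if r[0] == "auth" and r[2] == module]
    if not tally:
        findings.append(f"no auth rule for {module}")
    else:
        if stack[0] != tally[0]:
            findings.append(f"auth rule is not first: {stack[0][2]} precedes it")
        if not tally[0][3].get("deny", "").isdigit():
            findings.append("auth rule has no numeric deny= limit")
    if not any(r[0] == "account" and r[2] == module for r in rules):
        findings.append(f"no account rule for {module}")
    return findings

# Constructed samples, not taken from a real host.
WEAK = "@include common-auth\nauth required pam_tally2.so onerr=fail\n"
GOOD = """auth required pam_tally2.so deny=4 onerr=fail
@include common-auth
account required pam_tally2.so
"""

if __name__ == "__main__":
    print("WEAK:", audit_tally(WEAK), "| GOOD:", audit_tally(GOOD) or "OK")
```

Pass it the contents of the sshd service file under /etc/pam.d/ to check a real host.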
So next time you need to configure a specific authentication pattern…
Remember, PAM is your friend!
Francesco Calo developing on linux in La Spezia.
Just a programming journey.