Saturday, June 30, 2012

How to change PAM settings that have tightened in Oracle Linux 5.7



Starting with the first Exadata 11.2.3.1.X deployments, Oracle Linux has been upgraded to version 5.7, which uses a slightly different account-locking mechanism; put simply, "the PAM settings were tightened in OEL 5.7".


What does "PAM settings tightened in OEL 5.7" mean?
When you try to log in (even as root) with a wrong password, the root account is locked for 10 minutes (600 seconds) before you can try to log in again; in other words, connection retries must wait 10 minutes (600 seconds) between attempts.


How do we change that PAM / security settings in OEL 5.7?

In modern Linux distributions, the security mechanism governing SSH logins is the PAM service.
This service mainly uses one configuration file to set the wait time and the lockout threshold applied when too many incorrect login attempts are made:

/etc/pam.d/sshd


Basically one line is used to define these timeouts/lockouts:
auth required pam_tally2.so deny=5 onerr=fail lock_time=600


The values to note are:
auth required pam_tally2.so deny=5 onerr=fail lock_time=600

The value set in the "deny" parameter governs how many failed login attempts can be made on a user account before that account is locked. In this case it is set to 5 attempts.
The value set in "lock_time" governs how long (in seconds) one must wait before attempting to log in again. This value appears to be set much higher than in the past, which is a result of "hardening" the SSH login process to discourage attempts to "guess" the password.


Both values can be altered. Setting them as follows changes the behavior noted above:
auth required pam_tally2.so deny=3 onerr=fail lock_time=10
In this case, you would have only 3 attempts to log in with an account before that account is locked.
Also, the time you are forced to wait before attempting another login is reduced from 10 minutes (600 seconds) to 10 seconds.


After making changes to this file, the changes only become effective once the following command is issued by the "root" user (the SysV init command on OEL 5 is "service", not "services"):
# service sshd restart


- wdanyant -

