jason-idk · February 1, 2018 03:47
diff --git a/pam_tally2.txt b/pam_tally2.txt
 Enabling pam_tally2 on RHEL/CentOS 6:

 It is important to understand that if you place the pam_tally2 entries in the same order in
 both /etc/pam.d/system-auth and /etc/pam.d/password-auth and use sudo, your account
 will be marked as a failed login from tally even if the password is correct.

 Please edit the following files accordingly:

 FILE ---> /etc/pam.d/system-auth:

 #%PAM-1.0
 # This file is auto-generated.
 # User changes will be destroyed the next time authconfig is run.
 auth required pam_env.so
 auth sufficient pam_fprintd.so
 auth sufficient pam_unix.so nullok try_first_pass remember=4
 auth required pam_tally2.so deny=6 unlock_time=1800 —— > After
 pam_unix.so (this prevents the tally from being counted on local auth)
 auth requisite pam_succeed_if.so uid >= 500 quiet
 auth required pam_deny.so
 account required pam_unix.so
 account sufficient pam_localuser.so
 account required pam_tally2.so
 account sufficient pam_succeed_if.so uid < 500 quiet
 account required pam_permit.so
 password requisite pam_cracklib.so try_first_pass retry=3 type= minclass=3 minlen=8
 password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
 password required pam_deny.so
 session optional pam_keyinit.so revoke
 session required pam_limits.so
 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session required pam_unix.so



 FILE ---> /etc/pam.d/password-auth:

 #%PAM-1.0
 # This file is auto-generated.
 # User changes will be destroyed the next time authconfig is run.
 auth required pam_env.so
 auth required pam_tally2.so deny=6 unlock_time=1800 —— > Before
 pam_unix.so (While connecting via ssh, check pam_tally2 for a locked account.)
 auth sufficient pam_unix.so nullok try_first_pass remember=4
 auth requisite pam_succeed_if.so uid >= 500 quiet
 auth required pam_deny.so
 account required pam_unix.so
 account sufficient pam_localuser.so
 account required pam_tally2.so
 account sufficient pam_succeed_if.so uid < 500 quiet
 account required pam_permit.so
 password requisite pam_cracklib.so try_first_pass retry=3 type= minclass=3 minlen=8
 password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
 password required pam_deny.so
 session optional pam_keyinit.so revoke
 session required pam_limits.so
 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session required pam_unix.so


 IMPORTANT:
 Password-auth is read in /etc/pam.d/sshd (or should be an include) and this is why we
 need the tally line read before local auth (system-auth).


 PCI Compliance Password and Account limitations:
 Some customers may ask you to setup their local account environment to be PCI
 compliant, here is a list of things to go through to get started...


 PASSWORD COMLPEXITY:
 **** Must use at least one occurrence of three of these four categories in the password: ****
 - uppercase alphabetic
 - lowercase alphabetic
 - numeric
 - special characters
 - minimum 8 characters


 In /etc/pam.d/system-auth we would modify the following:
 ---> 'pam_cracklib.so' line to include the following:
      password requisite pam_cracklib.so try_first_pass retry=3 type= minclass=3 minlen=8

 There are six character classes, minclass=3 says that at least 3 of these must be met when creating a passwd:
 - Upper-case characters
 - Lower-case characters
 - Digits
 - Special characters (for example, punctuation)
 - 8-bit characters (characters whose decimal code starts at 128 or below)
 - Number of repeated characters


 In addition to the above, we state that the password must be at least 8 characters in length. To change the default 
 lifetime of all users password before they must renew, we would need to edit the following entry in the '/etc/login.defs' file...

 [root@server pam.d]# cat /etc/login.defs | grep -i 'pass_max'
 # PASS_MAX_DAYS Maximum number of days a password may be used.
 PASS_MAX_DAYS 99999 to 90


 EXAMPLE: Customer wanted to enable account locking locally and through SSH as well
 as setup password aging and complexity requirements.

 *** Changes to be made: ***

 FILE: /etc/login.defs (editing the following values to change the warning period and password lifetime.)
 # PASS_WARN_AGE Number of days warning given before a password expires.
 PASS_WARN_AGE 14
 # PASS_MAX_DAYS Maximum number of days a password may be used.
 PASS_MAX_DAYS 90



 FILE: /etc/ssh/sshd_config (adding the following line to block ssh access from a specific user)
 # Restrict user from SSH access to system. 
 DenyUsers user



 FILE: /etc/pam.d/system-auth
 1. Adding the following pam_tally 'auth' line below pam_unix.so to block locked accounts from having system
 level authentication access until the time limit has passed.

 2. Adding values to pam_cracklib.so to set the following values... minclass=3 (meet 3 classes of characters) 
 minlen=8 (password length minimum of 8)

 #%PAM-1.0
 # This file is auto-generated.
 # User changes will be destroyed the next time authconfig is run.
 auth required pam_env.so
 auth sufficient pam_fprintd.so
 auth sufficient pam_unix.so nullok try_first_pass remember=4
 auth required pam_tally2.so deny=6 unlock_time=1800 ****** Adding ******
 auth requisite pam_succeed_if.so uid >= 500 quiet
 auth required pam_deny.so
 account required pam_unix.so
 account sufficient pam_localuser.so
 account required pam_tally2.so ****** Adding ******
 account sufficient pam_succeed_if.so uid < 500 quiet
 account required pam_permit.so
 password requisite pam_cracklib.so try_first_pass retry=3 type= minclass=3 minlen=8 ***** Modified ******
 password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
 password required pam_deny.so
 session optional pam_keyinit.so revoke
 session required pam_limits.so
 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session required pam_unix.so



 FILE: /etc/pam.d/password-auth
 1. Adding the following pam_tally 'auth' line above pam_unix.so to block locked accounts from having ssh 
 access until their account is unlocked.
 2. Appending the same values to pam_cracklib.so as above.

 #%PAM-1.0
 # This file is auto-generated.
 # User changes will be destroyed the next time authconfig is run.
 auth required pam_env.so
 auth required pam_tally2.so deny=6 unlock_time=1800 ****** Adding ******
 auth sufficient pam_unix.so nullok try_first_pass remember=4
 auth requisite pam_succeed_if.so uid >= 500 quiet
 auth required pam_deny.so
 account required pam_unix.so
 account sufficient pam_localuser.so
 account required pam_tally2.so ****** Adding ******
 account sufficient pam_succeed_if.so uid < 500 quiet
 account required pam_permit.so
 password requisite pam_cracklib.so try_first_pass retry=3 type= minclass=3 minlen=8 ****** Modified ******
 password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
 password required pam_deny.so
 session optional pam_keyinit.so revoke
 session required pam_limits.so
 session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session required pam_unix.so
	Enabling pam_tally2 on RHEL/CentOS 6:

	It is important to understand that if you place the pam_tally2 entries in the same order in
	both /etc/pam.d/system-auth and /etc/pam.d/password-auth and use sudo, your account
	will be marked as a failed login from tally even if the password is correct.

	Please edit the following files accordingly:

	FILE ---> /etc/pam.d/system-auth:

	#%PAM-1.0
	# This file is auto-generated.
	# User changes will be destroyed the next time authconfig is run.
	auth required pam_env.so
	auth sufficient pam_fprintd.so
	auth sufficient pam_unix.so nullok try_first_pass remember=4
	auth required pam_tally2.so deny=6 unlock_time=1800 —— > After
	pam_unix.so (this prevents the tally from being counted on local auth)
	auth requisite pam_succeed_if.so uid >= 500 quiet
	auth required pam_deny.so
	account required pam_unix.so
	account sufficient pam_localuser.so
	account required pam_tally2.so
	account sufficient pam_succeed_if.so uid < 500 quiet
	account required pam_permit.so
	password requisite pam_cracklib.so try_first_pass retry=3 type= minclass=3 minlen=8
	password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
	password required pam_deny.so
	session optional pam_keyinit.so revoke
	session required pam_limits.so
	session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
	session required pam_unix.so



	FILE ---> /etc/pam.d/password-auth:

	#%PAM-1.0
	# This file is auto-generated.
	# User changes will be destroyed the next time authconfig is run.
	auth required pam_env.so
	auth required pam_tally2.so deny=6 unlock_time=1800 —— > Before
	pam_unix.so (While connecting via ssh, check pam_tally2 for a locked account.)
	auth sufficient pam_unix.so nullok try_first_pass remember=4
	auth requisite pam_succeed_if.so uid >= 500 quiet
	auth required pam_deny.so
	account required pam_unix.so
	account sufficient pam_localuser.so
	account required pam_tally2.so
	account sufficient pam_succeed_if.so uid < 500 quiet
	account required pam_permit.so
	password requisite pam_cracklib.so try_first_pass retry=3 type= minclass=3 minlen=8
	password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
	password required pam_deny.so
	session optional pam_keyinit.so revoke
	session required pam_limits.so
	session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
	session required pam_unix.so


	IMPORTANT:
	Password-auth is read in /etc/pam.d/sshd (or should be an include) and this is why we
	need the tally line read before local auth (system-auth).


	PCI Compliance Password and Account limitations:
	Some customers may ask you to setup their local account environment to be PCI
	compliant, here is a list of things to go through to get started...


	PASSWORD COMLPEXITY:
	** Must use at least one occurrence of three of these four categories in the password: **
	- uppercase alphabetic
	- lowercase alphabetic
	- numeric
	- special characters
	- minimum 8 characters


	In /etc/pam.d/system-auth we would modify the following:
	---> 'pam_cracklib.so' line to include the following:
	password requisite pam_cracklib.so try_first_pass retry=3 type= minclass=3 minlen=8

	There are six character classes, minclass=3 says that at least 3 of these must be met when creating a passwd:
	- Upper-case characters
	- Lower-case characters
	- Digits
	- Special characters (for example, punctuation)
	- 8-bit characters (characters whose decimal code starts at 128 or below)
	- Number of repeated characters


	In addition to the above, we state that the password must be at least 8 characters in length. To change the default
	lifetime of all users password before they must renew, we would need to edit the following entry in the '/etc/login.defs' file...

	[root@server pam.d]# cat /etc/login.defs \| grep -i 'pass_max'
	# PASS_MAX_DAYS Maximum number of days a password may be used.
	PASS_MAX_DAYS 99999 to 90


	EXAMPLE: Customer wanted to enable account locking locally and through SSH as well
	as setup password aging and complexity requirements.

	* Changes to be made: *

	FILE: /etc/login.defs (editing the following values to change the warning period and password lifetime.)
	# PASS_WARN_AGE Number of days warning given before a password expires.
	PASS_WARN_AGE 14
	# PASS_MAX_DAYS Maximum number of days a password may be used.
	PASS_MAX_DAYS 90



	FILE: /etc/ssh/sshd_config (adding the following line to block ssh access from a specific user)
	# Restrict user from SSH access to system.
	DenyUsers user



	FILE: /etc/pam.d/system-auth
	1. Adding the following pam_tally 'auth' line below pam_unix.so to block locked accounts from having system
	level authentication access until the time limit has passed.

	2. Adding values to pam_cracklib.so to set the following values... minclass=3 (meet 3 classes of characters)
	minlen=8 (password length minimum of 8)

	#%PAM-1.0
	# This file is auto-generated.
	# User changes will be destroyed the next time authconfig is run.
	auth required pam_env.so
	auth sufficient pam_fprintd.so
	auth sufficient pam_unix.so nullok try_first_pass remember=4
	auth required pam_tally2.so deny=6 unlock_time=1800 **** Adding ****
	auth requisite pam_succeed_if.so uid >= 500 quiet
	auth required pam_deny.so
	account required pam_unix.so
	account sufficient pam_localuser.so
	account required pam_tally2.so **** Adding ****
	account sufficient pam_succeed_if.so uid < 500 quiet
	account required pam_permit.so
	password requisite pam_cracklib.so try_first_pass retry=3 type= minclass=3 minlen=8 *** Modified ****
	password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
	password required pam_deny.so
	session optional pam_keyinit.so revoke
	session required pam_limits.so
	session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
	session required pam_unix.so



	FILE: /etc/pam.d/password-auth
	1. Adding the following pam_tally 'auth' line above pam_unix.so to block locked accounts from having ssh
	access until their account is unlocked.
	2. Appending the same values to pam_cracklib.so as above.

	#%PAM-1.0
	# This file is auto-generated.
	# User changes will be destroyed the next time authconfig is run.
	auth required pam_env.so
	auth required pam_tally2.so deny=6 unlock_time=1800 **** Adding ****
	auth sufficient pam_unix.so nullok try_first_pass remember=4
	auth requisite pam_succeed_if.so uid >= 500 quiet
	auth required pam_deny.so
	account required pam_unix.so
	account sufficient pam_localuser.so
	account required pam_tally2.so **** Adding ****
	account sufficient pam_succeed_if.so uid < 500 quiet
	account required pam_permit.so
	password requisite pam_cracklib.so try_first_pass retry=3 type= minclass=3 minlen=8 **** Modified ****
	password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
	password required pam_deny.so
	session optional pam_keyinit.so revoke
	session required pam_limits.so
	session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
	session required pam_unix.so