[sudo-users] sudoers auto lock after a number of invalid login attempts
Todd C. Miller
Todd.Miller at courtesan.com
Mon Oct 11 08:48:05 EDT 2010
In message <AANLkTin_MsETN7wKEU_MDW4PfNamruSMoSw_UpeC4Thp at mail.gmail.com>
so spake Jonathan Sabo (jsabo):
> I'm just about to start looking through the archives for past request
> for this information but I wanted to ask again just the same...
> Could someone please point me to past posts on configuring or
> documents on implementing an autolock feature with sudoers if it's
> supported? I want to be able to lock out sudo after a number of
> invalid authentication attempts. Is that possible? Does it use
> pam_tally? Any links or additional information would be greatly
You can use pam_tally to achieve this, though the user won't get a
very nice error message at the moment. Try adding something like
the following to /etc/pam.d/sudo:
auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
account required /lib/security/$ISA/pam_tally.so deny=4 unlock_time=300 no_magic_root reset per_user
This will deny access after 4 failures, unlocking after 5 minutes.
You can also configure the number of failures on a per-user basis. E.g.
# faillog -u username -m max_number_of_failures
where username is the user you are configuring and max_number_of_failures
is a number.
Now, if I try to run sudo after too many failed attempts:
$ sudo id
[sudo] password for millert:
sudo: pam_acct_mgmt: 7
Sorry, try again.
[sudo] password for millert: ^C
sudo: 1 incorrect password attempt
Unfortunately, the error message is not very helpful and sudo keeps
prompting for a password even after pam_tally has rejected the user.
This will be fixed in sudo 1.7.5.
More information about the sudo-users