[sudo-users] sudoers auto lock after a number of invalid login attempts

Todd C. Miller Todd.Miller at courtesan.com
Mon Oct 11 08:48:05 EDT 2010

In message <AANLkTin_MsETN7wKEU_MDW4PfNamruSMoSw_UpeC4Thp at mail.gmail.com>
	so spake Jonathan Sabo (jsabo):

> I'm just about to start looking through the archives for past request
> for this information but I wanted to ask again just the same...
> Could someone please point me to past posts on configuring or
> documents on implementing an autolock feature with sudoers if it's
> supported?  I want to be able to lock out sudo after a number of
> invalid authentication attempts.  Is that possible?  Does it use
> pam_tally?  Any links or additional information would be greatly
> appreciated.

You can use pam_tally to achieve this, though the user won't get a
very nice error message at the moment.  Try adding something like
the following to /etc/pam.d/sudo:

auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
account required /lib/security/$ISA/pam_tally.so deny=4 unlock_time=300 no_magic_root reset per_user

This will deny access after 4 failures, unlocking after 5 minutes.

You can also configure the number of failures on a per-user basis. E.g.

# faillog -u username -m max_number_of_failures

where username is the user you are configuring and max_number_of_failures
is a number.

Now, if I try to run sudo after too many failed attempts:

$ sudo id
[sudo] password for millert: 
sudo: pam_acct_mgmt: 7
Sorry, try again.
[sudo] password for millert: ^C
sudo: 1 incorrect password attempt

Unfortunately, the error message is not very helpful and sudo keeps
prompting for a password even after pam_tally has rejected the user.
This will be fixed in sudo 1.7.5.

 - todd

More information about the sudo-users mailing list