I recently installed an Ubuntu VM to play with, and decided I wanted to get a better understanding of faillock. I read the man pages for faillock and pam_faillock and felt I had followed the instructions, but judging by my results I've clearly missed something.
I'm running Ubuntu 20.04.4 LTS. These are the config file changes I made (based on the man pages):
$ grep -v '#' /etc/security/faillock.conf
dir = /var/run/faillock
audit
silent
deny = 3
fail_interval = 900
unlock_time = 120
$ grep faillock /etc/pam.d/login
auth required pam_faillock.so preauth
auth [default=die] pam_faillock.so authfail
account required pam_faillock.so
$ sudo faillock
faillock: Error reading tally directory: No such file or directory
Obviously I can create the tally directory. But I figured that if I had done everything correctly, something would create it for me.
I went ahead and created it anyway. I ssh'd into the host with a test account and used a wrong password 6 times, but nothing seemed to happen. The account wasn't locked, and running faillock now produces no output at all.
I saw some mentions of pam-auth-update in the pam.d config files. On a hunch I went ahead and ran it, in case it's something that is supposed to be run after updating the contents of the pam.d config files. But it didn't seem to do anything useful.
Any idea what I'm missing? Thanks in advance.
-- Update
I touched a file named after the user the_dude and set its permissions to rw for that user.
$ ls -l /var/run/faillock/the_dude
When I run sudo faillock --user the_dude, it now prints the basic header.
$ sudo faillock --user the_dude
the_dude:
When Type Source Valid
However, I notice that when I make some bad login attempts, nothing is put into the tally file.
Also, I rebooted the VM and found that some process had run and removed the tally file and directory.
So I believe I'm missing some step that "enables" this module - but I don't see anything in the man pages suggesting that this is required.
If it doesn't like something in my config, where would it dump log messages about it?
Answer 1
I haven't tested on Ubuntu 20.04, but the following seems to work on Ubuntu 22.04. PAM tally has been removed in 22.04.
Make sure you have a root shell open while making these changes, and test with another user so that you can still undo the changes if you break authentication.
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [success=1 default=ignore] pam_unix.so nullok
# here's the fallback if no module succeeds
# BEGIN ANSIBLE MANAGED BLOCK
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
# END ANSIBLE MANAGED BLOCK
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#
# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
account required pam_faillock.so
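An added example, not code from the question or the answer: a POSIX sh check for the ordering the answer's common-auth stack depends on (pam_faillock.so preauth before pam_unix.so, authfail after it), run here against constructed sample stacks rather than real system files. It matters for the question because on Ubuntu the sshd PAM service includes common-auth rather than /etc/pam.d/login, so lines placed only in login never run for ssh sessions; pass /etc/pam.d/common-auth to check_faillock_stack to check a live system.

```shell
#!/bin/sh
# Added example (not from the question or answer): verify that the pam_faillock
# lines in a PAM auth stack such as /etc/pam.d/common-auth are ordered the way the
# module expects: preauth before pam_unix.so, authfail after it.
# Assumes the one-directive-per-line layout shown in the answer.
pam_line_no() {
    # Print the 1-based line number of the first line matching $2 in file $1
    # (empty output when nothing matches).
    grep -nE "$2" "$1" | head -n 1 | cut -d: -f1
}
check_faillock_stack() {
    # Return 0 when the stack is ordered correctly; print one diagnostic per problem.
    f="$1"; rc=0
    pre=$(pam_line_no "$f" '^auth[[:space:]].*pam_faillock\.so.*[[:space:]]preauth')
    unix=$(pam_line_no "$f" '^auth[[:space:]].*pam_unix\.so')
    fail=$(pam_line_no "$f" '^auth[[:space:]].*pam_faillock\.so.*[[:space:]]authfail')
    [ -n "$pre" ]  || { echo "$f: no pam_faillock.so preauth line"; rc=1; }
    [ -n "$unix" ] || { echo "$f: no pam_unix.so auth line"; rc=1; }
    [ -n "$fail" ] || { echo "$f: no pam_faillock.so authfail line"; rc=1; }
    if [ -n "$pre" ] && [ -n "$unix" ] && [ "$pre" -gt "$unix" ]; then
        echo "$f: preauth (line $pre) must precede pam_unix.so (line $unix)"; rc=1
    fi
    if [ -n "$fail" ] && [ -n "$unix" ] && [ "$fail" -lt "$unix" ]; then
        echo "$f: authfail (line $fail) must follow pam_unix.so (line $unix)"; rc=1
    fi
    return $rc
}
# Constructed sample stacks for demonstration (temporary files, not system files).
GOOD_STACK=$(mktemp); BAD_STACK=$(mktemp)
trap 'rm -f "$GOOD_STACK" "$BAD_STACK"' EXIT
cat > "$GOOD_STACK" <<'EOF'
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [success=1 default=ignore] pam_unix.so nullok
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
auth requisite pam_deny.so
auth required pam_permit.so
EOF
cat > "$BAD_STACK" <<'EOF'
# misordered: the pam_faillock pre-check sits after pam_unix.so
auth [success=1 default=ignore] pam_unix.so nullok
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
EOF
for stack in "$GOOD_STACK" "$BAD_STACK"; do
    if check_faillock_stack "$stack"; then echo "$stack: OK"; fi
done
```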