I'm considering upgrading from RHEL4 to RHEL5, so I'm checking the configuration.
I struggled a bit with the setting that locks the account after three failed logins. The reason is that the PAM module in RHEL4 and the one in RHEL5 differ in version, and the way they are used has changed.
The pam_tally.so module is used to count login failures.
On RHEL4 the "deny=" option, which sets the number of allowed failures, was given on an account line, but from RHEL5 on it is given on an auth line (not just "deny="; most of the options have moved to auth).
Also, the order of the lines, which I had not paid much attention to until now, changes the behavior (this is something I need to study; presumably the modules pass values between each other).
I had casually added the pam_tally.so line at the end of the auth section, but with that placement, no matter how many times a login fails, entering the correct password still gets you in (the failure count does keep increasing).
The correct placement is before pam_unix.so.
"
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally.so onerr=fail deny=3
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
"
Verified on RHEL5
Incidentally, the configuration on RHEL3/4 is as follows. There, the line with the "deny=" option takes effect even if it is not placed before pam_unix.so (on these versions it is set on an account line).
That said, on RHEL5 it only took effect when placed before pam_unix.so, and the example in the Locking User Accounts After Too Many Login Failures section of the document Securing and Hardening Red Hat Linux Production Systems also puts it before pam_unix.so, so that is how I have configured it.
RHEL3 (slightly different because LDAP is installed)
"
]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_tally.so deny=2 no_magic_root reset
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
"
RHEL4
"
]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account required /lib/security/$ISA/pam_tally.so deny=3 no_magic_root reset
password required /lib/security/$ISA/pam_cracklib.so retry=3 type= difok=3 minlen=8 dcredit=-1 lcredit=-1
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=12
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
"
Verified on RHEL3/4/5
P.S.
Writing lines that contain multiple spaces is hard. When there are several spaces in a row, Nucleus automatically collapses them into one...
I connect to a Linux server over XDMCP, and ran into a problem where, once the screensaver had kicked in, I could not unlock it with my password.
The password lock engaged.

I enter the password.

Authentication fails, and "Sorry!" is shown in the password field.

By default, the screensaver starts after 10 minutes of idle time, and a password is required to unlock it.
The screensaver settings are in the XScreenSaver file under /usr/X11R6/lib/X11/app-defaults.
The screensaver start time is
*timeout:00:10:00
The password-lock setting is
*lock:True
When this happened,
messages contained:
Oct 13 11:23:31 hostname pam_tally[30076]: Error opening /var/log/faillog for update
Oct 13 11:23:33 hostname pam_tally[30076]: Error opening /var/log/faillog for update
Oct 13 11:23:33 hostname xscreensaver(pam_unix)[30076]: authentication failure; logname= uid=500 euid=500 tty=:0.0 ruser= rhost= user=root
Oct 13 11:23:33 hostname xscreensaver[30076]: pam_ldap: error trying to bind as user "uid=root,ou=Users,dc=test-domain,dc=com" (Invalid credentials)
and secure contained:
Oct 13 11:23:35 hostname xscreensaver[30076]: FAILED LOGIN 2 ON DISPLAY "123.456.789.123:0.0", FOR "adminuser"
Since these are logged, it appears that access to /var/log/faillog (the file that records login failure counts) is failing.
The count in secure's "FAILED LOGIN 2 ON" goes up with each failure, but it seems to be a different count from pam_tally's.
After some digging I found that removing "onerr=fail" from the pam_tally.so line in the auth section of system-auth makes it work; I tried it, and unlocking with the password became possible.
This "onerr=fail" means that when access to the password file and the like fails, the authentication is treated as a failure, so it matches this case exactly!
However, leaving it off seems likely to weaken authentication on normal logins, so it is an option I want to keep.
This time, as a workaround, I configure the screensaver so that the password lock does not engage. Setting *lock to False in the file mentioned above means the screensaver no longer locks when it starts.
I also decided to set *timeout to 24:00:00 so that the screensaver does not start on the Linux side at all. We settled on having the screensaver and password lock engage on the Windows machine that connects over XDMCP, rather than on the Linux side.
I also considered just uninstalling the screensaver this time, but it has many dependencies and that was a bit scary, so I gave up. It is a production system, after all.
Incidentally, this problem is described in the following.
It is the NOTE in the Locking User Accounts After Too Many Login Failures section of the document Securing and Hardening Red Hat Linux Production Systems. Quoted below:
Since the /var/log/faillog is owned by root and only root can write to the /var/log/faillog file, xscreensaver and vlock won't work correctly. Each time xscreensaver or vlock is executed as a non-root user, you won't be able to do an unlock since these programs can't write to /var/log/faillog. I don't have a good solution for that. I can only think of setting the SUID bits on these programs.
This problem occurs on RHEL3/4.
The other day it came to light that, because pam_tally.so was configured in two files (login and system-auth), login failures were being treated more strictly than intended.
Partly because the production servers have it in system-auth, I decided that on each development server the login failure count should be configured in the system-auth file rather than the login file.
The work itself is nothing special: just copy what is written in the login file,
"
auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
account required /lib/security/$ISA/pam_tally.so per_user deny=3 no_magic_root reset
"
into system-auth.
After finishing, I did a check just in case: connect over telnet, deliberately get the password wrong three times, and confirm whether the account gets locked.
I noticed that RHEL3 and RHEL4 behave differently.
On RHEL3, setting "deny=3" behaves as "up to 3 mistakes are allowed", whereas
on RHEL4, setting "deny=3" behaves as "lock after 3 failures".
The exact versions in our environment are as follows:
RHEL3(2.4.21-20)
pam(0.75)
RHEL4(2.6.9-43)
pam(0.77)
But there is no difference in "/usr/share/doc/pam-<version>/txts/README.pam_tally"...
This morning the development lead sitting next to me had a question.
"Hey, on this development server only, a failed login adds 2 to faillog."
"Huh? What do you mean?" I watched a demonstration.
When "pam_tally.so" is configured, a file called "/var/log/faillog" is created and login information is recorded in it.
Normally, each failed login increases the failure count by 1, and once the configured limit is reached, further logins are no longer possible.
On the server in question, the failure count, which normally goes up by 1, was going up by 2.
Thinking I must have made a configuration mistake, I checked the system-auth file in "/etc/pam.d".
"
auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
account required /lib/security/$ISA/pam_tally.so per_user deny=3 no_magic_root reset
"
Only the two entries above had been added, and nothing looked suspicious. There is no setting that determines the count per failure either...
A bit of googling showed that some people put it in system-auth and others put it in login, so I looked at login on our server... and there it was.
There had been a requirement to change the server configuration, and I had added it to system-auth, but the previous administrator had added it to login. I had no idea...
The default login has no pam_tally.so entry at all; instead, a line saying "refer to system-auth for all settings", namely
"
pam_stack.so service=system-auth
"
is present for every entry.
Normally, everything is configured to consult system-auth and follow it.
In this case, login was read first and added 1 to faillog, then system-auth was read and added another 1, so overall 2 were being added.
Deleting the pam_tally.so entry from login solved it.
There was one more trap: "deny=2" was set. One mistake made the failure count 2, which reached the limit of 2, after which login was impossible... what an awkward server to use.
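All three surprises in these posts come down to which auth lines actually execute. The Python model below is added here (not code from the posts, and a simplification of Linux-PAM's control flags, with a constructed user and tally) and reproduces the three cases: a pam_tally.so placed after a sufficient pam_unix.so never runs on a correct password, onerr=fail turns an unopenable faillog into a login failure, and a pam_tally line in both login and system-auth counts every attempt twice.

```python
SUCCESS, AUTH_ERR = "success", "auth_err"

def entry(control, module, **args):
    return (control, module, args)   # one pam.d line: flag, module, key=value options

def new_host(writable=True):
    # constructed sample host: one user, an empty tally, and whether faillog can be opened
    return {"shadow": {"alice": "s3cret"}, "faillog": {}, "faillog_writable": writable}

def run_module(e, host, user, password, services):
    _, m, args = e
    if m == "pam_unix.so":
        return SUCCESS if host["shadow"].get(user) == password else AUTH_ERR
    if m == "pam_deny.so":
        return AUTH_ERR
    if m == "pam_stack.so":          # RHEL3/4: run another service's stack in place
        return run_stack(services[args["service"]], host, user, password, services)
    if m == "pam_tally.so":
        if not host["faillog_writable"]:
            # onerr=fail: an unopenable /var/log/faillog is itself an auth failure
            return AUTH_ERR if args.get("onerr") == "fail" else SUCCESS
        host["faillog"][user] = host["faillog"].get(user, 0) + 1   # bumped on every attempt
        deny = int(args.get("deny", 0))
        # assumption: deny once the tally exceeds the limit (RHEL3/RHEL4 boundary not modelled)
        return AUTH_ERR if deny and host["faillog"][user] > deny else SUCCESS
    raise ValueError("unmodelled module " + m)

def run_stack(stack, host, user, password, services=None):
    # simplified flags: required remembers a failure but keeps going; sufficient
    # returns early only if nothing required has failed yet (requisite/optional omitted)
    failed = False
    for e in stack:
        rc = run_module(e, host, user, password, services or {})
        if e[0] == "required" and rc != SUCCESS:
            failed = True
        if e[0] == "sufficient" and rc == SUCCESS and not failed:
            return SUCCESS           # later lines, e.g. a trailing pam_tally, never run
    return AUTH_ERR if failed else SUCCESS

def tally(deny=0, onerr="fail"):
    return entry("required", "pam_tally.so", deny=str(deny), onerr=onerr)

UNIX, DENY = entry("sufficient", "pam_unix.so"), entry("required", "pam_deny.so")

def attempts(stack, host, passwords, services=None):
    """(login ok?, tally afterwards) for each password alice tries, in order."""
    out = []
    for pw in passwords:
        ok = run_stack(stack, host, "alice", pw, services) == SUCCESS
        out.append((ok, host["faillog"].get("alice", 0)))
    return out

def demo_order():
    pws = ["bad"] * 4 + ["s3cret"]   # four wrong passwords, then the right one
    after = attempts([UNIX, tally(3), DENY], new_host(), pws)    # ends (True, 4): still lets you in
    before = attempts([tally(3), UNIX, DENY], new_host(), pws)   # ends (False, 5): locked out
    return after[-1], before[-1]

def demo_onerr(onerr):
    # right password, but faillog cannot be opened (the xscreensaver case)
    return run_stack([tally(3, onerr), UNIX, DENY], new_host(False), "alice", "s3cret") == SUCCESS

def demo_double_count():
    services = {"system-auth": [tally(2), UNIX, DENY]}
    login = [tally(), entry("required", "pam_stack.so", service="system-auth")]   # tally twice per attempt
    return attempts(login, new_host(), ["bad", "s3cret"], services)   # [(False, 2), (False, 4)]
```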