One other thing - as far as we could tell pam_tally only locked a user out of a single machine (/var/log/faillog would appear to be kept on each individual machine) - it does not appear to be able to lock a network account - get locked out of one machine and the user could move on to the next machine.

Does anyone know of any LDAP-based (PAM/LDAP combo?)/enterprise solutions for this?

Thanks much,
Eric

-----Original Message-----
From: Baenen Eric P Contr AFRL/HEC
Sent: Wednesday, October 05, 2005 9:20 AM
To: 'suse-security@suse.com'
Subject: RE: [suse-security] account lockout after x incorrect attempts???

Thank you,

We had looked at pam_tally just a bit - but our searches didn't find much in the way of positive experience with it. Has anyone actually implemented this with positive results?

Thanks,
Eric

-----Original Message-----
From: Marcus Meissner [mailto:meissner@suse.de]
Sent: Wednesday, October 05, 2005 9:08 AM
To: Baenen Eric P Contr AFRL/HEC
Cc: 'suse-security@suse.com'
Subject: Re: [suse-security] account lockout after x incorrect attempts???

On Wed, Oct 05, 2005 at 08:34:06AM -0400, Baenen Eric P Contr AFRL/HEC wrote:
> Hello,
>
> We have a number of SUSE 9.x workstations - and recently we've been mandated to have them adhere to a corporate IT security policy that requires account lockout after a certain number of incorrect login attempts.
>
> Has anyone ever worked with a solution for this for SUSE 9.x? A PAM module perhaps? An LDAP-based solution? At this point we're looking for any solution - commercial or open source.

You want pam_tally:

/usr/share/doc/packages/pam/modules/README.pam_tally

Ciao, Marcus