- Create the user account using the useradd command.
- Set the password using the passwd command.
- Lock the user account using the usermod -L command.
- Force the expiration using the chage -d 0 command.
- Unlock the user account using the usermod -U command.
Example output from the above commands for the user dan is shown below:
# useradd dan
# passwd dan
Changing password for user dan.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# usermod -L dan
# chage -d 0 dan
# usermod -U dan
When the user dan logs onto the system the first time, the user is prompted to change their password:
$ su dan
Password:
You are required to change your password immediately (root enforced)
Changing password for dan
(current) UNIX password:
New password:
Retype new password:
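The commands above only make sense once you see what each one changes in /etc/shadow: usermod -L prefixes the hash with "!" (usermod -U strips it again), useradd leaves "!!" until passwd runs, and chage -d 0 zeroes the "last changed" field so the next login forces a change. The following Python is an added example, not part of the Red Hat article; it parses constructed shadow records (the hashes are placeholders) with a hypothetical parse_shadow_line helper and reports those three flags per user.

```python
# Added example (not from the Red Hat article): show what the useradd / passwd /
# usermod -L / chage -d 0 / usermod -U sequence leaves behind in /etc/shadow,
# by parsing constructed shadow records the way the login tools read them.
from dataclasses import dataclass


@dataclass
class ShadowStatus:
    user: str
    locked: bool        # usermod -L prefixes the hash with "!"; usermod -U strips it
    password_set: bool  # "!!" (useradd, no passwd yet), "*" or "" give no usable password
    must_change: bool   # chage -d 0 sets the "last changed" field to 0 (expired now)


def parse_shadow_line(line: str) -> ShadowStatus:
    """Parse one /etc/shadow record: name:hash:lastchg:min:max:warn:inactive:expire:flag."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 3:
        raise ValueError(f"not a shadow record: {line!r}")
    user, hashed, lastchg = fields[0], fields[1], fields[2]
    locked = hashed.startswith("!")
    bare = hashed.lstrip("!")
    password_set = bare != "" and not bare.startswith("*")
    must_change = lastchg == "0"
    return ShadowStatus(user, locked, password_set, must_change)


def shadow_report(shadow_text: str) -> dict:
    """Map each user in a shadow file body to its ShadowStatus."""
    records = (parse_shadow_line(l) for l in shadow_text.splitlines() if l.strip())
    return {s.user: s for s in records}


# Constructed sample: the hashes are placeholders, not real digests.
# "dan" is the end state of the procedure above: unlocked, password set, must change.
SAMPLE_SHADOW = """\
dan:$1$example$CONSTRUCTEDHASH:0:0:99999:7:::
ops:!$1$example$CONSTRUCTEDHASH:15000:0:99999:7:::
fresh:!!:15000:0:99999:7:::
nobody:*:15000:0:99999:7:::
"""

if __name__ == "__main__":
    for status in shadow_report(SAMPLE_SHADOW).values():
        print(status)
```

Run it against a copy of a real shadow file (as root) to confirm that an account you intended to force a change on shows must_change=True and locked=False; a user left with locked=True after the procedure means the usermod -U step was skipped.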
Issue:
How do I unlock a user account and see failed logins with the faillog command?
Resolution:
To unlock the account, execute the following command:
# faillog -u <username> -r
To see all failed login attempts once failure logging has been enabled, issue the command:
# faillog
http://kbase.redhat.com/faq/FAQ_44_9722.shtm
Issue:
How do I lock out a user after a set number of login attempts in Red Hat Enterprise Linux 3 and 4?
Resolution:
The PAM (Pluggable Authentication Module) module pam_tally keeps track of unsuccessful login attempts, then disables user accounts when a preset limit is reached. This is often referred to as account lockout.
To lock out a user after 4 attempts, two entries need to be added in the /etc/pam.d/system-auth file:
auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
account required /lib/security/$ISA/pam_tally.so deny=3 no_magic_root reset
The options used above are described below:
- onerr=fail: If something strange happens, such as being unable to open the file, this determines how the module should react.
- no_magic_root: This is used to indicate that if the module is invoked by a user with uid=0, then the counter is incremented. The sys-admin should use this for daemon-launched services, like telnet/rsh/login.
- deny=3: The deny=3 option is used to deny access if the tally for this user exceeds 4. Note: the count starts from 0.
- reset: The reset option instructs the module to reset the count to 0 on successful entry.
See below for a complete example of implementing this type of policy:
auth required /lib/security/$ISA/pam_env.so
auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account required /lib/security/$ISA/pam_tally.so deny=5 no_magic_root reset
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
For more detailed information on the PAM system please see the documentation contained under /usr/share/doc/pam-<version>
For information on how to unlock a user that has expired their deny tally, see the additional Knowledgebase article above regarding unlocking a user account and seeing failed logins with the faillog command.
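To see how the deny=, reset and no_magic_root options interact over a series of logins, and how the faillog -u <username> -r unlock from the earlier article fits in, here is a small Python model. It is an added example, not Red Hat's code or the pam_tally source; it models the documented behaviour as follows: the auth line increments the tally on every attempt before the password is checked, the account line denies when the tally exceeds the deny value, and with reset it zeroes the tally after a successful login. The TallyDB, attempt_login and faillog_reset names are this example's own, and the tally store stands in for /var/log/faillog.

```python
# Added example (not Red Hat's code): a model of the pam_tally policy in the
# system-auth file above, showing how deny=, reset and no_magic_root interact
# across login attempts and how `faillog -u <user> -r` clears a lockout.
from dataclasses import dataclass, field


@dataclass
class TallyPolicy:
    deny: int = 3               # account ... pam_tally.so deny=3
    reset: bool = True          # ... reset: zero the count on successful login
    no_magic_root: bool = True  # count attempts for uid 0 like any other user


@dataclass
class TallyDB:
    """Stands in for /var/log/faillog: per-user count of failed attempts."""
    counts: dict = field(default_factory=dict)

    def get(self, user: str) -> int:
        return self.counts.get(user, 0)


def attempt_login(db: TallyDB, policy: TallyPolicy, user: str, uid: int, password_ok: bool):
    """Run one login through the auth and account stacks; returns (allowed, reason)."""
    # Without no_magic_root, attempts made as uid 0 ("magic root") are not counted.
    counted = policy.no_magic_root or uid != 0
    if counted:
        # auth phase: pam_tally bumps the counter before pam_unix checks the password
        db.counts[user] = db.get(user) + 1
    if not password_ok:
        # pam_unix fails, the account stack never runs, the increment stays
        return False, "authentication failed"
    # account phase runs only after a correct password
    tally = db.get(user)
    if counted and tally > policy.deny:
        return False, f"account locked: tally {tally} exceeds deny={policy.deny}"
    if policy.reset and counted:
        db.counts[user] = 0
    return True, "login ok"


def faillog_reset(db: TallyDB, user: str) -> None:
    """Equivalent of `faillog -u <user> -r`: clear the user's tally."""
    db.counts[user] = 0


def demo():
    """Three bad passwords, then the right one (locked out), then unlock and retry."""
    db, policy = TallyDB(), TallyPolicy(deny=3)
    log = []
    for ok in (False, False, False, True):
        log.append(attempt_login(db, policy, "dan", 500, ok))
    faillog_reset(db, "dan")
    log.append(attempt_login(db, policy, "dan", 500, True))
    return log, db.get("dan")


if __name__ == "__main__":
    results, remaining = demo()
    for allowed, reason in results:
        print(f"{'ALLOW' if allowed else 'DENY '}  {reason}")
    print("tally after unlock and successful login:", remaining)
```

The model makes the lockout arithmetic visible: with deny=3, the fourth attempt is refused even with the correct password, because the auth line has already pushed the tally to 4 before the account line compares it. It also shows why a user who fails twice and then logs in correctly is never locked (reset zeroes the count), and why the only way out of a lockout short of waiting is the faillog reset.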