I am having trouble with a configuration line in common-account-pc and common-auth-pc that also denies root access:
account required pam_tally2.so deny=10 onerr=fail unlock_time=600 even_deny_root root_unlock_time=5 file=/home/log/faillog
It seems that this line causes some problem when trying to access the SUT multiple times, and I assume that it thinks that it is an attack via ssh.
But it is actually a test tool that tries to send commands several times via ssh root@ to the SUT (100.100.100.100) from the server (10.10.10.13).
Apr 25 05:51:56 SUT sshd[31570]: pam_tally2(sshd:auth): user root (0) tally 83, deny 10
Apr 25 05:52:16 SUT sshd[31598]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.13 user=root
Apr 25 05:52:21 SUT sshd[31568]: error: PAM: Authentication failure for root from 10.10.10.13
Apr 25 05:52:21 SUT sshd[31568]: Connection closed by 10.10.10.13 [preauth]
The password is always correct, but still after some time it starts to throw an exception (pexpect): Account locked.
version: 2.3 ($Revision: 399 $)
command: /usr/bin/ssh
args: ['/usr/bin/ssh', 'root@100.100.100.100']
searcher: searcher_re:
0: re.compile(".*:~ #")
buffer (last 100 chars): :
Account locked due to 757 failed logins
Password:
before (last 100 chars): :
Account locked due to 757 failed logins
Password:
after: <class 'pexpect.TIMEOUT'>
...
But according to passwd, root is not labeled LK:
SUT:~ # passwd -S root
root P 04/24/2017 -1 -1 -1 -1
Manually it is always possible to access the SUT via ssh root@!!!
So, for the moment the only thing that can cause this is the PAM configuration. But how do I restart or activate the changes?
Does someone else have any other idea?
Thanks in adv.
Best Answer
There is no PAM daemon. You do not need to reload anything for the changes to take effect.
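The lock reported in the question comes from pam_tally2's own failure counter (the file named by `file=`), not from the password state that `passwd -S` prints, so the syslog lines are where to compare the tally against `deny`. The following is an added example, not part of the original post or answer: it parses the log lines quoted in the question, and the function name `summarize` and the report layout are assumptions made for illustration.

```python
import re

# Log lines copied from the excerpt in the question (hosts and IPs as posted).
SAMPLE_LOG = """\
Apr 25 05:51:56 SUT sshd[31570]: pam_tally2(sshd:auth): user root (0) tally 83, deny 10
Apr 25 05:52:16 SUT sshd[31598]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.13 user=root
Apr 25 05:52:21 SUT sshd[31568]: error: PAM: Authentication failure for root from 10.10.10.13
Apr 25 05:52:21 SUT sshd[31568]: Connection closed by 10.10.10.13 [preauth]
"""

# pam_tally2 logs the current counter and the configured deny limit.
TALLY_RE = re.compile(
    r"pam_tally2\((?P<svc>[^)]+)\): user (?P<user>\S+) \((?P<uid>\d+)\) "
    r"tally (?P<tally>\d+), deny (?P<deny>\d+)"
)
# pam_unix logs which remote host the failed attempt came from.
UNIX_FAIL_RE = re.compile(
    r"pam_unix\([^)]+\): authentication failure;.*\brhost=(?P<rhost>\S*)\s+user=(?P<user>\S+)"
)

def summarize(log_text):
    """Return {user: {tally, deny, locked, rhosts}} built from syslog text."""
    report = {}
    for line in log_text.splitlines():
        m = TALLY_RE.search(line)
        if m:
            entry = report.setdefault(m["user"], {"rhosts": {}})
            entry["tally"] = int(m["tally"])
            entry["deny"] = int(m["deny"])
            # Access is denied once the counter exceeds the deny value.
            entry["locked"] = entry["tally"] > entry["deny"]
            continue
        m = UNIX_FAIL_RE.search(line)
        if m:
            entry = report.setdefault(m["user"], {"rhosts": {}})
            entry["rhosts"][m["rhost"]] = entry["rhosts"].get(m["rhost"], 0) + 1
    return report

if __name__ == "__main__":
    for user, info in summarize(SAMPLE_LOG).items():
        state = "LOCKED by pam_tally2" if info.get("locked") else "not locked"
        print(f"{user}: tally={info.get('tally')} deny={info.get('deny')} -> {state}")
        for rhost, count in info["rhosts"].items():
            print(f"  failures logged from {rhost}: {count}")
```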