Logins, PAM and sorting it out

A colleague reported a problem with a server: when he tried to ssh as the user Oracle to one server, it constantly failed with:

oracle@ed2qcomp05's password:
Permission denied, please try again.

He could su to oracle as root, and he could ssh as oracle from another server with user equivalency, so he was confident that the home directory was intact.

When we looked in /var/log/secure we saw the following messages:

Nov  7 12:23:20 ed2qcomp05 sshd[27305]: pam_tally2(sshd:auth): user oracle (1000) tally 49, deny 5
Nov  7 12:23:21 ed2qcomp05 sshd[27305]: Failed password for oracle from 10.130.3.216 port 39519 ssh2

In /etc/pam.d/sshd, PAM was configured to deny access after 5 attempts:

auth       required     pam_tally2.so deny=5 onerr=fail

So it looked like PAM had locked out the oracle user due to multiple failed login attempts. At this point on a production system you should start to investigate who has been trying to access your system; however, we knew what had caused the problem.

First check how many failed logins PAM had counted for that user:

[root@ed2qcomp05 pam.d]# pam_tally2 --user oracle
Login           Failures Latest failure     From
oracle             49    11/07/11 12:23:20  c1718-3-216-mgt.ssclabs.net

Then reset the tally for oracle (the output shows the count as it stood before the reset):

[root@ed2qcomp05 pam.d]# pam_tally2 --user oracle --reset
Login           Failures Latest failure     From
oracle             49    11/07/11 12:23:20  c1718-3-216-mgt.ssclabs.net

Verify that it has been reset:

[root@ed2qcomp05 pam.d]# pam_tally2 --user oracle
Login           Failures Latest failure     From
oracle              0

And now the Oracle user can log in to the system.
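
For the investigation step mentioned above (finding out who has been trying to log in), here is an added example that is not part of the original post: a shell function that summarises pam_tally2 lockout lines and failed-password sources from sshd log lines in the format shown. The function names, the extra sample lines and the address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the /var/log/secure format shown in the post; the first
# line, the last two lines and the address 192.0.2.10 are made up.
sample_log() {
cat <<'EOF'
Nov  7 12:23:18 ed2qcomp05 sshd[27301]: Failed password for oracle from 192.0.2.10 port 40100 ssh2
Nov  7 12:23:20 ed2qcomp05 sshd[27305]: pam_tally2(sshd:auth): user oracle (1000) tally 49, deny 5
Nov  7 12:23:21 ed2qcomp05 sshd[27305]: Failed password for oracle from 10.130.3.216 port 39519 ssh2
Nov  7 12:23:25 ed2qcomp05 sshd[27310]: Failed password for oracle from 10.130.3.216 port 39522 ssh2
Nov  7 12:24:02 ed2qcomp05 sshd[27320]: Failed password for invalid user admin from 192.0.2.10 port 40111 ssh2
EOF
}

# Reads sshd log lines on stdin and prints, sorted:
#   LOCK <user> <tally> <deny> <exceeded|within>   (from pam_tally2 lines)
#   SRC  <user> <source> <count>                   (from "Failed password" lines)
lockout_report() {
  awk '
    /pam_tally2\(sshd:auth\): user / {
      for (i = 1; i <= NF; i++) {
        if ($i == "user")  u = $(i + 1)
        if ($i == "tally") { t = $(i + 1); sub(/,$/, "", t) }  # drop trailing comma
        if ($i == "deny")  d = $(i + 1)
      }
      tally[u] = t; deny[u] = d          # keep the most recent values per user
    }
    /Failed password for / {
      for (i = 1; i <= NF; i++) {
        if ($i == "for") {
          u = $(i + 1)
          # sshd logs unknown accounts as "invalid user <name>"
          if (u == "invalid" && $(i + 2) == "user") u = $(i + 3)
        }
        if ($i == "from") ip = $(i + 1)
      }
      src[u SUBSEP ip]++                 # count failures per (user, source)
    }
    END {
      for (u in tally) {
        s = (tally[u] + 0 > deny[u] + 0) ? "exceeded" : "within"
        print "LOCK", u, tally[u], deny[u], s
      }
      for (k in src) { split(k, p, SUBSEP); print "SRC", p[1], p[2], src[k] }
    }
  ' | LC_ALL=C sort
}

sample_log | lockout_report
```

On a real host, feed it the log instead of the sample, for example `lockout_report < /var/log/secure`, before resetting the tally so the counts and sources can be compared.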
