Basic Authentication Commands


Check User Settings 
  • chage -l user  
  • chage -d 0 user (require the user to change the password at the first/next login) 

User Lockout 
  • /sbin/pam_tally2 --user tomcat 
      Login           Failures Latest failure     From 
      tomcat              0 
  • passwd --status tomcat 
      tomcat PS 2013-03-06 0 99999 7 -1 (Password set, MD5 crypt.) 
    • 2nd field is PS = usable password, NP = no password, L = locked   

  • cut -d : -f 1 /etc/passwd | awk '{ system("passwd -S " $0) }'  (password status of every account in /etc/passwd)  

Setup User Lockout and Pam Tally 
  • Modify /etc/pam.d/sshd and add the two lines marked "<< this line here", in this order:  
    • auth required pam_sepermit.so 
      auth required pam_tally2.so deny=3 onerr=fail << this line here 
      auth include password-auth 
      account required pam_nologin.so  
      account required pam_tally2.so << this line here  
      account include password-auth   
    • Then just run pam_tally2 to see failed logins, and pam_tally2 -u username -r to unlock the user account if it's locked out.   
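As an added example (not part of the original notes), a POSIX shell script that automates two of the checks above: it reads passwd -S output and flags accounts with no password or a lock, and it verifies that the pam_tally2 lines in a PAM service file sit before the matching "include password-auth" lines, as the sshd stack above requires. The account names, dates and sample files are constructed; the function names are my own.

```shell
# Added example, not from the original notes: audit helpers for the two checks
# above. Both read stdin, so they run on the constructed samples below or on a
# real system, e.g. "pam_tally_check < /etc/pam.d/sshd".

# Print one line per account whose "passwd -S" status is NP (no password)
# or L/LK (locked); accounts with a usable password (PS) print nothing.
passwd_audit() {
    awk '$2 == "NP"               { print $1 ": no password set" }
         $2 == "L" || $2 == "LK" { print $1 ": locked" }'
}

# Check that a PAM service file has the pam_tally2 lines in the order the notes
# require: the auth line (with deny=) before "auth include password-auth" and
# the account line before "account include password-auth". Prints OK and
# returns 0, or prints the first problem found and returns 1.
pam_tally_check() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }
    $1 == "auth"    && $3 == "pam_tally2.so" && $0 ~ /deny=/    { auth_tally = NR }
    $1 == "auth"    && $2 == "include" && $3 == "password-auth" { auth_inc = NR }
    $1 == "account" && $3 == "pam_tally2.so"                    { acct_tally = NR }
    $1 == "account" && $2 == "include" && $3 == "password-auth" { acct_inc = NR }
    END {
        if (!auth_tally) { print "missing: auth required pam_tally2.so deny=N"; exit 1 }
        if (auth_inc && auth_tally > auth_inc) { print "auth pam_tally2 must precede auth include password-auth"; exit 1 }
        if (!acct_tally) { print "missing: account required pam_tally2.so"; exit 1 }
        if (acct_inc && acct_tally > acct_inc) { print "account pam_tally2 must precede account include password-auth"; exit 1 }
        print "OK"
    }'
}

# Constructed sample data: made-up accounts, and the sshd stack from the notes.
SAMPLE_STATUS='tomcat PS 2013-03-06 0 99999 7 -1 (Password set, MD5 crypt.)
backup NP 2013-03-06 0 99999 7 -1 (Empty password.)
olduser LK 2013-03-06 0 99999 7 -1 (Password locked.)'
SAMPLE_PAM_GOOD='auth required pam_sepermit.so
auth required pam_tally2.so deny=3 onerr=fail
auth include password-auth
account required pam_nologin.so
account required pam_tally2.so
account include password-auth'
# Wrong order: the auth pam_tally2 line was added after the include.
SAMPLE_PAM_BAD='auth required pam_sepermit.so
auth include password-auth
auth required pam_tally2.so deny=3 onerr=fail
account required pam_tally2.so
account include password-auth'

printf '%s\n' "$SAMPLE_STATUS"   | passwd_audit
printf '%s\n' "$SAMPLE_PAM_GOOD" | pam_tally_check
```

On a live system, feed the first helper with: cut -d : -f 1 /etc/passwd | xargs -n 1 passwd -S | passwd_audit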
Restrict SSH for User 
  • modify /etc/ssh/sshd_config and set DenyUsers (a space-separated list of user names), then reload sshd for the change to take effect 

Restrict SSH for user from host 
  • modify /etc/security/access.conf 
  • add this line to /etc/pam.d/login 
    • account    required     pam_access.so 
    • pam_access.so is only consulted by services whose PAM stack contains this line; /etc/pam.d/login covers console logins, so for SSH check that the stack sshd uses (/etc/pam.d/sshd) contains it as well 
