#1 2023-09-22 18:08:11

rs12
New member
Registered: 2023-09-22

Question about PAM configuration / question about disabling TLS

■Item 1: Question about PAM configuration
I am trying to configure PAM to meet the following requirements:
・Lock the account after 3 failed logins
・Lock the account indefinitely
I have confirmed that with su the account is locked after 3 wrong passwords, but
when authentication fails with a wrong key under key-based authentication, the failures are not counted.
Could you tell me how to lock the account on failures with key-based authentication as well?

Below is the configuration in my environment. ※ Lines marked ★ are the ones I added.
□/etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
★auth required pam_faillock.so preauth silent audit deny=3 unlock_time=0
auth [success=1 default=ignore] pam_unix.so nullok
★auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=0
★auth sufficient pam_faillock.so authsucc audit deny=3 unlock_time=0
#auth requisite pam_succeed_if.so uid quiet_success
#auth required pam_faillock.so
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
□/etc/pam.d/common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.
#
# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
★account required pam_faillock.so


■Item 2: Question about disabling TLS
Is it possible to disable TLS 1.0 and TLS 1.1 communication OS-wide on an Ubuntu server?
If so, could you tell me the procedure?
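To check that a common-auth stack like the one in the post wires pam_faillock in the order faillock expects (preauth before pam_unix, authfail with [default=die] right after it, then authsucc, all with the same deny= value), here is a small added checker. It is example code written for this page, not the poster's code or part of pam-auth-update; it runs against a constructed copy of the poster's stack with the ★ markers removed.

```python
import re

# Constructed sample: the poster's common-auth stack with the "★" markers
# stripped so that it parses like a real PAM file.
COMMON_AUTH = """\
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=0
auth [success=1 default=ignore] pam_unix.so nullok
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=0
auth sufficient pam_faillock.so authsucc audit deny=3 unlock_time=0
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
"""

PAM_LINE = re.compile(r"(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse_pam(text):
    """Parse PAM stack lines into (type, control, module, args) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        m = PAM_LINE.match(line) if line else None
        if m:
            entries.append((m.group(1), m.group(2), m.group(3), m.group(4).split()))
    return entries

def check_faillock(entries):
    """Return a list of problems with the pam_faillock wiring of an auth stack."""
    problems, idx, deny = [], {}, set()
    for i, (typ, ctrl, mod, args) in enumerate(entries):
        if typ != "auth":
            continue
        if mod == "pam_faillock.so":
            for phase in ("preauth", "authfail", "authsucc"):
                if phase in args:
                    idx[phase] = i
            deny.update(a for a in args if a.startswith("deny="))
        elif mod == "pam_unix.so":
            idx.setdefault("unix", i)
    for key in ("preauth", "unix", "authfail", "authsucc"):
        if key not in idx:
            problems.append(f"missing {'pam_unix.so' if key == 'unix' else 'pam_faillock ' + key} line")
    if problems:
        return problems
    if not idx["preauth"] < idx["unix"] < idx["authfail"] < idx["authsucc"]:
        problems.append("order must be preauth, pam_unix, authfail, authsucc")
    if entries[idx["authfail"]][1] != "[default=die]":
        problems.append("authfail should use [default=die] so a bad password is recorded")
    if len(deny) > 1:
        problems.append(f"inconsistent deny= values: {sorted(deny)}")
    return problems
```

This only checks the stack that password logins pass through: sshd verifies public keys itself and consults the PAM auth stack only for the password and keyboard-interactive methods, so pam_faillock never sees a failed key.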
