inactive option not working for

Server Fault Asked by Jakov Sosic on August 5, 2020

I’m trying to set up my system to lock out inactive users after 10 days. I’m using CentOS 6.x, and looking at RHEL manual, this is what I found:

To lock out an account after 10 days of inactivity, add, as root,
the following line to the auth section of the /etc/pam.d/login file:
auth  required inactive=10

So, this is my /etc/pam.d/login :

auth [user_unknown=ignore success=ok ignore=ignore default=bad]
auth       include      system-auth
auth       required inactive=10
account    required
account    include      system-auth
password   include      system-auth
# close should be the first session rule
session    required close
session    required
session    optional
# open should only be followed by sessions to be executed in the user context
session    required open
session    required
session    optional force revoke
session    include      system-auth
-session   optional

I log in through ssh as a user, and log out.

After that I set up the time 1 year in the future, as root logged in on TTY1:

# date --set "...."
# hwclock --systohc

I even reboot the VM, but still, when it gets back, I’m able to log in as user through ssh.

Any ideas what am I doing wrong here?

One Answer

I even reboot the VM, but still, when it gets back, I'm able to log in as user through ssh.

Apples and oranges. You're editing the login file, but you're performing tests against sshd. The sshd daemon calls the PAM library directly with a service name of sshd, thus the identically named file is used.

In the event that you were not aware that the login file maps to authentication attempts by an actual command named login (which is invoked by your getty), man login is recommended reading material.

Answered by Andrew B on August 5, 2020

Add your own answers!

Ask a Question

Get help from others!

© 2024 All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP