A client of mine was looking for a way to update the maximum number of failed OS login attempts, because their monitoring solution kept locking the root user account on the VMware Unified Access Gateway 2212. This version of the UAG is based on Photon OS 3.0.
He asked me to verify where the configuration for the maximum failed OS login attempts can be changed. This is normally set at UAG deploy time, and there is no easy option to change it afterwards.
Be aware that this is a rather unconventional change: these values should normally stay at their defaults, especially if you want to remain compliant with audits such as the CIS benchmarks.
This is the default, and also the line that you need to change:

auth required pam_tally2.so file=/var/log/tallylog deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300
Open system-auth, located in /etc/pam.d:

vi /etc/pam.d/system-auth

Then adjust the following options on that line:
- deny=3
Change deny=3 to the maximum number of failed attempts you want. If you set it to 0 (zero), it will never lock any local user based on the maximum failed OS login attempts.
- even_deny_root
Remove this option if the root user should not be locked out after reaching the maximum failed OS login attempts.
- unlock_time=86400
Unlock time (in seconds) for all users; 86400 is the default.
- root_unlock_time=300
Unlock time (in seconds) for the root user account.
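As an added example (not from the original post, VMware or Photon OS), the following POSIX shell audit parses the pam_tally2 line of a system-auth style file and flags when the lockout policy has been weakened below the default shown above (deny set to 0, or even_deny_root removed). It runs against constructed sample files created with mktemp, not the real /etc/pam.d/system-auth, so it can be tried without touching a live UAG.

```shell
#!/bin/sh
# Audit the pam_tally2 line of a system-auth style file (constructed sample files below,
# not the real /etc/pam.d/system-auth). Prints the effective lockout settings and returns
# 1 when the policy is weaker than the UAG default (deny=3 with even_deny_root).

pam_tally2_line() {
    # First active (non-comment) "auth required pam_tally2.so" line in file $1
    grep -E '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_tally2\.so' "$1" | head -n 1
}

pam_tally2_opt() {
    # Value of the key=value option $2 (e.g. deny) on line $1; empty if absent
    printf '%s\n' "$1" | tr ' \t' '\n\n' | sed -n "s/^$2=//p" | head -n 1
}

pam_tally2_has_flag() {
    # True if the bare flag $2 (e.g. even_deny_root) is present on line $1
    printf '%s\n' "$1" | tr ' \t' '\n\n' | grep -qx "$2"
}

audit_lockout() {
    line=$(pam_tally2_line "$1")
    [ -n "$line" ] || { echo "no pam_tally2 line found in $1"; return 2; }
    deny=$(pam_tally2_opt "$line" deny)
    unlock=$(pam_tally2_opt "$line" unlock_time)
    root_unlock=$(pam_tally2_opt "$line" root_unlock_time)
    if pam_tally2_has_flag "$line" even_deny_root; then root_flag=yes; else root_flag=no; fi
    echo "deny=${deny:-unset} even_deny_root=$root_flag unlock_time=${unlock:-unset} root_unlock_time=${root_unlock:-unset}"
    # Weak: lockout disabled (deny missing or 0) or root exempted from lockout
    case "$deny" in ''|0) return 1 ;; esac
    [ "$root_flag" = yes ] || return 1
    return 0
}

# Constructed sample files standing in for /etc/pam.d/system-auth
DEFAULT_AUTH=$(mktemp)
cat > "$DEFAULT_AUTH" <<'EOF'
# Begin /etc/pam.d/system-auth (constructed sample with the UAG default line)
auth required pam_tally2.so file=/var/log/tallylog deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300
auth required pam_unix.so
EOF
RELAXED_AUTH=$(mktemp)
cat > "$RELAXED_AUTH" <<'EOF'
auth required pam_tally2.so file=/var/log/tallylog deny=0 onerr=fail unlock_time=86400 root_unlock_time=300
auth required pam_unix.so
EOF

audit_lockout "$DEFAULT_AUTH"
audit_lockout "$RELAXED_AUTH" || echo "WEAK: lockout policy is weaker than the default"
```

Point audit_lockout at /etc/pam.d/system-auth on the appliance to check what is actually in effect after an edit.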
Source: https://www.stigviewer.com/stig/vmware_vsphere_6.7_photon_os/2022-09-27/