Note: this policy works only on RHEL4; pam_tally.so on RHEL5 differs somewhat from the RHEL4 version.
Edit /etc/pam.d/sshd so that it reads as follows:
#%PAM-1.0
auth required pam_stack.so service=system-auth
# Added line: after 6 failed password attempts an ordinary user is locked out for 60 seconds; root is locked out for 120 seconds.
auth required pam_tally2.so onerr=fail deny=6 unlock_time=60 even_deny_root root_unlock_time=120
auth required pam_nologin.so
account required pam_stack.so service=system-auth
# Added line: the account stage also uses pam_tally2.so
account required pam_tally2.so
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_loginuid.so
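
A check for the edited file, added here as an example and not part of the original note: it parses pam.d rules and reports when the pam_tally2.so auth rule lacks deny or unlock_time, when the account rule is absent, or when options have been split onto their own line without a trailing backslash. The function names and the sample strings are constructed for illustration.

```python
import re

PAM_TYPES = {"auth", "account", "password", "session"}

def parse_pam(text):
    """Split a pam.d file into rules and lines that are not rules.

    Assumes simple control values (required, sufficient, ...), not [a=b] lists.
    """
    joined = re.sub(r"\\\n", " ", text)  # a trailing backslash continues a rule
    rules, orphans = [], []
    for raw in joined.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] not in PAM_TYPES or len(fields) < 3:
            orphans.append(raw.strip())  # e.g. options cut off by a line wrap
            continue
        opts = dict(f.partition("=")[::2] for f in fields[3:])
        rules.append((fields[0], fields[2], opts))
    return rules, orphans

def audit_tally2(text):
    """Return findings for the lockout policy described above; empty means OK."""
    rules, orphans = parse_pam(text)
    findings = ["not a PAM rule: " + o for o in orphans]
    tally = {t: o for t, mod, o in rules if mod.endswith("pam_tally2.so")}
    if "auth" not in tally:
        findings.append("no auth rule for pam_tally2.so")
    else:
        for opt in ("deny", "unlock_time"):
            if not tally["auth"].get(opt, "").isdigit():
                findings.append("auth pam_tally2.so: %s missing or not a number" % opt)
    if "account" not in tally:
        findings.append("no account rule for pam_tally2.so")
    return findings

# Constructed samples: the same rule on one line, wrapped without a backslash,
# and wrapped with a backslash continuation.
GOOD = """auth required pam_stack.so service=system-auth
auth required pam_tally2.so onerr=fail deny=6 unlock_time=60 even_deny_root root_unlock_time=120
account required pam_tally2.so
"""
WRAPPED = GOOD.replace(" even_deny_root", "\neven_deny_root")
CONTINUED = GOOD.replace(" even_deny_root", " \\\neven_deny_root")

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("WRAPPED", WRAPPED), ("CONTINUED", CONTINUED)):
        print(name, audit_tally2(cfg))
```

Run it against a copy of /etc/pam.d/sshd by passing the file's contents to audit_tally2(); an empty list means the rules match the policy in this note.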