Temporary User Lockout in Oracle Exadata and PAM rules

In this article I will talk about PAM (Pluggable Authentication Modules) on the Oracle Exadata Linux operating system. So what is PAM and what is it used for? As the name says, PAM is a flexible mechanism for authenticating users. It lets programs be written independently of any particular authentication scheme: the "authentication modules" are attached to them at run time, and which module is attached depends on the local system setup and is at the discretion of the local system administrator. So far so good, but what does all of this have to do with an Oracle Exadata machine? Every Oracle Exadata machine ships with the pam_tally2 module turned on, following the rules set in the sshd file in your /etc/pam.d folder. Depending on your Exadata image version the configuration may differ; to get your image version, run the imageinfo command logged in as the root user:

[root@exadata-host]# imageinfo

Kernel version: 2.6.39-400.128.17.el5uek #1 SMP Tue May 27 13:20:24 PDT 2014 x86_64
Image version: 11.2.3.3

To see the PAM option, read the sshd configuration file located in your /etc/pam.d folder:

[root@exadata-host]# cat sshd | grep lock
auth       required     pam_tally2.so deny=5 onerr=fail lock_time=600

We can see that the rule states that once a user reaches deny=5 failed logins, the account is locked and the user has to wait lock_time=600 seconds (10 minutes) before trying to log back on. PAM rules have a drawback when more than one DBA or administrator uses the same account, let's say the oracle user: if one of them enters the wrong password enough times, everyone using that account is locked out for the lock_time period stated in the rule. Let's see some commands that allow us to check or alter the lock status of a user account:
  • Check the lock status of user adrian.oprea:

    [root@exadata-host]# pam_tally2 -u adrian.oprea
    Login           Failures Latest failure     From
    root                1    11/11/14 01:11:33  xxx.xxx.xxx.xxx

  • Reset the failed login count for user adrian.oprea:

    [root@exadata-host]# pam_tally2 -u adrian.oprea -r
    Login           Failures Latest failure     From
    root                1    11/11/14 01:11:33  xxx.xxx.xxx.xxx
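The following shell functions, added here as an example and not part of the original article, put the two pieces above together: they pull deny and lock_time out of the pam_tally2 line and read the Failures column of a pam_tally2 -u report to decide whether the account is currently locked and, if not, how many attempts remain. The policy line and the report are constructed copies embedded inline (user name and address are made up) so the script runs offline.

```sh
#!/bin/sh
# Added example, not from the article: evaluate a pam_tally2 lockout policy
# against a user's tally report without touching the real system.

# Constructed copy of the module line from /etc/pam.d/sshd.
PAM_LINE='auth       required     pam_tally2.so deny=5 onerr=fail lock_time=600'

# Constructed sample of `pam_tally2 -u <user>` output (header + one row).
TALLY_OUT='Login           Failures Latest failure     From
dbadmin             5    11/11/14 01:11:33  192.0.2.10'

# pam_option LINE NAME -> value of NAME=value on the module line ("" if absent).
pam_option() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# tally_failures REPORT -> the Failures column of the single data row.
tally_failures() {
    printf '%s\n' "$1" | awk 'NR == 2 { print $2 }'
}

# lock_status LINE REPORT -> "locked <lock_time>" when failures reached deny,
# otherwise "open <attempts left before the account locks>".
lock_status() {
    deny=$(pam_option "$1" deny)
    lock_time=$(pam_option "$1" lock_time)
    failures=$(tally_failures "$2")
    if [ "$failures" -ge "$deny" ]; then
        echo "locked $lock_time"
    else
        echo "open $((deny - failures))"
    fi
}

lock_status "$PAM_LINE" "$TALLY_OUT"   # locked 600
```

On a live host you would feed it `grep pam_tally2 /etc/pam.d/sshd` and `pam_tally2 -u <user>` instead of the constructed strings.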

I hope this article was useful.