Per-account password lockout policy (PAM)

I was asked how to use PAM to lock an account after wrong passwords on a per-account basis,
and after a long grind of searching and trial-and-error configuration I found a way.

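Add entries that apply a specific setting to particular users and fall back to a global setting for every other account. Each pam_succeed_if.so line uses [success=ignore default=1]: if the user matches, processing continues to the pam_tally2.so line that follows; otherwise that one line is skipped.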

# vi /etc/pam.d/system-auth
==================================================

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth    [success=ignore default=1] pam_succeed_if.so user in user1:user2
auth        required      pam_tally2.so deny=2 unlock_time=1200
auth    [success=ignore default=1] pam_succeed_if.so user in user3
auth        required      pam_tally2.so deny=5 unlock_time=1200
auth    [success=ignore default=1] pam_succeed_if.so user notin user1:user2:user3
auth        required      pam_tally2.so deny=10 unlock_time=1200
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_tally2.so
account     required      pam_unix.so
<remainder omitted>
==================================================
# vi /etc/pam.d/password-auth
==================================================
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth    [success=ignore default=1] pam_succeed_if.so user in user1:user2
auth        required      pam_tally2.so deny=2 unlock_time=1200
auth    [success=ignore default=1] pam_succeed_if.so user in user3
auth        required      pam_tally2.so deny=5 unlock_time=1200
auth    [success=ignore default=1] pam_succeed_if.so user notin user1:user2:user3
auth        required      pam_tally2.so deny=10 unlock_time=1200
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_tally2.so
account     required      pam_unix.so
==================================================
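
To check which lockout threshold a given account ends up with, the following added example (not part of the original post) walks the auth stack the way the [success=ignore default=1] jumps do and prints the pam_tally2.so options that the user reaches. The function names and the user "alice" are hypothetical, the sample input is constructed from the system-auth lines above, and only the "user in" / "user notin" tests and default=N jumps are modelled.

```shell
# Constructed sample: auth lines from the system-auth file above (pam_deny.so left out).
sample_stack() {
cat <<'EOF'
auth        required      pam_env.so
auth    [success=ignore default=1] pam_succeed_if.so user in user1:user2
auth        required      pam_tally2.so deny=2 unlock_time=1200
auth    [success=ignore default=1] pam_succeed_if.so user in user3
auth        required      pam_tally2.so deny=5 unlock_time=1200
auth    [success=ignore default=1] pam_succeed_if.so user notin user1:user2:user3
auth        required      pam_tally2.so deny=10 unlock_time=1200
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
EOF
}

# effective_lockout USER (hypothetical helper): read a PAM file on stdin and
# print the options of every auth pam_tally2.so line that USER reaches.
effective_lockout() {
  awk -v user="$1" '
    $1 != "auth" { next }               # other stacks, comments, blank lines
    skip > 0     { skip--; next }       # module jumped over by default=N
    {
      # The control field is one word or a bracketed [key=value ...] group.
      ctl = $2; i = 3
      while (ctl ~ /^\[/ && ctl !~ /\]$/ && i <= NF) ctl = ctl " " $(i++)
      mod = $i
    }
    mod == "pam_succeed_if.so" && $(i+1) == "user" {
      n = split($(i+3), names, ":"); hit = 0
      for (k = 1; k <= n; k++) if (names[k] == user) hit = 1
      if ($(i+2) == "in") ok = hit
      else if ($(i+2) == "notin") ok = !hit
      else next                         # operator not modelled
      # Test failed: default=N skips the next N modules of this stack.
      if (!ok && match(ctl, /default=[0-9]+/))
        skip = substr(ctl, RSTART + 8, RLENGTH - 8) + 0
      next
    }
    mod == "pam_tally2.so" {
      out = ""
      for (k = i + 1; k <= NF; k++) out = out (out == "" ? "" : " ") $k
      print out
    }
  '
}

for u in user1 user3 alice; do
  printf '%s: %s\n' "$u" "$(sample_stack | effective_lockout "$u")"
done
```

Exactly one line of output per user means exactly one pam_tally2.so line is reached; two or more would mean a single failed login is counted more than once. To check the live file, run `effective_lockout someuser < /etc/pam.d/system-auth`.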