
Re: question about pam_tally.so



You wrote:
> I have added pam_tally.so to pam.conf with the following line..
> 
> login	account	required	/lib/security/pam_tally.so deny=3 no_reset
> (I put this in login account, because it seems that pam_tally can go in
> auth as well.. should it be in auth instead??)


I use this for login (I've also added this to the README):

    # This line counts logins, successful or failed
    login   auth       required /lib/security/pam_tally.so no_magic_root

    # This line fails logins if the count is too high, but permits logins
    # and decrements the counter again if the count wasn't too high.
    # This line is not useful without the auth line.
    login   account    required /lib/security/pam_tally.so deny=3 no_magic_root


> This line appears after the auth required nologin.so line.
> 
> I create /var/log/faillog mode 600.

(I've added something like this to the README too)

[10:27:49] stoat:warwick $ ll /var/log/faillog
-rw-r--r--   1 root     root            0 Jun 20 10:23 /var/log/faillog

I keep faillog world-readable so the pam_tally command can be used by
anyone - in their .login, for instance (although I suppose `account had
2 failed attempts' is really session's duty).

> I thought this would lock an account if they had three unsuccessful tries,

Only if it's been told to count logins, which is what the auth line does.

> but, the only thing that goes into faillog is a bunch of @ symbols, the

@? Should be ^@, NUL==0. The file is a sparse file. What's happening is
that the account line reads a 0, decrements it, corrects it to a minimum
of 0, then writes it back again.

> account isn't locked.. and there really isn't any documentation on how to
> unlock an account.. rather than the README that Tim included..

No, there isn't, sorry.  If you `make' the module, it produces pam_tally.so
and pam_tally. pam_tally maintains the faillog files:

pam_tally: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]

    --file denotes which file is the faillog file
    --user nominates a user to handle. May not be numeric id, just now.
    --reset resets --user if nominated (or all users) to 0
    --reset=n resets --user (all is unavailable) to n
    --quiet quite quiet. :)

I've added this to the README too. :)

> I would be very grateful for any pointers on how to correctly use this
> module.

Hope this helps - sorry for the impoverished docs. The new README is
http://www.mmm.co.uk/~warwick/pam/pam_tally/README

Mm. Just a thought.. I use a horrible makefile which I seem to remember
Andrew standardises. Does the PAM distribution still make pam_tally as
well as pam_tally.so?  Compiling with -DMAIN and -lc (and not -lpam) makes
it from the same source as the module proper.

.-----------------------------------. mailto:warwick@mmm.co.uk
! Tim Baverstock, Internet SysAdmin !   http://www.mmm.co.uk [/~warwick]
`-----------------------------------'   plan:"Level 1 RFC1149 compliance."
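
Added example (not part of the original mail and not pam_tally's own code): a Python model of the auth and account lines described above, showing why an account-only configuration never locks and leaves faillog full of NUL bytes. Assumptions: a simplified one-counter-per-UID record rather than the real faillog layout, "too high" taken as strictly greater than deny, and a constructed UID of 1000.

```python
import os
import struct
import tempfile

REC = struct.Struct("<H")  # assumption: one 16-bit counter per UID, not the real record layout


def read_count(path, uid):
    with open(path, "rb") as f:
        f.seek(uid * REC.size)
        raw = f.read(REC.size)
    return REC.unpack(raw)[0] if len(raw) == REC.size else 0


def write_count(path, uid, count):
    with open(path, "r+b") as f:
        f.seek(uid * REC.size)  # the gap before this offset reads back as NUL bytes
        f.write(REC.pack(count))


def login(path, uid, password_ok, deny=3, auth_line=True):
    """Model one login attempt; returns True if the login is permitted."""
    if auth_line:  # auth line: count every attempt, successful or failed
        write_count(path, uid, read_count(path, uid) + 1)
    if not password_ok:
        return False  # authentication failed, so the account line never runs
    count = read_count(path, uid)
    if count > deny:  # assumption: "too high" means strictly above deny
        return False
    write_count(path, uid, max(count - 1, 0))  # decrement, corrected to a minimum of 0
    return True


def scenario(auth_line, uid=1000):
    """Three bad passwords, then a good one. uid is a constructed sample value."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        for _ in range(3):
            login(path, uid, password_ok=False, auth_line=auth_line)
        permitted = login(path, uid, password_ok=True, auth_line=auth_line)
        with open(path, "rb") as f:
            data = f.read()
        return permitted, read_count(path, uid), set(data) <= {0}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("account line only:", scenario(auth_line=False))
    print("auth + account   :", scenario(auth_line=True))
```

Each tuple is (login permitted, stored count, file is all NUL bytes).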


