pam_tally: unknown option

Monu Agrawal monuindia at gmail.com
Mon Jun 16 19:13:57 UTC 2008


Thanks Joe, but as per documents, deny and unlock_time are auth options, not
thee account options. When I changed the config as you mentioned:

account     required      pam_tally.so deny=2

the error "unknown option deny" stopped coming but it didn't make any
difference in the time it waits after wrong passwd, even if I make it 20.
The version, I can't change because of some dependency reasons.


> ---------- Forwarded message ----------
> From: "Joe_Wulf" <Joe_Wulf at yahoo.com>
> To: "'Pluggable Authentication Modules'" <pam-list at redhat.com>
> Date: Mon, 16 Jun 2008 08:37:29 -0400
> Subject: RE: pam_tally: unknown option
>
> I've played with PAM some, and am learning more all the time.  One resource
> I turn to pretty frequently is the PAM documentation found at
> kernel.org/pub/linux/libs/pam.  From what I've learned along the way, I
> think your "auth" line isn't the right place for the "deny" option, and that
> would be why you get the errors you do.
>
>
>
> What works for me is to have the deny option be on the "account" line, as
> follows:
>
> account     required      /lib/security/$ISA/pam_tally.so deny=2
>
> Secondly, I'd recommend upgrading to a newer version of PAM, ..77 is quite
> outdated.  You'll probably have much greater success with a newer release.
>
> Good luck!
>
>
> R,
> -*Joe Wulf*, CISSP, USN(RET)
>  Senior IA Engineer
>  ProSync Technology Group, LLC
>  *www.prosync.com*
>
>   ------------------------------
>
> *From:* pam-list-bounces at redhat.com [mailto:pam-list-bounces at redhat.com] *On
> Behalf Of *Monu Agrawal
> *Sent:* Monday, June 16, 2008 07:39
> *To:* pam-list at redhat.com
> *Subject:* pam_tally: unknown option
>
>
>
> Hi,
> I am using pam-0.77-65.1. The problem I am getting with it is, I am not
> able to set deny and unlock_time options.
> My file looks like following:
> #%PAM-1.0
> auth       required     pam_stack.so service=system-auth
> auth       required     pam_nologin.so
> auth       required     pam_tally.so deny=3 onerr=fail unlock_time=600
> account    required     pam_tally.so
> account    required     pam_stack.so service=system-auth
> password   required     pam_stack.so service=system-auth
> session    required     pam_stack.so service=system-auth
>
> I am getting the following error messages on /var/log/messages
>
> Jun 16 17:05:32 ssc-216 pam_tally[26272]: pam_tally: unknown option; deny=3
> Jun 16 17:05:32 ssc-216 pam_tally[26272]: pam_tally: unknown option;
> unlock_time=600
>
> Are these options available on the this particular version? Can anybody
> tell me what is wrong with the above config?
>
> --
> The things we know best are
> the things we haven't been taught.
> 'Make Your Own Way'
> Monu Agrawal
>
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list
>



-- 
The things we know best are
the things we haven't been taught.
'Make Your Own Way'
Monu Agrawal
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pam-list/attachments/20080617/c9df1e94/attachment.htm>


More information about the Pam-list mailing list