account required pam_tally.so deny=2
---------- Forwarded message ----------
From: "Joe_Wulf" <Joe_Wulf yahoo com>
To: "'Pluggable Authentication Modules'" <pam-list redhat com>
Date: Mon, 16 Jun 2008 08:37:29 -0400
Subject: RE: pam_tally: unknown option
I've played with PAM some, and am learning more all the time. One resource I turn to pretty frequently is the PAM documentation found at kernel.org/pub/linux/libs/pam. From what I've learned along the way, I think your "auth" line isn't the right place for the "deny" option, and that would be why you get the errors you do.
What works for me is to have the deny option be on the "account" line, as follows:
account required /lib/security/$ISA/pam_tally.so deny=2
Secondly, I'd recommend upgrading to a newer version of PAM, ..77 is quite outdated. You'll probably have much greater success with a newer release.
-Joe Wulf, CISSP, USN(RET)
Senior IA Engineer
ProSync Technology Group, LLC
I am using pam-0.77-65.1. The problem I am getting with it is, I am not able to set deny and unlock_time options.
My file looks like following:
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
auth required pam_tally.so deny=3 unlock_time=600
account required pam_tally.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
I am getting the following error messages on /var/log/messages
Jun 16 17:05:32 ssc-216 pam_tally: pam_tally: unknown option; deny=3
Jun 16 17:05:32 ssc-216 pam_tally: pam_tally: unknown option; unlock_time=600
Are these options available on the this particular version? Can anybody tell me what is wrong with the above config?
The things we know best are
the things we haven't been taught.
'Make Your Own Way'
Pam-list mailing list
Pam-list redhat com