Thanks Joe, but as per documents, deny and unlock_time are auth options, not thee account options. When I changed the config as you mentioned: account required pam_tally.so deny=2 the error "unknown option deny" stopped coming but it didn't make any difference in the time it waits after wrong passwd, even if I make it 20. The version, I can't change because of some dependency reasons. <div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> ---------- Forwarded message ---------- From: "Joe_Wulf" <<a href="mailto:Joe_Wulf@yahoo.com">Joe_Wulf@yahoo.com</a>> To: "'Pluggable Authentication Modules'" <<a href="mailto:pam-list@redhat.com">pam-list@redhat.com</a>> Date: Mon, 16 Jun 2008 08:37:29 -0400 Subject: RE: pam_tally: unknown option <div link="blue" vlink="purple" lang="EN-US"> <div> I've played with PAM some, and am learning more all the time. One resource I turn to pretty frequently is the PAM documentation found at <a href="http://kernel.org/pub/linux/libs/pam" target="_blank">kernel.org/pub/linux/libs/pam</a>. From what I've learned along the way, I think your "auth" line isn't the right place for the "deny" option, and that would be why you get the errors you do. What works for me is to have the deny option be on the "account" line, as follows: account required /lib/security/$ISA/pam_tally.so deny=2 <div> Secondly, I'd recommend upgrading to a newer version of PAM, ..77 is quite outdated. You'll probably have much greater success with a newer release. Good luck! R, -Joe Wulf, CISSP, USN(RET) Senior IA Engineer ProSync Technology Group, LLC <a href="http://www.prosync.com" target="_blank">www.prosync.com</a> </div> <div> <div style="margin-left: 0.5in; text-align: center;" align="center"> <hr size="2" width="100%" align="center"> </div> From: <a href="mailto:pam-list-bounces@redhat.com" target="_blank">pam-list-bounces@redhat.com</a> [mailto:<a href="mailto:pam-list-bounces@redhat.com" target="_blank">pam-list-bounces@redhat.com</a>] On Behalf Of Monu Agrawal Sent: Monday, June 16, 2008 07:39 To: <a href="mailto:pam-list@redhat.com" target="_blank">pam-list@redhat.com</a> Subject: pam_tally: unknown option </div> Hi, I am using pam-0.77-65.1. The problem I am getting with it is, I am not able to set deny and unlock_time options. My file looks like following: #%PAM-1.0 auth required pam_stack.so service=system-auth auth required pam_nologin.so auth required pam_tally.so deny=3 onerr=fail unlock_time=600 account required pam_tally.so account required pam_stack.so service=system-auth password required pam_stack.so service=system-auth session required pam_stack.so service=system-auth I am getting the following error messages on /var/log/messages Jun 16 17:05:32 ssc-216 pam_tally[26272]: pam_tally: unknown option; deny=3 Jun 16 17:05:32 ssc-216 pam_tally[26272]: pam_tally: unknown option; unlock_time=600 Are these options available on the this particular version? Can anybody tell me what is wrong with the above config? -- The things we know best are the things we haven't been taught. 'Make Your Own Way' Monu Agrawal </div> </div> _______________________________________________ Pam-list mailing list <a href="mailto:Pam-list@redhat.com">Pam-list@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/pam-list" target="_blank">https://www.redhat.com/mailman/listinfo/pam-list</a> </blockquote></div> -- The things we know best are the things we haven't been taught. 'Make Your Own Way' Monu Agrawal