Thanks Vasudeva and Joe, Here it goes. when I check the /usr/share/doc/pam-0.77/txts/README.pam_tally It shows the options I can use. On that the deny option is part of account (not auth), may be later it has been moved to auth as I can see in online docs. Secondly it doesn't have the unlock_time option. That's why it's giving unknown option unlock_time. So the question here is, is there any way to block a user for a certain amount of time, and unlock automatically? I got this clue from nahant-list <a href="http://www.redhat.com/archives/nahant-list/2006-August/msg00104.html">http://www.redhat.com/archives/nahant-list/2006-August/msg00104.html</a>. <div class="gmail_quote">2008/6/17 Joe_Wulf <<a href="mailto:Joe_Wulf@yahoo.com">Joe_Wulf@yahoo.com</a>>: <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> <div link="blue" vlink="blue" lang="EN-US"> <div> Hmmmmmmm..... I see what you are saying about it being an 'auth' option, not for account. I'm going to work on this some more, on my own and see what I can come up with. Would like to further collaborate with you regarding this, share lessons learned, etc....<div class="Ih2E3d"> <div> R, -Joe Wulf, CISSP, USN(RET) Senior IA Engineer ProSync Technology Group, LLC <a href="http://www.prosync.com" target="_blank">www.prosync.com</a> </div> </div><div> <div style="margin-left: 0.5in; text-align: center;" align="center"> <hr align="center" size="2" width="100%"> </div> From: <a href="mailto:pam-list-bounces@redhat.com" target="_blank">pam-list-bounces@redhat.com</a> [mailto:<a href="mailto:pam-list-bounces@redhat.com" target="_blank">pam-list-bounces@redhat.com</a>] On Behalf Of Monu Agrawal Sent: Monday, June 16, 2008 15:14<div class="Ih2E3d"> To: <a href="mailto:pam-list@redhat.com" target="_blank">pam-list@redhat.com</a> </div>Subject: RE: pam_tally: unknown option </div><div><div></div><div class="Wj3C7c"> Thanks Joe, but as per documents, deny and unlock_time are auth options, not thee account options. When I changed the config as you mentioned: account required pam_tally.so deny=2 the error "unknown option deny" stopped coming but it didn't make any difference in the time it waits after wrong passwd, even if I make it 20. The version, I can't change because of some dependency reasons. <div> <blockquote style="border-style: none none none solid; border-color: -moz-use-text-color -moz-use-text-color -moz-use-text-color rgb(204, 204, 204); border-width: medium medium medium 1pt; padding: 0in 0in 0in 6pt; margin-left: 4.8pt; margin-right: 0in;"> ---------- Forwarded message ---------- From: "Joe_Wulf" <<a href="mailto:Joe_Wulf@yahoo.com" target="_blank">Joe_Wulf@yahoo.com</a>> To: "'Pluggable Authentication Modules'" <<a href="mailto:pam-list@redhat.com" target="_blank">pam-list@redhat.com</a>> Date: Mon, 16 Jun 2008 08:37:29 -0400 Subject: RE: pam_tally: unknown option <div link="blue" vlink="purple"> <div> I've played with PAM some, and am learning more all the time. One resource I turn to pretty frequently is the PAM documentation found at <a href="http://kernel.org/pub/linux/libs/pam" target="_blank">kernel.org/pub/linux/libs/pam</a>. >From what I've learned along the way, I think your "auth" line isn't the right place for the "deny" option, and that would be why you get the errors you do. What works for me is to have the deny option be on the "account" line, as follows: account required /lib/security/$ISA/pam_tally.so deny=2 <div> Secondly, I'd recommend upgrading to a newer version of PAM, ..77 is quite outdated. You'll probably have much greater success with a newer release. Good luck! R, -Joe Wulf, CISSP, USN(RET) Senior IA Engineer ProSync Technology Group, LLC <a href="http://www.prosync.com" target="_blank">www.prosync.com</a> </div> <div> <div style="margin-left: 0.5in;"> <div style="margin-left: 0.5in; text-align: center;" align="center"> <hr align="center" size="2" width="100%"> </div> </div> From: <a href="mailto:pam-list-bounces@redhat.com" target="_blank">pam-list-bounces@redhat.com</a> [mailto:<a href="mailto:pam-list-bounces@redhat.com" target="_blank">pam-list-bounces@redhat.com</a>] On Behalf Of Monu Agrawal Sent: Monday, June 16, 2008 07:39 To: <a href="mailto:pam-list@redhat.com" target="_blank">pam-list@redhat.com</a> Subject: pam_tally: unknown option </div> Hi, I am using pam-0.77-65.1. The problem I am getting with it is, I am not able to set deny and unlock_time options. My file looks like following: #%PAM-1.0 auth required pam_stack.so service=system-auth auth required pam_nologin.so auth required pam_tally.so deny=3 onerr=fail unlock_time=600 account required pam_tally.so account required pam_stack.so service=system-auth password required pam_stack.so service=system-auth session required pam_stack.so service=system-auth I am getting the following error messages on /var/log/messages Jun 16 17:05:32 ssc-216 pam_tally[26272]: pam_tally: unknown option; deny=3 Jun 16 17:05:32 ssc-216 pam_tally[26272]: pam_tally: unknown option; unlock_time=600 Are these options available on the this particular version? Can anybody tell me what is wrong with the above config? -- The things we know best are the things we haven't been taught. 'Make Your Own Way' Monu Agrawal </div> </div> _______________________________________________ Pam-list mailing list <a href="mailto:Pam-list@redhat.com" target="_blank">Pam-list@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/pam-list" target="_blank">https://www.redhat.com/mailman/listinfo/pam-list</a> </blockquote> </div> -- The things we know best are the things we haven't been taught. 'Make Your Own Way' Monu Agrawal </div></div></div> </div> _______________________________________________ Pam-list mailing list <a href="mailto:Pam-list@redhat.com">Pam-list@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/pam-list" target="_blank">https://www.redhat.com/mailman/listinfo/pam-list</a> </blockquote></div> -- The things we know best are the things we haven't been taught. 'Make Your Own Way' Monu Agrawal