<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"> <head> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"> <meta name=Generator content="Microsoft Word 12 (filtered medium)"> <style>  </style>  </head> <body lang=EN-US link=blue vlink=purple> <div class=Section1> Will this work for RHEL ES 4.5 as well, or are there modifications needed?<o:p></o:p> <o:p> </o:p> Thanks!<o:p></o:p> <o:p> </o:p> Bill<o:p></o:p> <o:p> </o:p> <div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'> <div> <div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'> From: pam-list-bounces@redhat.com [mailto:pam-list-bounces@redhat.com] On Behalf Of Vasudeva R Sent: Monday, July 14, 2008 5:27 PM To: pam-list@redhat.com Subject: Re: Bug in pam_tally on Red Hat Enterprise Linux Server release 5.1(Tikanga).<o:p></o:p> </div> </div> <o:p> </o:p> Thank you Tomas, It works perfect. My configuration file now looks like this: auth required pam_env.so auth required pam_tally.so onerr=fail per_user deny=3 unlock_time=60 auth sufficient pam_unix.so try_first_pass auth required pam_deny.so account required pam_tally.so account required pam_unix.so account sufficient pam_succeed_if.so uid < 500 quiet account required pam_permit.so password requisite pam_cracklib.so minlen=7 ucredit=0 lcredit=-1 dcredit=-1 ocredit=0 retry=3 password sufficient pam_unix.so use_authtok md5 shadow remember=4 password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so Thank you again. Appreciate your timely reply with proper solution. Regards, Vasu<o:p></o:p> <div> On Mon, Jul 14, 2008 at 3:27 PM, Vasudeva R <<a href="mailto:rachamad@gmail.com">rachamad@gmail.com</a>> wrote:<o:p></o:p> Bug in pam_tally on Red Hat Enterprise Linux Server release 5.1 (Tikanga). PAM version is: pam-0.99.6.2-3.26.el5 case 1: following lines works for RHEL-3 & RHEL-4 version with pam-0.77-66.23 version without any problems but not working for RHEL-5 auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root account required /lib/security/$ISA/pam_tally.so per_user deny=3 no_magic_root reset - faillog counter just updates number of failed password attempts - never locks the user account, - never clears the faillog counter after successful login attempt error messages found on /var/log/secure on RHEL-5 pam_tally(sshd:account): option per_user allowed in auth phase only pam_tally(sshd:account): option deny=3 allowed in auth phase only pam_tally(sshd:account): unknown option: no_magic_root pam_tally(sshd:account): unknown option: reset sshd[13368]: PAM service(sshd) ignoring max retries; 6 > 3 faillog -a user4 user4 6 0 07/14/08 15:09:30 -0400 Case 2: After modifying system-auth file with respect to the above error messages auth required pam_tally.so onerr=fail per_user deny=3 account required pam_tally.so - faillog counter not updating counter for wrong password attempts - nerver locks the user account for wrong passwords Case 3: auth required pam_tally.so onerr=fail per_user deny=3 no_magic_root account required pam_tally.so no_magic_root error messages found on /var/log/secure on RHEL-5 pam_tally(sshd:auth): unknown option: no_magic_root - faillog counter updates for wrong password attempts - nerver locks the user account for wrong passwords - never clears the faillog counter after successful login attempt I do not want to update PAM version on RHEL-5 Appreciate if i get reply with bug fix solution. -- Regards, Vasudeva R<o:p></o:p> </div> <o:p></o:p> </div> </div> </body> </html>