[augeas-devel] adding pam_tally to system-auth

David Robinson zxvdr.au at gmail.com
Fri Jun 5 11:22:58 UTC 2009


Hi all,

I'm trying to use augeas to set up pam_tally, but have run into a few problems.

I'm doing this (there are 14 entries in the file, so 15 adds a new one):

set /files/etc/pam.d/system-auth/15/type auth
set /files/etc/pam.d/system-auth/15/control required
set /files/etc/pam.d/system-auth/15/module pam_tally.so
set /files/etc/pam.d/system-auth/15/argument[1] onerr=fail
set /files/etc/pam.d/system-auth/15/argument[2] deny=6
set /files/etc/pam.d/system-auth/15/argument[3] unlock_time=300
save

Which gives:

--- system-auth.augsave	2009-05-20 13:49:53.000000000 +0000
+++ system-auth	2009-06-05 11:15:45.000000000 +0000
@@ -18,3 +18,4 @@
 session     required      pam_limits.so
 session     [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
 session     required      pam_unix.so
+auth	required	pam_tally.so	onerr=fail	deny=6	unlock_time=300
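Review bot: `pam_tally.so` ends up as the last entry of the auth stack in this hunk, and equally in the wanted result at `@@ -5,6 +5,7 @@`, because PAM builds one stack per type and both placements come after `auth sufficient pam_unix.so`. A correct password makes the `sufficient` line return success before pam_tally runs, so the `deny=6` check would not stop a login to an account that has exceeded its failure count. The tally line should sit ahead of pam_unix, for example directly after `auth required pam_env.so`. The usual pam_tally setup also adds `account required pam_tally.so` so the counter is reset after a successful login; confirm this against the pam_tally documentation for this release. The file header quoted further down says authconfig regenerates system-auth, so the change may be lost on the next authconfig run.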

But I want the line to appear with all the other auth stuff, eg:

--- system-auth.augsave	2009-05-20 13:49:53.000000000 +0000
+++ system-auth.correct	2009-06-05 11:32:55.000000000 +0000
@@ -5,6 +5,7 @@
 auth        sufficient    pam_unix.so nullok try_first_pass
 auth        requisite     pam_succeed_if.so uid >= 500 quiet
 auth        required      pam_deny.so
+auth        required      pam_tally.so onerr=fail deny=6 unlock_time=300

 account     required      pam_unix.so
 account     sufficient    pam_succeed_if.so uid < 500 quiet

How can I insert a line into the middle of a file, and how can I find
where in the file it should be inserted?

The system-auth file is just the standard one from RHEL5:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
session     required      pam_unix.so

--Dave



