pam tally and faillog questions
Nalin Dahyabhai
nalin at redhat.com
Fri Apr 16 19:49:11 UTC 2004
On Fri, Apr 16, 2004 at 03:01:23PM -0400, Chris Stankaitis wrote:
> I posted this to the RH PAM list in January, since then I have not seen
> a SINGLE message to that list so I must assume it's dead. I am going to
> re-ask here in the hopes that we have some pam gurus around.
You should verify that you're actually subscribed, then. While it's not
nearly as high-traffic as fedora-list, it is active. The archives show
12 messages this month, the most recent about an hour ago.
> Is there a better workaround than what I have done? Is there a proper
> way to get these two to play well together?
The screen saver should probably be calling pam_acct_mgmt(), even if it
"knows" that the user should always be allowed access.
> 2) is there a way to get pam_tally/faillog to unlock an account after XX
> mins... I have hacked together a bash script to do this but I would
> prefer to use native capabilities if they exist
The faillog file format supports it, and pam_tally obeys it, but the
tools don't provide a way to set that timeout. That would make a good
enhancement request.
> 3) This is my big problem... I have set tally to deny after X attempts..
> and it works... kinda... it seems like faillog or something is ignoring
> the deny= line in my pam account section.. when I first do a faillog
> after turning on the tally I get the normal output however it doesn't
> seem to catch the deny and populate that to the Maximum... so if my deny
> is set to 4 when I first do a faillog the Maximum is set to 0, I
> manually do a faillog -m 4 and that fixes the problem for all the
> current users on the box however when users are added to the box their
> maximum is zero.
>
> Why isn't faillog reading the deny=X from my account requires line and
> setting the maximum based on that?
Having a configuration for account management unfortunately doesn't
ensure that an application will make use of it.
> for new users is there a login.defs value required to set the maximum on
> account creation??
There is not, at least not currently.
Cheers,
Nalin
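
An added example for the reply's point that the faillog file format carries a per-user lock time even though the tools cannot set it. It is not part of the original message and not code from pam_tally or shadow-utils. The record layout is assumed from shadow-utils' `faillog.h`; `fl_read`, `fl_set_policy` and the `faillog.sample` file are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <sys/types.h>

/* Layout assumed from shadow-utils' faillog.h; record N belongs to UID N. */
struct faillog {
    short  fail_cnt;       /* failures since last success */
    short  fail_max;       /* failures before lockout, 0 = no limit */
    char   fail_line[12];  /* tty of the last failure */
    time_t fail_time;      /* time of the last failure */
    long   fail_locktime;  /* seconds after last failure until re-enable, 0 = none */
};

/* Read uid's record; a slot past end-of-file reads back as zeros. */
int fl_read(const char *path, uid_t uid, struct faillog *fl)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    if (fseek(f, (long)uid * (long)sizeof *fl, SEEK_SET) != 0 ||
        fread(fl, sizeof *fl, 1, f) != 1)
        memset(fl, 0, sizeof *fl);
    fclose(f);
    return 0;
}

/* Set fail_max and fail_locktime for uid, keeping the other fields. */
int fl_set_policy(const char *path, uid_t uid, short max, long locktime)
{
    struct faillog fl;
    FILE *f;
    int ok;
    if (fl_read(path, uid, &fl) != 0 || !(f = fopen(path, "r+b"))) return -1;
    fl.fail_max = max;
    fl.fail_locktime = locktime;
    ok = fseek(f, (long)uid * (long)sizeof fl, SEEK_SET) == 0 &&
         fwrite(&fl, sizeof fl, 1, f) == 1;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

int main(void)
{
    const char *p = "faillog.sample";  /* constructed, empty sample file */
    struct faillog fl;
    FILE *f = fopen(p, "wb");
    if (!f || fclose(f) || fl_set_policy(p, 1000, 4, 600) || fl_read(p, 1000, &fl))
        return 1;
    printf("uid 1000: max=%d locktime=%ld\n", fl.fail_max, fl.fail_locktime);
    return 0;
}
```

Run it against a copy of the faillog file first, to confirm that the record layout matches the installed shadow-utils before touching the live file.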