Register "telnet" login failures with pam_tally
Nalin Dahyabhai
nalin at redhat.com
Fri Nov 12 23:36:11 UTC 2004
On Fri, Nov 12, 2004 at 01:52:15PM +0000, Billy Snider wrote:
> Has anyone had problems getting login failures to register with Fedora
> Core 3? I am trying to "telnet" into the system and get a failure to
> register.
>
> Here is my "login" file:
>
> #%PAM-1.0
> auth required pam_securetty.so
> auth required pam_stack.so service=system-auth
> auth required /lib/security/pam_tally.so deny=5 onerr=fail no_magic_root
> auth required pam_nologin.so
> account required pam_stack.so service=system-auth
> password required pam_stack.so service=system-auth
[snip]
> Failures do register in the "/var/log/messages" but not
> "/var/log/faillog".
>
> It acts as if "telnet" doesn't even use the "login" configuration file
> within "/etc/pam.d".
>
> From a previous posting "ssh" logins register failures just fine with
> the following in the "sshd" file:
>
> auth required pam_stack.so service=system-auth
> auth required pam_nologin.so
> auth required pam_tally.so no_magic_root
> account required pam_tally.so deny=3 no_magic_root per_user
> account required pam_stack.so service=system-auth
[snip]
In the configuration file for "login", you're passing the "deny=" flag
to pam_tally when used as an "auth" module, while in "sshd", the "deny="
flag is being correctly passed to pam_tally being used as an "account"
module. You also don't seem to be calling pam_tally as an "account"
module in the "login" configuration file.
HTH,
Nalin
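
A check for the two problems the reply identifies, as an added example that is not part of the original message: it reads one pam.d service file and flags "deny=" on an "auth" pam_tally line and a missing "account" pam_tally line. The function names are this example's own; the two sample files are the ones quoted in the post.

```python
import os
import re

RULE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")  # type control module args

def parse_pam(text):
    """Yield (type, module, args) for each rule in one /etc/pam.d service file."""
    text = text.replace("\\\n", " ")            # join backslash-continued lines
    for line in text.splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())   # drop comments, #%PAM-1.0
        if m:
            mtype, _control, module, args = m.groups()
            yield mtype.lstrip("-").lower(), os.path.basename(module), args.split()

def check_tally(text):
    """Report the two pam_tally mistakes the reply points out."""
    # Only this file is read; a stacked service (pam_stack.so service=...) is not followed.
    stacks, findings = set(), []
    for mtype, module, args in parse_pam(text):
        if module != "pam_tally.so":
            continue
        stacks.add(mtype)
        if mtype == "auth" and any(a.startswith("deny=") for a in args):
            findings.append("deny= passed to pam_tally as an auth module")
    if stacks and "account" not in stacks:
        findings.append("pam_tally is never called as an account module")
    return findings

# The two files quoted in the post (the mail line wrap in "login" is joined).
LOGIN = """\
#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required /lib/security/pam_tally.so deny=5 onerr=fail no_magic_root
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
"""
SSHD = """\
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
auth required pam_tally.so no_magic_root
account required pam_tally.so deny=3 no_magic_root per_user
account required pam_stack.so service=system-auth
"""

if __name__ == "__main__":
    for name, conf in (("login", LOGIN), ("sshd", SSHD)):
        print(name, check_tally(conf) or "ok")
```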