difficulties with pam_tally

Tomas Mraz tmraz at redhat.com
Wed Jul 13 08:26:00 UTC 2005


On Tue, 2005-07-12 at 10:17 -0500, Jason Joines wrote:
>     I'm trying to get pam_tally to lock out Usermin connections.  I'm 
> using pam_tally 0.1 with pam 0.77 on SuSE Linux 9.2.  With this 
> /etc/pam.d/usermin file, the tally gets updated at each failed attempt 
> and reset on a successful login but access is never blocked even when 
> the tally reaches double digits:
> 
> #%PAM-1.0
> auth    required        pam_unix.so     nullok
> auth    required        pam_tally.so no_magic_root
> account required        pam_unix.so
> account required        pam_tally.so deny=5 reset
> session required        pam_unix.so
> 
>
>     I noticed that my SuSE Linux 9.3 box came with pam_tally 0.2 and pam 
> 0.78 and that the 0.2 version of pam_tally had more options such as 
> lock_time.  I copied the pam_tally.so and pam_tally from it to the 9.2 
> box and gave it a try.  Then I had the opposite problem.  The tally gets 
> updated at each failed login attempt but does not get reset on success.  
> As a result, once the tally is exceeded, two failed authentication
> attempts result in the account being blocked until the time limit has
> expired.  Here's the /etc/pam.d/usermin I tried with pam_tally 0.2:
> 
> #%PAM-1.0
> auth    required        pam_unix.so     nullok
> auth    required        pam_tally.so deny=5 lock_time=15 unlock_time=900
> account required        pam_unix.so
> account required        pam_tally.so magic_root
> session required        pam_unix.so
> 
> 
>     Am I missing something?  Usermin (http://www.webmin.com) runs as 
> root.  I'd like to have pam_tally lock accounts with 5 failed login 
> attempts for 15 minutes and then unlock them.  If anyone has something 
> like this working I'd sure appreciate the posting of the pam 
> configuration file and any relevant version numbers.

The magic_root option is almost never needed (it's useful only for su
and similar things) and, if it is supplied to the account phase, it has
to be in the auth phase too.

However, the webmin code might be wrong in not calling the pam_setcred or
pam_acct_mgmt functions; if that is the case, then pam_tally cannot be used
with webmin. At least pam_acct_mgmt must be called, so this should be
reported to the webmin developers as a bug.

-- 
Tomas Mraz <tmraz at redhat.com>
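A configuration for the set-up asked about (lock after 5 failures, unlock after 15 minutes), written as an added example in the style of the quoted files rather than taken from the post or from the pam_tally documentation. It assumes pam_tally 0.2 as shipped with pam 0.78, where the auth phase counts attempts and enforces deny/unlock_time and the account phase clears the count after a successful login, and it leaves magic_root out, in line with the reply:

```pam
#%PAM-1.0
# /etc/pam.d/usermin: refuse after 5 failed attempts, unlock after 900 s.
# Added example, not from the original post.  pam_tally goes first in the
# auth stack so a locked account is refused before the password is checked;
# onerr=fail makes an unreadable tally file fail closed.
auth    required        pam_tally.so    onerr=fail deny=5 unlock_time=900
auth    required        pam_unix.so     nullok
account required        pam_unix.so
# This line is what resets the count after a successful login.  It only runs
# if the application calls pam_acct_mgmt(), which is the point of the reply.
account required        pam_tally.so
session required        pam_unix.so
```

The quickest way to tell whether the account phase is actually being run is the pam_tally command that ships with the module: `pam_tally --user NAME` prints the current count, and `pam_tally --user NAME --reset` clears it by hand. If the count keeps climbing across successful Usermin logins, the application is stopping at pam_authenticate().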


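To make the last point concrete, here is an added example, written for this page and not taken from pam_tally, Linux-PAM or webmin: a small in-memory model of the pam_tally 0.2 division of labour, with the auth phase bumping the counter and enforcing deny/unlock_time and the account phase clearing it, driven once by an application that stops at pam_authenticate() and once by one that goes on to pam_acct_mgmt(). The names (tally_auth, tally_acct, login_auth_only, login_full, USERMIN_OPTS), the table standing in for /var/log/faillog, and the assumption that an expired unlock_time only suspends the lock without clearing the count are all illustrative; the reply's point turns on the account-phase reset, which is modelled as pam_tally documents it.

```c
/* Added example, not pam_tally's or Linux-PAM's code: an in-memory model of
 * how pam_tally 0.2 splits its work between the auth and account phases.
 * Function names, the table standing in for /var/log/faillog and the exact
 * unlock_time handling are assumptions made for illustration. */
#include <stdio.h>
#include <time.h>

enum { T_SUCCESS = 0, T_AUTH_ERR = 7, T_MAXTRIES = 8 }; /* PAM-style codes */

struct tally_rec {           /* one faillog-style record per uid */
    unsigned uid;
    unsigned count;          /* attempts counted since the last reset */
    time_t   last_attempt;   /* when the last counted attempt happened */
    int      used;
};

struct tally_opts {          /* options from the pam_tally.so line */
    unsigned deny;           /* deny=N: refuse once the count exceeds N */
    long     unlock_time;    /* unlock_time=S: ignore the lock S s after the last attempt */
    int      no_magic_root;  /* no_magic_root: count and lock uid 0 as well */
};

/* The settings asked for in the thread: 5 failures, 15-minute lockout. */
const struct tally_opts USERMIN_OPTS = { 5, 900, 0 };

static struct tally_rec faillog[16];

/* Find the record for uid, claiming the first unused slot on first sight. */
static struct tally_rec *tally_lookup(unsigned uid)
{
    for (size_t i = 0; i < sizeof faillog / sizeof faillog[0]; i++) {
        if (!faillog[i].used) {
            faillog[i].used = 1;
            faillog[i].uid = uid;
        }
        if (faillog[i].uid == uid)
            return &faillog[i];
    }
    return NULL;
}

unsigned tally_count(unsigned uid)
{
    struct tally_rec *r = tally_lookup(uid);
    return r != NULL ? r->count : 0;
}

/* "auth required pam_tally.so deny=N unlock_time=S": runs on every attempt and
 * cannot see pam_unix's verdict, so it always bumps the counter; it refuses
 * once the count is over deny and the previous attempt was recent. */
int tally_auth(const struct tally_opts *o, unsigned uid, time_t now)
{
    if (uid == 0 && !o->no_magic_root)
        return T_SUCCESS;                /* root is exempt unless no_magic_root */
    struct tally_rec *r = tally_lookup(uid);
    if (r == NULL)
        return T_AUTH_ERR;               /* table unusable: fail closed */
    time_t previous = r->last_attempt;
    r->count++;
    r->last_attempt = now;
    if (o->deny == 0 || r->count <= o->deny)
        return T_SUCCESS;
    if (o->unlock_time != 0 && previous + o->unlock_time <= now)
        return T_SUCCESS;                /* lock expired; the count stands until reset */
    return T_MAXTRIES;
}

/* "account required pam_tally.so": the only place the count is cleared, so an
 * application that skips pam_acct_mgmt() never gets here. */
int tally_acct(const struct tally_opts *o, unsigned uid)
{
    struct tally_rec *r = tally_lookup(uid);
    if (r != NULL && (uid != 0 || o->no_magic_root))
        r->count = 0;
    return T_SUCCESS;
}

/* pam_authenticate() alone, as a broken application does it: pam_unix (verdict
 * password_ok) then pam_tally, both "required", so the first failure wins. */
int login_auth_only(const struct tally_opts *o, unsigned uid, int password_ok, time_t now)
{
    int unix_rc = password_ok ? T_SUCCESS : T_AUTH_ERR;
    int tally_rc = tally_auth(o, uid, now);
    return unix_rc != T_SUCCESS ? unix_rc : tally_rc;
}

/* pam_authenticate() then pam_acct_mgmt(), as a correct application does it. */
int login_full(const struct tally_opts *o, unsigned uid, int password_ok, time_t now)
{
    int rc = login_auth_only(o, uid, password_ok, now);
    return rc != T_SUCCESS ? rc : tally_acct(o, uid);
}

int main(void)
{
    time_t t0 = 1000000;                 /* constructed timestamp */
    for (int i = 0; i < 5; i++)
        login_auth_only(&USERMIN_OPTS, 1000, 0, t0);
    printf("right password after 5 failures: rc=%d\n", login_auth_only(&USERMIN_OPTS, 1000, 1, t0 + 10));
    printf("after unlock_time without acct_mgmt: rc=%d\n", login_auth_only(&USERMIN_OPTS, 1000, 1, t0 + 910));
    printf("count left behind: %u\n", tally_count(1000));
    return 0;
}
```

Played through the scenario from the first post (five wrong passwords, then a right one), an application that stops at pam_authenticate() sees the lock lift once unlock_time has passed but leaves the count above deny, so the very next attempt is refused again; one that continues to pam_acct_mgmt() has the count cleared by the account line and behaves as the poster wanted.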


More information about the Pam-list mailing list