difficulties with pam_tally
CBA Computer Support
support at bus.okstate.edu
Wed Jul 13 16:30:55 UTC 2005
Tomas Mraz wrote:
>On Tue, 2005-07-12 at 10:17 -0500, Jason Joines wrote:
>
>> I'm trying to get pam_tally to lock out Usermin connections. I'm
>>using pam_tally 0.1 with pam 0.77 on SuSE Linux 9.2. With this
>>/etc/pam.d/usermin file, the tally gets updated at each failed attempt
>>and reset on a successful login but access is never blocked even when
>>the tally reaches double digits:
>>
>>#%PAM-1.0
>>auth required pam_unix.so nullok
>>auth required pam_tally.so no_magic_root
>>account required pam_unix.so
>>account required pam_tally.so deny=5 reset
>>session required pam_unix.so
>>
>>
>> I noticed that my SuSE Linux 9.3 box came with pam_tally 0.2 and pam
>>0.78 and that the 0.2 version of pam_tally had more options such as
>>lock_time. I copied the pam_tally.so and pam_tally from it to the 9.2
>>box and gave it a try. Then I had the opposite problem. The tally gets
>>updated at each failed login attempt but does not get reset on success.
>>As a result, once the tally is exceeded, two failed authentication
>>attempts result in the account being blocked until the time limit has
>>expired. Here's the /etc/pam.d/usermin I tried with pam_tally 0.2:
>>
>>#%PAM-1.0
>>auth required pam_unix.so nullok
>>auth required pam_tally.so deny=5 lock_time=15 unlock_time=900
>>account required pam_unix.so
>>account required pam_tally.so magic_root
>>session required pam_unix.so
>>
>>
>> Am I missing something? Usermin (http://www.webmin.com) runs as
>>root. I'd like to have pam_tally lock accounts with 5 failed login
>>attempts for 15 minutes and then unlock them. If anyone has something
>>like this working I'd sure appreciate the posting of the pam
>>configuration file and any relevant version numbers.
>>
>
>The magic_root option is almost never needed (it's useful only for su
>and similar things), and if it is supplied to the account phase it has
>to be in the auth phase too.
>
>However, the webmin code might be wrong in not calling the pam_setcred
>or pam_acct_mgmt functions; if that is the case, then pam_tally cannot
>be used with webmin. At least pam_acct_mgmt must be called, so this
>should be reported to the webmin developers as a bug.
>
I'd like to test a bit more before I report a bug. I'll test with a
different service such as ssh. A posting of a working pam.d/service
configuration file would really help so I'll know if there's a bug or
just something I've got wrong. Could you post a working config?
Thanks,
Jason