difficulties with pam_tally
Tomas Mraz
tmraz at redhat.com
Wed Jul 13 17:15:39 UTC 2005
On Wed, 2005-07-13 at 11:30 -0500, CBA Computer Support wrote:
> Tomas Mraz wrote:
> >>#%PAM-1.0
> >>auth required pam_unix.so nullok
> >>auth required pam_tally.so deny=5 lock_time=15 unlock_time=900
> >>account required pam_unix.so
> >>account required pam_tally.so magic_root
> >>session required pam_unix.so
> >>
> >>
> >> Am I missing something? Usermin (http://www.webmin.com) runs as
> >>root. I'd like to have pam_tally lock accounts with 5 failed login
> >>attempts for 15 minutes and then unlock them. If anyone has something
> >>like this working I'd sure appreciate the posting of the pam
> >>configuration file and any relevant version numbers.
> >>
> >
> >The magic_root option is almost never needed (it's useful only for su
> >and similar things) and if it is supplied to the account phase it has
> >to be in the auth phase too.
> >
> >However, the webmin code might be wrong in not calling the pam_setcred
> >or pam_acct_mgmt functions; if that is the case, then pam_tally cannot be
> >used with webmin. At least pam_acct_mgmt must be called, so this should be
> >reported to the webmin developers as a bug.
> >
>
> I'd like to test a bit more before I report a bug. I'll test with a
> different service such as ssh. A posting of a working pam.d/service
> configuration file would really help so I'll know if there's a bug or
> just something I've got wrong. Could you post a working config?
Your config should be right except the magic_root option.
However there is also a bug in pam_tally v0.2 which might be fixed in
the SUSE 9.3 (I don't know) package which makes it crash if the
application calls both pam_acct_mgmt and pam_setcred functions (most
apps including sshd do).
--
Tomas Mraz <tmraz at redhat.com>
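
The two configuration points raised in this reply (magic_root given in the account phase must also be given in the auth phase, and pam_tally only sees pam_acct_mgmt if it has an account entry) can be checked mechanically against a pam.d service file. The Python script below is an added example, not part of the original message or of Linux-PAM; the function names and finding codes are hypothetical, and the sample input is the configuration quoted in the thread.

```python
# Added example: lint a pam.d service file for the pam_tally issues raised
# in this thread. Function names and finding codes are hypothetical.

# Constructed sample: the service file quoted in the thread.
SAMPLE = """\
#%PAM-1.0
auth required pam_unix.so nullok
auth required pam_tally.so deny=5 lock_time=15 unlock_time=900
account required pam_unix.so
account required pam_tally.so magic_root
session required pam_unix.so
"""

def parse_pam(text):
    """Return (phase, module, args) for every rule line in a pam.d file."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3:
            continue  # blank line, comment, or incomplete rule
        phase = fields[0].lstrip("-").lower()
        i = 1
        if fields[1].startswith("["):  # bracketed control: [success=1 default=ignore]
            while not fields[i].endswith("]") and i < len(fields) - 1:
                i += 1
        if i + 1 >= len(fields):
            continue  # control field with no module after it
        module = fields[i + 1].rsplit("/", 1)[-1]  # drop any directory prefix
        rules.append((phase, module, fields[i + 2:]))
    return rules

def check_tally(text, module="pam_tally.so"):
    """Return finding codes for the pam_tally problems named in the thread."""
    opts = {}  # phase -> set of option names given to pam_tally in that phase
    for phase, mod, args in parse_pam(text):
        if mod == module:
            opts.setdefault(phase, set()).update(a.split("=", 1)[0] for a in args)
    findings = []
    if "auth" in opts and "account" not in opts:
        findings.append("NO_ACCOUNT_ENTRY")     # pam_acct_mgmt never reaches pam_tally
    acct_magic = "magic_root" in opts.get("account", set())
    auth_magic = "magic_root" in opts.get("auth", set())
    if acct_magic and not auth_magic:
        findings.append("MAGIC_ROOT_MISMATCH")  # in account phase but not in auth
    if acct_magic or auth_magic:
        findings.append("MAGIC_ROOT_UNNEEDED")  # only useful for su-like services
    return findings

if __name__ == "__main__":
    for code in check_tally(SAMPLE):
        print(code)
```

A clean result here says nothing about whether the calling application actually invokes pam_acct_mgmt; that has to be verified in the application itself.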