difficulties with pam_tally

Tomas Mraz tmraz at redhat.com
Wed Jul 13 17:15:39 UTC 2005


On Wed, 2005-07-13 at 11:30 -0500, CBA Computer Support wrote:
> Tomas Mraz wrote:
> >>#%PAM-1.0
> >>auth    required        pam_unix.so     nullok
> >>auth    required        pam_tally.so deny=5 lock_time=15 unlock_time=900
> >>account required        pam_unix.so
> >>account required        pam_tally.so magic_root
> >>session required        pam_unix.so
> >>
> >>
> >>    Am I missing something?  Usermin (http://www.webmin.com) runs as 
> >>root.  I'd like to have pam_tally lock accounts with 5 failed login 
> >>attempts for 15 minutes and then unlock them.  If anyone has something 
> >>like this working I'd sure appreciate the posting of the pam 
> >>configuration file and any relevant version numbers.
> >>    
> >
> >The magic_root option is almost never needed (it's useful only for su
> >and similar things) and if it is supplied to the account phase it has
> >to be in the auth phase too.
> >
> >However the webmin code might be wrong in not calling pam_setcred nor
> >pam_acct_mgmt functions; if that is the case then pam_tally cannot be used
> >with webmin. At least the pam_acct_mgmt must be called so this should be
> >reported to webmin developers as a bug.
> >  
> 
>     I'd like to test a bit more before I report a bug.  I'll test with a 
> different service such as ssh.  A posting of a working pam.d/service 
> configuration file would really help so I'll know if there's a bug or 
> just something I've got wrong.  Could you post a working config?
Your config should be right except the magic_root option.
However there is also a bug in pam_tally v0.2 which might be fixed in
the SUSE 9.3 (I don't know) package which makes it crash if the
application calls both pam_acct_mgmt and pam_setcred functions (most
apps including sshd do).

-- 
Tomas Mraz <tmraz at redhat.com>
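
A small check for the magic_root mismatch described in the reply above, as an added example that is not part of the original message or of any PAM package. The function names are hypothetical, the sample is the service file quoted in the thread, and the check assumes pam_tally needs a line in both the auth and account phases, as in that file.

```python
import re

# Constructed sample: the service file quoted in the thread.
SAMPLE = """\
#%PAM-1.0
auth    required        pam_unix.so     nullok
auth    required        pam_tally.so deny=5 lock_time=15 unlock_time=900
account required        pam_unix.so
account required        pam_tally.so magic_root
session required        pam_unix.so
"""

# phase, control (plain word or [bracketed] form), module path, options
LINE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def tally_options(text):
    """Map each PAM phase to the option names on its pam_tally.so lines."""
    phases = {}
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())  # drop comments
        if not m or not m.group(3).endswith("pam_tally.so"):
            continue
        phase = m.group(1).lstrip("-").lower()
        names = {opt.split("=", 1)[0] for opt in m.group(4).split()}
        phases.setdefault(phase, set()).update(names)
    return phases

def lint(text):
    """Return findings about pam_tally usage in one pam.d service file."""
    phases = tally_options(text)
    auth, account = phases.get("auth"), phases.get("account")
    findings = []
    if auth is None and account is None:
        return findings  # pam_tally is not used by this service
    if auth is None:
        findings.append("pam_tally.so missing from the auth phase")
    if account is None:
        findings.append("pam_tally.so missing from the account phase")
    # Rule from the reply: magic_root in account requires it in auth too.
    if "magic_root" in (account or set()) and "magic_root" not in (auth or set()):
        findings.append("magic_root is set in the account phase but not in the auth phase")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print("WARN:", finding)
```
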



