difficulties with pam_tally

CBA Computer Support support at bus.okstate.edu
Wed Jul 13 16:30:55 UTC 2005


Tomas Mraz wrote:
>On Tue, 2005-07-12 at 10:17 -0500, Jason Joines wrote:
>  
>>    I'm trying to get pam_tally to lock out Usermin connections.  I'm 
>>using pam_tally 0.1 with pam 0.77 on SuSE Linux 9.2.  With this 
>>/etc/pam.d/usermin file, the tally gets updated at each failed attempt 
>>and reset on a successful login but access is never blocked even when 
>>the tally reaches double digits:
>>
>>#%PAM-1.0
>>auth    required        pam_unix.so     nullok
>>auth    required        pam_tally.so no_magic_root
>>account required        pam_unix.so
>>account required        pam_tally.so deny=5 reset
>>session required        pam_unix.so
>>
>>
>>    I noticed that my SuSE Linux 9.3 box came with pam_tally 0.2 and pam 
>>0.78 and that the 0.2 version of pam_tally had more options such as 
>>lock_time.  I copied the pam_tally.so and pam_tally from it to the 9.2 
>>box and gave it a try.  Then I had the opposite problem.  The tally gets 
>>updated at each failed login attempt but does not get reset on success.  
>>As a result, once the tally is exceeded, two failed authentication 
>>attempts result in the account being blocked until the time limit has 
>>expired.  Here's the /etc/pam.d/usermin I tried with pam_tally 0.2:
>>
>>#%PAM-1.0
>>auth    required        pam_unix.so     nullok
>>auth    required        pam_tally.so deny=5 lock_time=15 unlock_time=900
>>account required        pam_unix.so
>>account required        pam_tally.so magic_root
>>session required        pam_unix.so
>>
>>
>>    Am I missing something?  Usermin (http://www.webmin.com) runs as 
>>root.  I'd like to have pam_tally lock accounts with 5 failed login 
>>attempts for 15 minutes and then unlock them.  If anyone has something 
>>like this working I'd sure appreciate the posting of the pam 
>>configuration file and any relevant version numbers.
>>    
>
>The magic_root option is almost never needed (it's useful only for su
>and similar things), and if it is supplied to the account phase it has
>to be in the auth phase too.
>
>However, the webmin code might be wrong in calling neither pam_setcred
>nor pam_acct_mgmt; if that is the case then pam_tally cannot be used
>with webmin. At least pam_acct_mgmt must be called, so this should be
>reported to the webmin developers as a bug.
>  

    I'd like to test a bit more before I report a bug.  I'll test with a 
different service such as ssh.  A posting of a working pam.d/service 
configuration file would really help so I'll know if there's a bug or 
just something I've got wrong.  Could you post a working config?

Thanks,

Jason
===========
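A starting point for the configuration asked for above, added here as an example; it is not a config posted in the thread and not part of the Usermin/webmin project. It assumes the pam_tally 0.2 (Linux-PAM 0.78) option set mentioned in the thread (deny=, unlock_time=, magic_root, plus onerr= from the same module) and the behaviour Tomas describes: the auth phase checks the counter against deny= and increments it, while the counter is cleared only in the account phase (pam_acct_mgmt) or by pam_setcred. The service name sshd is an assumption; it is used because sshd calls both functions, so it is a reasonable service to test against before filing a bug. Nothing here can help an application that never calls pam_acct_mgmt or pam_setcred, which is the failure mode the thread is about.

```text
# /etc/pam.d/sshd  (example config, not taken from the thread)
#
# The two variants quoted in the thread and what goes wrong with them,
# on the semantics described in the reply above:
#
#   auth    required pam_tally.so no_magic_root
#   account required pam_tally.so deny=5 reset
#     deny= is only honoured in the account phase here, so a client that
#     never calls pam_acct_mgmt is never blocked (tally climbs forever).
#
#   auth    required pam_tally.so deny=5 lock_time=15 unlock_time=900
#   account required pam_tally.so magic_root
#     magic_root on the account line but not the auth line, and the
#     deny/unlock settings on the auth line only.  lock_time=15 is
#     "deny for 15 seconds after every failure" (pam_tally manpage),
#     not a 15 minute lockout; the 15 minute lockout is unlock_time=900.
#
# Suggested form: pam_tally in BOTH phases with the same deny/unlock
# settings, listed before pam_unix so a bad password still reaches the
# tally check.  onerr=fail keeps a missing or unreadable tally file from
# silently turning the lockout off.

auth     required   pam_tally.so   onerr=fail deny=5 unlock_time=900
auth     required   pam_unix.so    nullok
account  required   pam_tally.so   onerr=fail deny=5 unlock_time=900
account  required   pam_unix.so
session  required   pam_unix.so
```

Test it with five wrong passwords followed by a correct one over ssh: the sixth attempt should be refused even with the right password, `pam_tally --user <name>` should show the count, and a successful login after 900 seconds should clear it. If the same file works for sshd but not for the Usermin service, that points at the missing pam_acct_mgmt/pam_setcred calls rather than the PAM config.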