pam_tally and fail_locktime
Benjamin Donnachie
benjamin at pythagoras.no-ip.org
Sun Oct 2 19:11:40 UTC 2005

Philip Yarra wrote:
> Interesting, I see the same inconsistency on Mandr{ake|iva} 10.2

I'm not too impressed with the pam_tally modules supplied with Fedora
Core 3 - it returns a different error message if you get the password
right but it's exceeded the tally...

Completely negating the security I wanted to implement with it!

I prefer the version described at
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html#ss6.24
as it performs account denying at the authentication stage - which
should hopefully not distinguish whether a correct password has been
passed if the tally count has been exceeded...

I shall see whether I can get it running with the version of PAM
supplied with FC3 - if not, I'll look into replacing the whole PAM system...

Ben