pam_tally and fail_locktime

Benjamin Donnachie benjamin at pythagoras.no-ip.org
Sun Oct 2 19:11:40 UTC 2005



Philip Yarra wrote:
> Interesting, I see the same inconsistency on Mandr{ake|iva} 10.2

I'm not too impressed with the pam_tally modules supplied with Fedora
Core 3 - it returns a different error message if you get the password
right but it's exceeded the tally...

Completely negating the security I wanted to implement with it!

I prefer the version described at
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html#ss6.24
as it performs account denying at the authentication stage - which
should hopefully not distinguish whether a correct password has been
passed if the tally count has been exceeded...

I shall see whether I can get it running with the version of PAM
supplied with FC3 - if not, I'll look into replacing the whole PAM system...

Ben
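Added example, not part of the original post and not PAM code: a small Python model of the behaviour described above, comparing a stack that enforces the tally after the password check with one that enforces it inside the authentication stage. The threshold, message strings and function names are constructed for illustration.

```python
"""Constructed model of a login stack with a failed-attempt tally (not PAM code)."""

DENY = 3                                        # assumed lockout threshold
GENERIC = "Authentication failure"              # constructed message text
LOCKED = "Account locked due to failed logins"  # constructed message text


class Account:
    def __init__(self, password):
        self.password = password
        self.tally = 0


def login_deny_after_auth(acct, guess):
    """Password is checked first and the tally is enforced in a later stage,
    so a locked account answers differently once the guess is right."""
    acct.tally += 1
    if guess != acct.password:
        return GENERIC
    if acct.tally > DENY:
        return LOCKED      # only reachable with the correct password
    acct.tally = 0
    return "OK"


def login_deny_in_auth(acct, guess):
    """Tally is enforced inside the authentication stage, before the
    password result can influence what the caller sees."""
    acct.tally += 1
    if acct.tally > DENY:
        return GENERIC     # same answer for right and wrong guesses
    if guess != acct.password:
        return GENERIC
    acct.tally = 0
    return "OK"


def responses_while_locked(login, password, guesses):
    """Lock the account with wrong guesses, then record the reply to each guess."""
    acct = Account(password)
    for _ in range(DENY):
        login(acct, "wrong-" + password)
    return {g: login(acct, g) for g in guesses}


def leaks_password(login, password="s3cret", guesses=("aaa", "s3cret", "zzz")):
    """True if a locked account answers the correct guess differently."""
    return len(set(responses_while_locked(login, password, guesses).values())) > 1
```

The same comparison of replies for known-good and known-bad passwords can be run against a test account on a real system to check whether a given PAM configuration distinguishes them after lockout.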



