pam_tally & SSH not working properly at all -- FC5T3 w/ pam 0.99
Tomas Mraz
tmraz at redhat.com
Mon Mar 6 09:19:22 UTC 2006
On Sun, 2006-03-05 at 01:29 -0500, Stewart Adam wrote:
> Hello,
> I'm completely confused, maybe it's a bug.
> http://www.fedoraforum.org/forum/showthread.php?t=97416
> I've started a thread there on FedoraForum with more info, but basically
> this is my situation:
> - /etc/pam.d/sshd file:
> -- start --
> #%PAM-1.0
> auth include system-auth
> auth required pam_tally.so onerr=fail deny=3

Move pam_tally.so before the include.

> account required pam_nologin.so
> account include system-auth
> account required pam_tally.so

The same thing here.

> password include system-auth
> session include system-auth
> session required pam_loginuid.so
> -- end --
> - I do have pam enabled in my sshd_config file.
> - I only want pam_tally for my ssh server, so that's why it's only in sshd
> and non system authentication.
>
> Here's the problem:
> --> I reset my counter just in case
> --> I do 5 bad SSH logins, even though my counter is 3 just to make sure
> --> I run "pam_tally --user admin" and it shows my 5 bad attempts
> --> My system logs show pam_tally is recording my bad attempts
> --> If I type the right password it still lets me log in
> In FC5T3 there's an additional "pam_tally2" module. Should I be using this
> one? I tried using that one with the same options and it still has no effect
> but the same results.

pam_tally2 uses a different data file because pam_tally's one
isn't compatible between 32- and 64-bit architectures. It also has
slightly different features; read the documentation
(/usr/share/doc/pam.../txts/README.pam_tally2).
--
Tomas Mraz <tmraz at redhat.com>
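
A small lint for the ordering the reply asks for, as an added example that is not part of the original thread: it flags pam_tally.so or pam_tally2.so rules that come after an `include` of the same module type. `POSTED` is the file from the question, `REORDERED` is constructed here by applying the reply's two moves, and the function names are hypothetical.

```python
import os
import re

# type, control (plain word or [bracketed]), then module path or included service
RULE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")
TALLY = {"pam_tally.so", "pam_tally2.so"}

# /etc/pam.d/sshd as posted in the thread
POSTED = """\
#%PAM-1.0
auth include system-auth
auth required pam_tally.so onerr=fail deny=3
account required pam_nologin.so
account include system-auth
account required pam_tally.so
password include system-auth
session include system-auth
session required pam_loginuid.so
"""
# Constructed for this example: each tally rule swapped with the include above it
p = POSTED.splitlines()
REORDERED = "\n".join([p[0], p[2], p[1], p[3], p[5], p[4]] + p[6:])

def parse_pam(text):
    """Return (lineno, type, control, module) per rule; joins backslash continuations."""
    rules, pending, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        start = start or n              # first physical line of the current rule
        if raw.endswith("\\"):
            pending += raw[:-1] + " "
            continue
        m = RULE.match((pending + raw).split("#", 1)[0].strip())
        if m:
            rules.append((start, m.group(1), m.group(2), os.path.basename(m.group(3))))
        pending, start = "", 0
    return rules

def tally_after_include(text):
    """List tally rules that appear after an include of the same module type."""
    included, findings = set(), []
    for lineno, mtype, control, module in parse_pam(text):
        if control == "include":
            included.add(mtype)
        elif module in TALLY and mtype in included:
            findings.append((lineno, mtype, module))
    return findings

if __name__ == "__main__":
    print(tally_after_include(POSTED), tally_after_include(REORDERED))
```

The check looks only at ordering within the one service file; it does not open or inspect the included system-auth.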