Bug in pam_tally on Red Hat Enterprise Linux Server release 5.1 (Tikanga).

Vasudeva R rachamad at gmail.com
Mon Jul 14 19:27:32 UTC 2008 

*Bug in pam_tally on Red Hat Enterprise Linux Server release 5.1 (Tikanga).*

*PAM version is: pam-0.99.6.2-3.26.el5*

*case 1: *

following lines works for RHEL-3 & RHEL-4 version with pam-0.77-66.23
version without any problems but not working for RHEL-5

auth        required      /lib/security/$ISA/pam_tally.so onerr=fail
no_magic_root
account     required      /lib/security/$ISA/pam_tally.so per_user deny=3
no_magic_root reset

- faillog counter just updates number of failed password attempts
- never locks the user account,
- never clears the faillog counter after successful login attempt

error messages found on /var/log/secure on RHEL-5

pam_tally(sshd:account): option per_user allowed in auth phase only
pam_tally(sshd:account): option deny=3 allowed in auth phase only
pam_tally(sshd:account): unknown option: no_magic_root
pam_tally(sshd:account): unknown option: reset

sshd[13368]: PAM service(sshd) ignoring max retries; 6 > 3

faillog -a user4

user4           6        0   07/14/08 15:09:30 -0400

*Case 2: *

After modifying system-auth file with respect to the above error messages

auth        required      pam_tally.so onerr=fail per_user deny=3
account     required      pam_tally.so

- faillog counter not updating counter for wrong password attempts
- nerver locks the user account for wrong passwords

*Case 3:*

auth        required      pam_tally.so onerr=fail per_user deny=3
no_magic_root
account     required      pam_tally.so no_magic_root

error messages found on /var/log/secure on RHEL-5

pam_tally(sshd:auth): unknown option: no_magic_root

- faillog counter updates for wrong password attempts
- nerver locks the user account for wrong passwords
- never clears the faillog counter after successful login attempt

*I do not want to update PAM version on RHEL-5*

*Appreciate if i get reply with bug fix solution.*

-- 
Regards,
Vasudeva R
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pam-list/attachments/20080714/b410bb04/attachment.htm>

More information about the Pam-list mailing list