Bug in pam_tally on Red Hat Enterprise Linux Server release 5.1 (Tikanga).
Tomas Mraz
tmraz at redhat.com
Mon Jul 14 20:34:08 UTC 2008
On Mon, 2008-07-14 at 15:27 -0400, Vasudeva R wrote:
> Bug in pam_tally on Red Hat Enterprise Linux Server release 5.1
> (Tikanga).
>
> PAM version is: pam-0.99.6.2-3.26.el5
>
> case 1:
>
> following lines works for RHEL-3 & RHEL-4 version with pam-0.77-66.23
> version without any problems but not working for RHEL-5
>
> auth required /lib/security/$ISA/pam_tally.so onerr=fail
> no_magic_root
> account required /lib/security/$ISA/pam_tally.so per_user
> deny=3 no_magic_root reset
The pam_tally in RHEL-5 works differently - denies in the auth phase. So
this configuration is not correct.
> Case 2:
>
> After modifying system-auth file with respect to the above error
> messages
>
> auth required pam_tally.so onerr=fail per_user deny=3
> account required pam_tally.so
>
> - faillog counter not updating counter for wrong password attempts
> - nerver locks the user account for wrong passwords
This should be a correct configuration so perhaps you made a mistake in
the system-auth file elsewhere? It seems like the auth line is never
called. It must be before auth pam_unix line in the system-auth file.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
More information about the Pam-list
mailing list