Bug in pam_tally on Red Hat Enterprise Linux Server release 5.1 (Tikanga).
Tomas Mraz
tmraz at redhat.com
Mon Jul 14 21:01:20 UTC 2008
On Mon, 2008-07-14 at 16:44 -0400, Vasudeva R wrote:
> Here are the complete configuration lines of my system-auth file.
>
> Earlier I had mentioned only the tally lines.
>
> Please let me know where the problem could be.
>
> auth required pam_env.so
> auth sufficient pam_unix.so try_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account required pam_permit.so
>
> password requisite pam_cracklib.so minlen=7 ucredit=0 lcredit=-1 dcredit=-1 ocredit=0 retry=3
> password sufficient pam_unix.so use_authtok md5 shadow remember=4
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
>
> auth required pam_tally2.so onerr=fail per_user deny=3
> account required pam_tally2.so reset

pam_tally2 uses a different file for keeping the tally counts -
/var/log/tallylog. The format is compatible between 32 and 64bit
architectures (with the same endianness only). It doesn't support the
per_user option.

And as I wrote in my previous e-mail, you have to put both of the lines
before the respective auth/account pam_unix lines.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
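
Added example, not part of the original message or of Linux-PAM: a small Python check for the two problems named in the reply above (pam_tally2 lines placed after the pam_unix line of the same type, and the unsupported per_user option). The function name lint_pam_stack and the REORDERED sample are assumptions made for illustration; POSTED is an excerpt of the auth/account lines from the quoted message.

```python
import re

# Option the reply says pam_tally2 does not support.
UNSUPPORTED = {"per_user"}
# Fields: type, control (word or [bracketed list]), module, arguments.
LINE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def lint_pam_stack(text):
    """Return (line_no, message) findings for the two problems in the reply."""
    findings, first_unix = [], {}   # first_unix: type -> line of first pam_unix.so
    for no, raw in enumerate(text.splitlines(), 1):
        m = LINE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue                # blank line, comment, or not a module line
        mtype, _control, module, args = m.groups()
        module = module.rsplit("/", 1)[-1]      # accept absolute module paths
        if module == "pam_unix.so":
            first_unix.setdefault(mtype, no)
        elif module == "pam_tally2.so":
            if mtype in ("auth", "account") and mtype in first_unix:
                findings.append((no, f"{mtype} pam_tally2.so is after pam_unix.so "
                                     f"(line {first_unix[mtype]})"))
            for opt in args.split():
                if opt.split("=", 1)[0] in UNSUPPORTED:
                    findings.append((no, f"pam_tally2 does not support '{opt}'"))
    return findings

# Excerpt of the auth/account lines as posted (tally lines at the end).
POSTED = """\
auth sufficient pam_unix.so try_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
auth required pam_tally2.so onerr=fail per_user deny=3
account required pam_tally2.so reset
"""

# Constructed reordering: tally lines moved before pam_unix, per_user dropped.
REORDERED = """\
auth required pam_tally2.so onerr=fail deny=3
auth sufficient pam_unix.so try_first_pass
auth required pam_deny.so
account required pam_tally2.so reset
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
"""

if __name__ == "__main__":
    print(lint_pam_stack(POSTED), lint_pam_stack(REORDERED))
```

The check covers only line order and the per_user option; it does not evaluate control flags or handle backslash-continued lines.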