Bug in pam_tally on Red Hat Enterprise Linux Server release 5.1 (Tikanga).

Vasudeva R rachamad at gmail.com
Mon Jul 14 21:27:27 UTC 2008 

Thank you Tomas,

It works perfect.

My configuration file now looks like this:

auth        required      pam_env.so
auth        required      pam_tally.so onerr=fail per_user deny=3
unlock_time=60
auth        sufficient    pam_unix.so try_first_pass
auth        required      pam_deny.so

account     required      pam_tally.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so minlen=7 ucredit=0 lcredit=-1
dcredit=-1 ocredit=0 retry=3
password    sufficient    pam_unix.so  use_authtok md5 shadow remember=4
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session     required      pam_unix.so

Thank you again.

Appreciate your timely reply with proper solution.

Regards,
Vasu

On Mon, Jul 14, 2008 at 3:27 PM, Vasudeva R <rachamad at gmail.com> wrote:

> *Bug in pam_tally on Red Hat Enterprise Linux Server release 5.1
> (Tikanga).*
>
> *PAM version is: pam-0.99.6.2-3.26.el5*
>
> *case 1: *
>
> following lines works for RHEL-3 & RHEL-4 version with pam-0.77-66.23
> version without any problems but not working for RHEL-5
>
> auth        required      /lib/security/$ISA/pam_tally.so onerr=fail
> no_magic_root
> account     required      /lib/security/$ISA/pam_tally.so per_user deny=3
> no_magic_root reset
>
> - faillog counter just updates number of failed password attempts
> - never locks the user account,
> - never clears the faillog counter after successful login attempt
>
> error messages found on /var/log/secure on RHEL-5
>
> pam_tally(sshd:account): option per_user allowed in auth phase only
> pam_tally(sshd:account): option deny=3 allowed in auth phase only
> pam_tally(sshd:account): unknown option: no_magic_root
> pam_tally(sshd:account): unknown option: reset
>
> sshd[13368]: PAM service(sshd) ignoring max retries; 6 > 3
>
> faillog -a user4
>
> user4           6        0   07/14/08 15:09:30 -0400
>
> *Case 2: *
>
> After modifying system-auth file with respect to the above error messages
>
> auth        required      pam_tally.so onerr=fail per_user deny=3
> account     required      pam_tally.so
>
> - faillog counter not updating counter for wrong password attempts
> - nerver locks the user account for wrong passwords
>
> *Case 3:*
>
> auth        required      pam_tally.so onerr=fail per_user deny=3
> no_magic_root
> account     required      pam_tally.so no_magic_root
>
> error messages found on /var/log/secure on RHEL-5
>
> pam_tally(sshd:auth): unknown option: no_magic_root
>
> - faillog counter updates for wrong password attempts
> - nerver locks the user account for wrong passwords
> - never clears the faillog counter after successful login attempt
>
> *I do not want to update PAM version on RHEL-5*
>
> *Appreciate if i get reply with bug fix solution.*
>
> --
> Regards,
> Vasudeva R
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pam-list/attachments/20080714/788b345d/attachment.htm>

More information about the Pam-list mailing list