Authentication problems with pam_tally2 and Ansible
Marko Asplund
marko.asplund at gmail.com
Thu Dec 1 08:28:54 UTC 2016
The explanation seems to be that pam_tally2 records a failed login when
the login command is started, even before a password is entered. Normally, the
failed logins counter is reset when the user enters the correct password.
For login this works correctly when the following line is added in pam
config (common-auth):
auth required pam_tally2.so file=/var/log/tallylog deny=5 even_deny_root unlock_time=1200 serialize
However, when using sudo, the counter only gets reset when the following
line is added to pam configuration (common-account):
account required pam_tally2.so
Why is the behaviour different for login and sudo?
Is this a bug?
I think this is a bit confusing and it might be good to explain it in more
detail on the man page (and the examples section).
marko
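
A configuration check for the situation described in the message above, as an added example that is not part of the original post or of Linux-PAM: it flags a service whose auth stack loads pam_tally2 while its account stack does not. The sample files, the Debian-style layout and the function names are constructed for illustration.

```python
import re

# Constructed sample files (not from the post), modelled on a Debian-style layout.
SAMPLE = {
    "common-auth": (
        "auth required pam_tally2.so file=/var/log/tallylog deny=5 "
        "even_deny_root unlock_time=1200 serialize\n"
        "auth [success=1 default=ignore] pam_unix.so nullok_secure\n"
    ),
    "common-account": "account required pam_unix.so\n",
    "sudo": "#%PAM-1.0\n@include common-auth\n@include common-account\n",
}

def stack(name, files, seen=()):
    """Yield (type, module) for a service file, following include directives."""
    if name in seen or name not in files:
        return  # include loop, or a file we were not given
    text = files[name].replace("\\\n", " ")  # join backslash-continued lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("@include"):
            yield from stack(line.split()[1], files, seen + (name,))
            continue
        # fields: type, control (word or [bracketed list]), module or file
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if not m:
            continue
        kind, control, target = m.group(1).lower(), m.group(2), m.group(3)
        if control in ("include", "substack"):
            # "auth include system-auth" pulls in only the same-type lines
            inner = stack(target, files, seen + (name,))
            yield from (e for e in inner if e[0] == kind)
        else:
            yield kind, target.rsplit("/", 1)[-1]

def tally_without_account(service, files, module="pam_tally2.so"):
    """True when the module is in the auth stack but not the account stack."""
    types = {t for t, mod in stack(service, files) if mod == module}
    return "auth" in types and "account" not in types
```

Loading the real files from /etc/pam.d into the dictionary (keyed by file name) lets the same check run across every service on a host.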