[ale] PAM_Tally oddness
Scott Warfield
magius at wittsend.com
Thu Dec 9 10:30:05 EST 2004
Anyone have some real experience with this? I've already determined that
this is not a good way to handle account lockouts, but it's the only
facility available in Linux.
Here's the system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth required /lib/security/pam_tally.so onerr=fail no_magic_root
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account required /lib/security/pam_tally.so deny=3 no_magic_root per_user
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
Now, at a glance, it's nice and pretty, and works perfectly... until a reboot.
At that point, ALL accounts, root too, are locked. So the system is
completely cut off.
Anyone ever really use pam_tally? I've found more incorrect posts from
people quoting man pages than actual info that works.
-------------------------------------------
Scott Warfield
Developer
magius at wittsend.com
-------------------------------------------