On Wed, 2005-07-13 at 11:30 -0500, CBA Computer Support wrote:
> Tomas Mraz wrote:
>
> >>#%PAM-1.0
> >>auth required pam_unix.so nullok
> >>auth required pam_tally.so deny=5 lock_time=15 unlock_time=900
> >>account required pam_unix.so
> >>account required pam_tally.so magic_root
> >>session required pam_unix.so
> >>
> >>
> >> Am I missing something? Usermin (http://www.webmin.com) runs as
> >>root. I'd like to have pam_tally lock accounts with 5 failed login
> >>attempts for 15 minutes and then unlock them. If anyone has something
> >>like this working I'd sure appreciate the posting of the pam
> >>configuration file and any relevant version numbers.
> >>
> >
> >The magic_root option is almost never needed (it's useful only for su
> >and similar things) and if it is supplied to the account phase it has
> >to be in the auth phase too.
> >
> >However the webmin code might be wrong in not calling pam_setcred nor
> >pam_acct_mgmt functions if it is the case then pam_tally cannot be used
> >with webmin. At least the pam_acct_mgmt must be called so this should be
> >reported to webmin developers as a bug.
> >
>
> I'd like to test a bit more before I report a bug. I'll test with a
> different service such as ssh. A posting of a working pam.d/service
> configuration file would really help so I'll know if there's a bug or
> just something I've got wrong. Could you post a working config?

Your config should be right except the magic_root option.

However there is also a bug in pam_tally v0.2 which might be fixed in
the SUSE 9.3 (I don't know) package which makes it crash if the
application calls both pam_acct_mgmt and pam_setcred functions (most
apps including sshd do).

--
Tomas Mraz <tmraz@xxxxxxxxxx>
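
As an added example (not part of the original thread, and not code from pam_tally or Webmin), a small Python linter for a pam.d service file that flags the configuration issue raised in the reply: `magic_root` given to pam_tally in the account phase without also appearing in the auth phase. The function names and the sample input are constructed for illustration; the extra check that pam_tally is listed in both the auth and account phases is an assumption based on the posted config.

```python
# Added example: lint a pam.d service file for the pam_tally points in this thread.
SAMPLE = """\
#%PAM-1.0
auth required pam_unix.so nullok
auth required pam_tally.so deny=5 lock_time=15 unlock_time=900
account required pam_unix.so
account required pam_tally.so magic_root
session required pam_unix.so
"""  # constructed from the configuration quoted in the thread

def parse_pam(text):
    """Return (type, control, module, options) for each rule line."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # '#' starts a comment
        if len(fields) < 3:
            continue
        mtype, rest = fields[0].lstrip("-"), fields[1:]
        if rest[0].startswith("["):             # bracketed control, e.g. [success=1 default=ignore]
            end = next((i for i, f in enumerate(rest) if f.endswith("]")), None)
            if end is None:
                continue                        # malformed control field
            control, rest = " ".join(rest[:end + 1]), rest[end + 1:]
        else:
            control, rest = rest[0], rest[1:]
        if rest:                                # module may be given with a full path
            rules.append((mtype, control, rest[0].rsplit("/", 1)[-1], rest[1:]))
    return rules

def lint_pam_tally(text):
    """Return a list of findings about pam_tally.so usage in one service file."""
    tally = {}                                  # phase -> option names seen on pam_tally lines
    for mtype, _control, module, opts in parse_pam(text):
        if module == "pam_tally.so":
            tally.setdefault(mtype, set()).update(o.split("=", 1)[0] for o in opts)
    findings = []
    if "auth" in tally and "account" not in tally:
        findings.append("pam_tally in auth but not in account")
    if "account" in tally and "auth" not in tally:
        findings.append("pam_tally in account but not in auth")
    if "magic_root" in tally.get("account", ()) and "magic_root" not in tally.get("auth", ()):
        findings.append("magic_root in account phase but not in auth phase")
    return findings

if __name__ == "__main__":
    for finding in lint_pam_tally(SAMPLE):
        print("WARN:", finding)
```

This checks the configuration file only; whether the application actually calls pam_acct_mgmt, the other point raised in the thread, cannot be seen from the file.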