RE: pam_tally: unknown option

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hmmmmmmm.....

 

I see what you are saying about it being an 'auth' option, not for account.

I'm going to work on this some more, on my own and see what I can come up with.

Would like to further collaborate with you regarding this, share lessons learned, etc....


R,
-Joe Wulf, CISSP, USN(RET)
 Senior IA Engineer
 ProSync Technology Group, LLC
 
www.prosync.com


From: pam-list-bounces@xxxxxxxxxx [mailto:pam-list-bounces@xxxxxxxxxx] On Behalf Of Monu Agrawal
Sent: Monday, June 16, 2008 15:14
To: pam-list@xxxxxxxxxx
Subject: RE: pam_tally: unknown option

 


Thanks Joe, but as per documents, deny and unlock_time are auth options, not thee account options. When I changed the config as you mentioned:

account     required      pam_tally.so deny=2


the error "unknown option deny" stopped coming but it didn't make any difference in the time it waits after wrong passwd, even if I make it 20. The version, I can't change because of some dependency reasons.


---------- Forwarded message ----------
From: "Joe_Wulf" <Joe_Wulf@xxxxxxxxx>
To: "'Pluggable Authentication Modules'" <pam-list@xxxxxxxxxx>
Date: Mon, 16 Jun 2008 08:37:29 -0400
Subject: RE: pam_tally: unknown option

I've played with PAM some, and am learning more all the time.  One resource I turn to pretty frequently is the PAM documentation found at kernel.org/pub/linux/libs/pam.  >From what I've learned along the way, I think your "auth" line isn't the right place for the "deny" option, and that would be why you get the errors you do.

 

What works for me is to have the deny option be on the "account" line, as follows:

account     required      /lib/security/$ISA/pam_tally.so deny=2

Secondly, I'd recommend upgrading to a newer version of PAM, ..77 is quite outdated.  You'll probably have much greater success with a newer release.

Good luck!


R,
-Joe Wulf, CISSP, USN(RET)
 Senior IA Engineer
 ProSync Technology Group, LLC
 
www.prosync.com


From: pam-list-bounces@xxxxxxxxxx [mailto:pam-list-bounces@xxxxxxxxxx] On Behalf Of Monu Agrawal
Sent: Monday, June 16, 2008 07:39
To: pam-list@xxxxxxxxxx
Subject: pam_tally: unknown option

 

Hi,
I am using pam-0.77-65.1. The problem I am getting with it is, I am not able to set deny and unlock_time options.
My file looks like following:
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
auth       required     pam_tally.so deny=3 unlock_time=600
account    required     pam_tally.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

I am getting the following error messages on /var/log/messages

Jun 16 17:05:32 ssc-216 pam_tally[26272]: pam_tally: unknown option; deny=3
Jun 16 17:05:32 ssc-216 pam_tally[26272]: pam_tally: unknown option; unlock_time=600

Are these options available on the this particular version? Can anybody tell me what is wrong with the above config?

--
The things we know best are
the things we haven't been taught.
'Make Your Own Way'
Monu Agrawal


_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list




--
The things we know best are
the things we haven't been taught.
'Make Your Own Way'
Monu Agrawal

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux