Here it goes.
when I check the /usr/share/doc/pam-0.77/txts/README.pam_tally
It shows the options I can use. On that the deny option is part of account (not auth), may be later it has been moved to auth as I can see in online docs. Secondly it doesn't have the unlock_time option. That's why it's giving unknown option unlock_time.
So the question here is, is there any way to block a user for a certain amount of time, and unlock automatically?
I got this clue from nahant-list http://www.redhat.com/archives/nahant-list/2006-August/msg00104.html.
Hmmmmmmm.....
I see what you are saying about it being an 'auth' option, not for account.
I'm going to work on this some more, on my own and see what I can come up with.
Would like to further collaborate with you regarding this, share lessons learned, etc....
R,
-Joe Wulf, CISSP, USN(RET)
Senior IA Engineer
ProSync Technology Group, LLC
www.prosync.com
From: pam-list-bounces@xxxxxxxxxx [mailto:pam-list-bounces@xxxxxxxxxx] On Behalf Of Monu Agrawal
Sent: Monday, June 16, 2008 15:14Subject: RE: pam_tally: unknown option
Thanks Joe, but as per documents, deny and unlock_time are auth options, not thee account options. When I changed the config as you mentioned:account required pam_tally.so deny=2
the error "unknown option deny" stopped coming but it didn't make any difference in the time it waits after wrong passwd, even if I make it 20. The version, I can't change because of some dependency reasons.
---------- Forwarded message ----------
From: "Joe_Wulf" <Joe_Wulf@xxxxxxxxx>
To: "'Pluggable Authentication Modules'" <pam-list@xxxxxxxxxx>
Date: Mon, 16 Jun 2008 08:37:29 -0400
Subject: RE: pam_tally: unknown optionI've played with PAM some, and am learning more all the time. One resource I turn to pretty frequently is the PAM documentation found at kernel.org/pub/linux/libs/pam. >From what I've learned along the way, I think your "auth" line isn't the right place for the "deny" option, and that would be why you get the errors you do.
What works for me is to have the deny option be on the "account" line, as follows:
account required /lib/security/$ISA/pam_tally.so deny=2
Secondly, I'd recommend upgrading to a newer version of PAM, ..77 is quite outdated. You'll probably have much greater success with a newer release.
Good luck!
R,
-Joe Wulf, CISSP, USN(RET)
Senior IA Engineer
ProSync Technology Group, LLC
www.prosync.com
From: pam-list-bounces@xxxxxxxxxx [mailto:pam-list-bounces@xxxxxxxxxx] On Behalf Of Monu Agrawal
Sent: Monday, June 16, 2008 07:39
To: pam-list@xxxxxxxxxx
Subject: pam_tally: unknown option
Hi,
I am using pam-0.77-65.1. The problem I am getting with it is, I am not able to set deny and unlock_time options.
My file looks like following:
#%PAM-1.0
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
auth required pam_tally.so deny=3 unlock_time=600
account required pam_tally.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
I am getting the following error messages on /var/log/messages
Jun 16 17:05:32 ssc-216 pam_tally[26272]: pam_tally: unknown option; deny=3
Jun 16 17:05:32 ssc-216 pam_tally[26272]: pam_tally: unknown option; unlock_time=600
Are these options available on the this particular version? Can anybody tell me what is wrong with the above config?
--
The things we know best are
the things we haven't been taught.
'Make Your Own Way'
Monu Agrawal
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
--
The things we know best are
the things we haven't been taught.
'Make Your Own Way'
Monu Agrawal
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
--
The things we know best are
the things we haven't been taught.
'Make Your Own Way'
Monu Agrawal
_______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
