Re: Bug in pam_tally on Red Hat Enterprise Linux Server release 5.1 (Tikanga).

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Here is my complete configuration lines of system-auth file.

Earlier I had mentioned only tally lines alone.

Please let me know where could be the problem.

auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so minlen=7 ucredit=0 lcredit=-1 dcredit=-1 ocredit=0 retry=3
password    sufficient    pam_unix.so  use_authtok md5 shadow remember=4
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

auth        required      pam_tally2.so per_user deny=3
account     required      pam_tally2.so reset

Regards,
Vasudeva


On Mon, Jul 14, 2008 at 3:27 PM, Vasudeva R <rachamad@xxxxxxxxx> wrote:
Bug in pam_tally on Red Hat Enterprise Linux Server release 5.1 (Tikanga).

PAM version is: pam-0.99.6.2-3.26.el5

case 1:

following lines works for RHEL-3 & RHEL-4 version with pam-0.77-66.23 version without any problems but not working for RHEL-5

auth        required      /lib/security/$ISA/pam_tally.so no_magic_root
account     required      /lib/security/$ISA/pam_tally.so per_user deny=3 no_magic_root reset

- faillog counter just updates number of failed password attempts
- never locks the user account,
- never clears the faillog counter after successful login attempt

error messages found on /var/log/secure on RHEL-5

pam_tally(sshd:account): option per_user allowed in auth phase only
pam_tally(sshd:account): option deny=3 allowed in auth phase only
pam_tally(sshd:account): unknown option: no_magic_root
pam_tally(sshd:account): unknown option: reset

sshd[13368]: PAM service(sshd) ignoring max retries; 6 > 3

faillog -a user4

user4           6        0   07/14/08 15:09:30 -0400

Case 2:

After modifying system-auth file with respect to the above error messages

auth        required      pam_tally.so per_user deny=3
account     required      pam_tally.so

- faillog counter not updating counter for wrong password attempts
- nerver locks the user account for wrong passwords

Case 3:

auth        required      pam_tally.so per_user deny=3 no_magic_root
account     required      pam_tally.so no_magic_root

error messages found on /var/log/secure on RHEL-5

pam_tally(sshd:auth): unknown option: no_magic_root

- faillog counter updates for wrong password attempts
- nerver locks the user account for wrong passwords
- never clears the faillog counter after successful login attempt

I do not want to update PAM version on RHEL-5

Appreciate if i get reply with bug fix solution.

--
Regards,
Vasudeva R





_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux