It works perfect.
My configuration file now looks like this:
auth required pam_env.so
auth required pam_tally.so per_user deny=3 unlock_time=60
auth sufficient pam_unix.so try_first_pass
auth required pam_deny.so
account required pam_tally.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so minlen=7 ucredit=0 lcredit=-1 dcredit=-1 ocredit=0 retry=3
password sufficient pam_unix.so use_authtok md5 shadow remember=4
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
Thank you again.
Appreciate your timely reply with proper solution.
Regards,
Vasu
On Mon, Jul 14, 2008 at 3:27 PM, Vasudeva R <rachamad@xxxxxxxxx> wrote:
Bug in pam_tally on Red Hat Enterprise Linux Server release 5.1 (Tikanga).
PAM version is: pam-0.99.6.2-3.26.el5
case 1:
following lines works for RHEL-3 & RHEL-4 version with pam-0.77-66.23 version without any problems but not working for RHEL-5
auth required /lib/security/$ISA/pam_tally.so no_magic_root
account required /lib/security/$ISA/pam_tally.so per_user deny=3 no_magic_root reset
- faillog counter just updates number of failed password attempts
- never locks the user account,
- never clears the faillog counter after successful login attempt
error messages found on /var/log/secure on RHEL-5
pam_tally(sshd:account): option per_user allowed in auth phase only
pam_tally(sshd:account): option deny=3 allowed in auth phase only
pam_tally(sshd:account): unknown option: no_magic_root
pam_tally(sshd:account): unknown option: reset
sshd[13368]: PAM service(sshd) ignoring max retries; 6 > 3
faillog -a user4
user4 6 0 07/14/08 15:09:30 -0400
Case 2:
After modifying system-auth file with respect to the above error messages
auth required pam_tally.so per_user deny=3
account required pam_tally.so
- faillog counter not updating counter for wrong password attempts
- nerver locks the user account for wrong passwords
Case 3:
auth required pam_tally.so per_user deny=3 no_magic_root
account required pam_tally.so no_magic_root
error messages found on /var/log/secure on RHEL-5
pam_tally(sshd:auth): unknown option: no_magic_root
- faillog counter updates for wrong password attempts
- nerver locks the user account for wrong passwords
- never clears the faillog counter after successful login attempt
I do not want to update PAM version on RHEL-5
Appreciate if i get reply with bug fix solution.
--
Regards,
Vasudeva R
_______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list