I'm having some issues using the pam_tally2 module with Ansible and I'd like to make sure my PAM configuration is correct.
I've configured pam_tally2 by adding the following line in /etc/pam.d/common-auth:
auth required pam_tally2.so file=/var/log/tallylog deny=5 even_deny_root unlock_time=1200
Is this line correct and in the right place? Is there some other configuration I should add?
This seems to be working OK with interactive sessions, but I'm experiencing strange authentication problems with Ansible. I have an Ansible playbook that basically runs the chage command for a bunch of users in a loop with sudo. Some of the commands get correctly executed, but playbook execution gets aborted due to "Incorrect sudo password". Also, pam_tally2 reports multiple login failures for the user running the script. Since some of the chage commands succeed, the sudo password must have been correctly typed.
Can this be caused by a flawed pam_tally2 configuration?
This is on Ubuntu 16.04.