[tac_plus] Re: Tac_plus & PAM

john heasley heas at shrubbery.net
Mon Dec 4 16:50:24 UTC 2006


Mon, Dec 04, 2006 at 05:48:29PM +0800, Lim Seng:
> Hi,
> 
> I am having issues with configuring account lockouts on 3 attempts using
> faillog and pam_tally, but I am not sure whether there is a parameter (
> a.k.a. I didn't RTFM) which has to be added in the configuration for it to
> work. I have read through man on AV Pairs, which I thought could solve the
> problem, but it didn't seem to help:
> 
> My tac_plus file in /etc/pam.d/:
> 
> #%PAM-1.0
> auth           required     pam_tally.so per_user onerr=fail deny=3
> auth           required     pam_env.so
> auth           required     pam_unix.so likeauth nullok
> account      required     pam_stack.so service=system-auth
> password   required     pam_stack.so service=system-auth
> session      required     pam_limits.so
> 
> And my tac_plus.cfg
> 
> group = admin {
>        login = PAM
> }
> 
> user = netadm {
> default service = permit
> member = admin
> }
> 
> The problem that I have encountered, be it a successful or a failed login
> attempt, pam_tally counts it as a failure, but the lockout feature works
> fine when it reads that faillog has more than 3 "failed" attempts for user
> netadm albeit those 3 attempts were successful logins.
> 
> My /var/log/secure:
> 
> Dec  4 15:29:13 maskedhost tac_plus[6974]: pam_tally(tac_plus:auth): user
> netadm (500) tally 4, deny 3
> Dec  4 15:29:15 maskedhost tac_plus[6974]: pam_unix(tac_plus:auth):
> authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
> user=netadm
> 
> I have figured that I have probably configured pam_tally to necessarily do
> failed login counting and lockout feature, greatly appreciate your help thus
> far but I am sorry I have to approach for your assistance once again.

I do not know about pam_tally.  This site looks like it might be useful,
as it appears that your configuration might be a little slim:
	http://sial.org/howto/linux/pam_tally/

Note that this could be a form of DoS attack; I intentionally try to log in
3 times with the wrong password and your account is locked out.
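
An amended /etc/pam.d/tac_plus, added here as an example rather than taken from either message, showing the usual reason a tally never goes back down: pam_tally is only ever run in the auth phase, which increments the counter, and never in the account phase, which is where the module resets it after a successful authentication (unless no_reset is given). This assumes the pam_tally that ships with Linux-PAM, that the system-auth stack pulled in by pam_stack does not already contain pam_tally, and that tac_plus calls the account phase (pam_acct_mgmt) after pam_authenticate; the unlock_time option is included as a mitigation for the lockout DoS mentioned above and should be checked against the pam_tally man page of the version in use.

```text
#%PAM-1.0
# /etc/pam.d/tac_plus  (added example; not the poster's file)

# auth phase: bump the counter first, then check the password.
#   per_user   honour per-user limits set with faillog(8)
#   onerr=fail refuse the login if the tally file cannot be read or written
#   deny=3     fail once the counter exceeds 3 (the log's "tally 4, deny 3")
#   unlock_time=600  lift the lock after 10 minutes instead of leaving it
#              until an administrator clears it (assumed supported; see man page)
auth       required     pam_tally.so per_user onerr=fail deny=3 unlock_time=600
auth       required     pam_env.so
auth       required     pam_unix.so likeauth nullok

# account phase: pam_tally here resets the counter for a user who has just
# authenticated successfully.  The original stack had no pam_tally line in
# this phase, so a good login left the count raised just like a bad one.
account    required     pam_tally.so per_user
account    required     pam_stack.so service=system-auth

password   required     pam_stack.so service=system-auth
session    required     pam_limits.so
```

While testing, `faillog -u netadm` shows the current count for the user and `faillog -u netadm -r` clears it, which is the quickest way to confirm that a successful login now resets the tally and that only wrong passwords drive it up.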