There are a few minor differences between pam_tally and pam_tally2, just enough to trip you up and leave you in another head-scratching moment!
pam_tally seems to have fallen out of favour for RHEL 6 and CentOS 6 and later, which have switched to pam_tally2; this may be the case for other distros as well.
With pam_tally you can specify the option ‘reset’ within the system-auth file (see below). With pam_tally2 this option has been dropped. During testing this initially caused some confusion: the failed login attempt counter just kept on increasing, so after waiting the required 60 seconds I attempted to log in again…and was still locked out. You will see an error such as this in /var/log/secure:
sshd[2661]: pam_tally2(sshd:account): unknown option:reset
So, after reading that it became obvious that the ‘reset’ option had been dropped. The no_magic_root and no_reset options are also not available in pam_tally2.so.
Also note that for pam_tally you have to modify the /etc/pam.d/sshd_conf file so that the following options look like this:
PermitRootLogin no    (I always block root access via SSH)
PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
Useful commands
To show failed logins for all users: faillog -a
To show failed logins for a user: faillog -u mrfoo, and for PAM: pam_tally2 -u mrfoo
To reset the failed login counter for a user: faillog -r -u mrfoo, and for PAM: pam_tally2 -r -u mrfoo
pam_tally
I know this works for CentOS 5.5 (Final).
I recommend creating a ‘test’ user to try it out.
This will lock users out for 60 seconds after 3 unsuccessful attempts, then reset the tally to 0; you can change this to suit, see ‘man pam_tally’.
To show failed logins recorded under /var/log, run ‘faillog -a’.
Add the line ‘auth required pam_tally.so onerr=fail deny=3 unlock_time=60’ after the line ‘auth required pam_env.so’. The order is crucial: it doesn’t work correctly if you place it out of order.
Add the line ‘auth required pam_env.so’
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally.so onerr=fail deny=3 unlock_time=60    <===== add this line here
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
account     required      pam_tally.so reset    <===== add this line here

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
pam_tally2
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally2.so onerr=fail deny=3 unlock_time=60    <===== add this line here
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
account     required      pam_tally2.so    <===== add this line here; note, the 'reset' option has been dropped

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
Adding it all up
Okay, let's check that mrfoo has no unsuccessful logins:
[root@foo log]# pam_tally2 -u mrfoo
Login           Failures Latest failure     From
mrfoo               0
mrfoo screws up his password 3 times and gets locked out, easily checked by:
[root@foo log]# pam_tally2 -u mrfoo
Login           Failures Latest failure     From
mrfoo               3    03/26/13 10:22:28  192.168.1.50
We have a chat with mrfoo, give him a good bollocking, and tell him never to do it again…and then reset his failure counter:
[root@foo log]# pam_tally2 -r -u mrfoo
Login           Failures Latest failure     From
mrfoo               3    03/26/13 10:22:28  192.168.1.50
Check it has reset:
[root@foo log]# pam_tally2 -u mrfoo
Login           Failures Latest failure     From
mrfoo               0
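Checking one user at a time is fine for mrfoo, but on a box with many accounts you want to see everyone who has hit the deny threshold in one go. The following is an added example, not from the original post: it reads a saved pam_tally2 report (run without -u, pam_tally2 lists every user with a non-zero tally in the same column layout as the output above) and prints the accounts whose failure count has reached deny=3, with the source address where one was recorded. The report it reads is constructed inline, and the function name locked_users is my own; it only reads, it never resets anything.

```shell
#!/bin/sh
# Added example, not from the original post: list accounts in a saved
# pam_tally2 report whose failure count has reached the deny threshold.
# Column layout assumed: Login  Failures  Latest failure (date time)  From,
# as in the 'pam_tally2 -u mrfoo' output above. The From column is empty
# for failures recorded without a remote host, so it is optional.
# locked_users DENY FILE prints "user failures from" per locked account
# and returns 0 if any were found, 1 otherwise.

locked_users() {
    awk -v deny="$1" '
    NR == 1 && $1 == "Login" { next }       # skip the header line
    NF < 2 { next }                         # ignore malformed lines
    $2 + 0 >= deny {
        from = (NF >= 5) ? $5 : "-"
        printf "%s %d %s\n", $1, $2, from
        found++
    }
    END { exit (found > 0 ? 0 : 1) }' "$2"
}

# Constructed sample report (sample input, not captured from a real host).
REPORT=$(mktemp)
trap 'rm -f "$REPORT"' EXIT
cat > "$REPORT" <<'EOF'
Login           Failures Latest failure     From
mrfoo               3    03/26/13 10:22:28  192.168.1.50
bob                 1    03/26/13 10:30:01  192.168.1.77
alice               5    03/26/13 10:31:45
EOF

# with deny=3 from the stack above, mrfoo and alice are locked, bob is not
if locked_users 3 "$REPORT"; then
    echo "accounts at or over the deny threshold listed above"
else
    echo "no locked accounts"
fi
```

On a live system replace the constructed file with `pam_tally2 > /tmp/tally.txt` and pass that path; each user printed can then be reviewed and, once you have had the chat, cleared with `pam_tally2 -r -u <user>` as shown above.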