pam_tally & pam_tally2

There a few minor differences between pam_tally & pam_tally2, just enough to trip you over and end up in another head scratching moment!

pam_tally,  seems to have fallen out of favour for RHL6 & >= CentOS 6, they  seemed to have switched to using pam_tally2, this maybe the case for other distros as well.

With pam_tally you can specify the option ‘reset’ within the system-auth file (see below) with pam_tally2 this option has been dropped, during testing, this initially caused some confusion, as the failed login attempt counter just kept on increasing, so after waiting for the required 60 seconds, I attempt to login again…and I’m still locked out,  you will see an error such as this in /var/log/secure

sshd[2661]: pam_tally2(sshd:account): unknown option:reset

So, after reading that it became obvious that the ‘reset‘ option had been dropped, , also no_magic_root and no_reset options are not available in pam_tally2.so.

Also note, for pam_tally, you have to modify the /etc/pam.d/sshd_conf file change the following to look like this:

PermitRootLogins no (I always block root access via SSH)
PermitEmptyPasswords no
PasswordAuthentication no 
ChallengeResponseAuthentication yes
UsePAM yes

Useful commands

To show failed logins for all users faillog -a
To show failed logins for a user faillog -u mrfoo, and for PAM, pam_tally2 -u mrfoo
Reset failed login counter for user faillog -r -u mrfoo and for PAM, pam_tally2 -r -u mrfoo

pam_tally

I know this works for CentOS 5.5 (Final).

I recommend creating a ‘test’ user to try it out.

This will lock users out for 60 seconds after 3 unsuccessful attempts, then reset the tally to 0, you can change this to suit – see ‘man pam_tally’

To show failed logins at /var/log do ‘faillog -a’

Add the line ‘auth required pam_tally.so onerr=fail deny=3 unlock_time=60 ‘ after the line ‘auth required pam_env.so’ – the order is crucial, it doesn’t work correctly if you place it out of order.

Add the line ‘auth required pam_env.so’

#%PAM-1.0
  # This file is auto-generated.
  # User changes will be destroyed the next time authconfig is run.
  auth required pam_env.so
  auth required pam_tally.so onerr=fail deny=3 unlock_time=60 <===== add this line here
  auth sufficient pam_unix.so nullok try_first_pass
  auth requisite pam_succeed_if.so uid >= 500 quiet
  auth required pam_deny.so
  account required pam_unix.so
  account sufficient pam_succeed_if.so uid < 500 quiet
  account required pam_permit.so
  account required pam_tally.so reset <===== add this line here
  password requisite pam_cracklib.so try_first_pass retry=3
  password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
  password required pam_deny.so
  session optional pam_keyinit.so revoke
  session required pam_limits.so
  session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
  session required pam_unix.so

pam_tally2

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally2.so onerr=fail deny=3 unlock_time=60  <===== add this line here
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
account     required      pam_tally2.so  <===== add this line here, note, the 'reset' option has been dropped

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

Adding it all up

Okay , lets check that mrfoo has no unsuccesful logins

[root@foo log]# pam_tally2 -u mrfoo
Login           Failures Latest failure     From
mrfoo            0

mrfoo screws up is password 3 times and gets locked out, easily check by:

[root@foo log]# pam_tally2 -u mrfoo
Login           Failures Latest failure     From
mrfoo            3    03/26/13 10:22:28  192.168.1.50

We have a chat with mrfoo, give him a good bollocking, and tell him never to do it again…and then reset his password

[root@foo log]# pam_tally2 -r -u mrfoo

Login           Failures Latest failure     From
mrfoo            3    03/26/13 10:22:28  192.168.1.50

Check it has reset

[root@foo log]# pam_tally2 -u mrfoo
Login           Failures Latest failure     From
mrfoo            0
Advertisements

About hedscratchers

A UK ex-pat now living in the USA.
This entry was posted in Linux & Solaris and tagged , , , , . Bookmark the permalink.

4 Responses to pam_tally & pam_tally2

  1. Thanks! Other sites have wrong (old?) info, but following this I got pam_tally2 working just fine.

  2. Amit says:

    Thanks got some useful info,

  3. Frizzy says:

    Thanks – I was banging my head on how to clear the tally after login with pam_tally2!

  4. AB says:

    Hey, I really like ‘IT Vomit!’
    Thanks – I was finding out what’s the purpose of ‘account required pam_tally2.so’ which wasn’t explained in other sites. Now I know it’s for clearing the counter.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s