Bug 75374

Summary: fail_locktime in faillog not working
Product: [Retired] Red Hat Linux
Component: pam
Version: 7.1
Hardware: i386
OS: Linux
Reporter: Need Real Name <george.brown>
Assignee: Tomas Mraz <t8m>
QA Contact: Jay Turner <jturner>
CC: srevivo
Status: CLOSED DUPLICATE
Severity: medium
Priority: medium
Doc Type: Bug Fix
Last Closed: 2004-09-21 13:08:59 UTC

Description Need Real Name 2002-10-07 20:20:12 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.79 [en] (X11; U; Linux 2.4.18-3 i686)

Description of problem:
There is a disconnect between the documentation for pam_tally and faillog.  The doc
for pam_tally indicates that a user account may be locked out for the faillog
parameter fail_locktime.  But the faillog man pages do not mention this
parameter.  'faillog -h' prints a brief description of usage indicating that the
-l switch is used to set lock times.   I can see the counter count down, but when
it reaches zero the account is not re-enabled as expected.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1.  add these lines to /etc/pam.d/login

    auth    required  /lib/security/pam_tally.so  no_magic_root
    account required  /lib/security/pam_tally.so  deny=5 no_magic_root

2.  establish faillog file

    touch     /var/log/faillog
    chmod 644 /var/log/faillog

3.  set lock time to 10 seconds for username

    faillog -u username -l 10

4.  try to login with the username and wrong password for 5 times.
    wait for 11 seconds, then try again but with correct password.

Actual Results:  Account should be enabled.

Expected Results:  The fail counter should be reset, but the account is still
disabled.
There seems to be a hole in the docs with regard to fail_locktime.

Additional info:

The faillog utility has a switch, -m, which sets the maximum number of tries before the
account is locked.  This is also set with the deny switch in pam_tally.  I
found that the -m switch in faillog was ineffective.
Should the faillog -m switch override pam_tally?  The docs are unclear.

Comment 1 Tomas Mraz 2004-09-21 13:04:28 UTC
AFAIK, the fail_locktime should work like this: If you set it to, for
example, 30s then you won't be able to log in for 30s after the last
unsuccessful attempt.

Maybe it doesn't work anyway but it should with the patch for bug 60930.


*** This bug has been marked as a duplicate of 60930 ***
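The lock rule Tomas describes in Comment 1, replayed against the reporter's reproduction steps (deny=5, faillog -l 10, five bad passwords, then a correct one 11 seconds later), as an added example that is not part of the bug report, of pam_tally, or of shadow-utils. It models the per-uid record of /var/log/faillog using the field order of struct faillog from shadow-utils' faillog.h, packed in the i386 layout of this report; the format string, the constructed timestamps, the assumption that deny=5 refuses a login once the count reaches 5, and the assumption that fail_time holds the time of the most recent failure are all the example's own. fail_max (faillog -m) is decoded but deliberately not consulted, since the report leaves its precedence over deny= open.

```python
"""Model of the faillog record and the fail_locktime lock window.

Added example; not code from the bug report, pam_tally or shadow-utils.
Field order follows struct faillog in shadow-utils' faillog.h; the packed
sizes assume the i386 layout of this report (time_t and long are 4 bytes
each, no padding): 2 + 2 + 12 + 4 + 4 = 24 bytes per uid.
"""
import struct

# i386 layout: short fail_cnt, short fail_max, char fail_line[12],
# time_t fail_time, long fail_locktime.  '<' = fixed sizes, no padding.
FAILLOG_FMT = "<hh12sil"
FAILLOG_SIZE = struct.calcsize(FAILLOG_FMT)


def pack_record(fail_cnt, fail_max, fail_line, fail_time, fail_locktime):
    """Encode one record; the file holds one per uid at uid * FAILLOG_SIZE."""
    line = fail_line.encode()[:12].ljust(12, b"\0")
    return struct.pack(FAILLOG_FMT, fail_cnt, fail_max, line, fail_time, fail_locktime)


def unpack_record(raw):
    """Decode one record into a dict keyed by the struct field names."""
    cnt, mx, line, t, lock = struct.unpack(FAILLOG_FMT, raw)
    return {"fail_cnt": cnt, "fail_max": mx,
            "fail_line": line.rstrip(b"\0").decode(),
            "fail_time": t, "fail_locktime": lock}


def record_for_uid(image, uid):
    """Record for uid from a whole faillog image, or None when the file is
    too short to hold that uid (no failure was ever written for it)."""
    off = uid * FAILLOG_SIZE
    chunk = image[off:off + FAILLOG_SIZE]
    return unpack_record(chunk) if len(chunk) == FAILLOG_SIZE else None


def is_locked(rec, deny, now):
    """Lock rule from Comment 1: once fail_cnt reaches deny, refuse logins
    until fail_locktime seconds have passed since the last failure; a
    fail_locktime of 0 keeps the lock until an admin resets the count.

    Assumptions of this example: deny counts as reached at fail_cnt == deny
    (the reporter's 5 failures with deny=5), and fail_time is the time of
    the most recent failure.  fail_max (faillog -m) is carried in the
    record but not consulted: the report leaves its precedence open.
    """
    if rec is None or rec["fail_cnt"] < deny:
        return False
    if rec["fail_locktime"] == 0:
        return True
    return now - rec["fail_time"] < rec["fail_locktime"]


def record_failure(rec, now, line="tty1"):
    """Add one failed attempt to a record (a fresh record if None)."""
    if rec is None:
        rec = {"fail_cnt": 0, "fail_max": 0, "fail_line": line,
               "fail_time": 0, "fail_locktime": 0}
    return dict(rec, fail_cnt=rec["fail_cnt"] + 1, fail_time=now, fail_line=line)


def reproduce(deny=5, locktime=10, attempts=5, wait=11, t0=1_000_000):
    """Replay the reported steps with constructed timestamps: `attempts`
    wrong passwords one second apart, then a correct password `wait`
    seconds after the last failure.  Returns (locked one second after
    the last failure, locked after the wait)."""
    # 'faillog -u username -l 10' writes fail_locktime before any failure
    rec = {"fail_cnt": 0, "fail_max": 0, "fail_line": "",
           "fail_time": 0, "fail_locktime": locktime}
    for i in range(attempts):
        rec = record_failure(rec, t0 + i)
    # round-trip through the on-disk encoding to exercise the packing code
    rec = unpack_record(pack_record(**rec))
    last = rec["fail_time"]
    return is_locked(rec, deny, last + 1), is_locked(rec, deny, last + wait)


if __name__ == "__main__":
    print("locked 1s after 5th failure, 11s after:", reproduce())
```

Under this rule the reporter's step 4 should succeed after the 11-second wait without the counter being reset: the count still reads 5, and only the age of fail_time decides. The format string is i386-only; on 64-bit builds of shadow-utils time_t and long are 8 bytes and the record is padded to 32 bytes, so FAILLOG_FMT would have to change before reading a real file from such a system.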