Red Hat Bugzilla – Bug 328281
Pam_tally audit option is defective
Last modified: 2008-05-21 13:27:11 EDT
Description of problem:
Using the "audit" option in pam_tally eliminates the ability to lock out non-
root users after a set number of failed logins while simultaneously allowing
root to login after any number of failed logins.
Version-Release number of selected component (if applicable):
The following /etc/pam.d/login file will lock out all users, including root,
after three failed login attempts.
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth required pam_tally.so onerr=fail deny=3 audit
auth include system-auth
account required pam_nologin.so
account required pam_tally.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
Steps to Reproduce:
All users, including root, are locked out after 3+ consecutive failed login
Root should not be locked out, even after 3+ consecutive failed login attempts.
Removing the "audit" option will give the expected results.
Yes, the audit option erroneously activates the even_deny_root option.
With the same version of PAM, pam-0.99.6.2-3.14.el5, I have different behaviour.
I use the following lines in my system-auth:
auth sufficient /lib64/security/pam_unix.so try_first_pass likeauth
auth required /lib64/security/pam_tally.so onerr=fail deny=3
auth required /lib64/security/pam_deny.so
account required /lib64/security/pam_tally.so
account sufficient /lib64/security/pam_unix.so
account required /lib64/security/pam_deny.so
Failed logins increase the counter like this:
[root@home /tmp]# faillog -a
Login Failures Maximum Latest On
toto 5 0 10/18/07 13:30:23 +0000 pts/1
[root@home /tmp]# pam_tally
User toto (500) has 5
But I can still log in! (do su ...)
Same problem as in the following email:
I also tried the audit option with pam_tally but it didn't lock out any account!!
Can you confirm this BUG?
Remark: on RHEL4.2 pam_tally functions correctly.
(In reply to comment #2)
> With the same version of PAM, pam-0.99.6.2-3.14.el5, I have different behaviour.
> I use the following lines in my system-auth:
> auth sufficient /lib64/security/pam_unix.so try_first_pass likeauth
> md5 shadow
> auth required /lib64/security/pam_tally.so onerr=fail deny=3
> auth required /lib64/security/pam_deny.so
> account required /lib64/security/pam_tally.so
> account sufficient /lib64/security/pam_unix.so
> account required /lib64/security/pam_deny.so
This is a bad configuration.
pam_tally must be placed before pam_unix in the auth section.
Also it is completely unnecessary to put full path to module into the config file.
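As an added example, not code from this bug report or from Linux-PAM, the toy model below walks an auth stack with simplified "required"/"sufficient" semantics: it shows why the maintainer's ordering (pam_tally before a sufficient pam_unix) enforces the deny=3 lockout while comment #2's ordering lets a correct password bypass it, and reproduces the root lockout from the description by forcing even_deny_root, as the audit option erroneously did. The users, passwords and module classes are constructed stand-ins.

```python
# Constructed model of how Linux-PAM walks an auth stack; the module classes,
# users and passwords are hypothetical stand-ins, not the real modules.
PAM_SUCCESS, PAM_AUTH_ERR = "success", "auth_err"
USERS = {"toto": "secret", "root": "hunter2"}   # constructed credentials

class Tally:
    """Stand-in for pam_tally: counts every auth call, denies once past `deny`.
    (The real module also resets the count in its account phase; not modelled.)"""
    def __init__(self, deny=3, even_deny_root=False):
        self.deny, self.even_deny_root, self.count = deny, even_deny_root, {}
    def __call__(self, user, password):
        self.count[user] = self.count.get(user, 0) + 1
        over_limit = self.count[user] > self.deny
        if over_limit and (user != "root" or self.even_deny_root):
            return PAM_AUTH_ERR
        return PAM_SUCCESS

def unix_auth(user, password):          # stand-in for pam_unix
    return PAM_SUCCESS if USERS.get(user) == password else PAM_AUTH_ERR

def pam_deny(user, password):           # stand-in for pam_deny
    return PAM_AUTH_ERR

def run_auth_stack(stack, user, password):
    """Simplified Linux-PAM semantics for the "required" and "sufficient" controls."""
    required_failed = False
    for control, module in stack:
        rc = module(user, password)
        if control == "required" and rc != PAM_SUCCESS:
            required_failed = True      # remembered, but the stack keeps running
        elif control == "sufficient" and rc == PAM_SUCCESS and not required_failed:
            return PAM_SUCCESS          # short-circuit: later lines never run
    return PAM_AUTH_ERR if required_failed else PAM_SUCCESS

def lockout_enforced(build_stack, user="toto"):
    """Three wrong passwords, then the right one: True if the 4th try is refused."""
    stack = build_stack()
    for _ in range(3):
        run_auth_stack(stack, user, "wrong")
    return run_auth_stack(stack, user, USERS[user]) == PAM_AUTH_ERR

def good_stack(even_deny_root=False):   # maintainer's order: tally before pam_unix
    return [("required", Tally(even_deny_root=even_deny_root)),
            ("sufficient", unix_auth), ("required", pam_deny)]

def bad_stack():                        # comment #2's order: sufficient pam_unix first
    return [("sufficient", unix_auth), ("required", Tally()), ("required", pam_deny)]
```

With the good ordering the fourth attempt is refused for toto but not for root; passing even_deny_root=True reproduces the root lockout the reporter saw with the audit option.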
Effectively, it was a stupid mistake due to "sufficient" in the control field.
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release. Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products. This request is not yet committed for inclusion in an Update
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.