Description of problem:
When I use this:
auth required pam_tally2.so deny=5 onerr=fail
then pam_tally2 counts a failed login attempt each time I (successfully) run sudo. When I use:
auth required pam_tally2.so deny=5 onerr=fail magic_root
then pam_tally2 does not count anything any more (not even failed login attempts by unprivileged users).

Version-Release number of selected component (if applicable):
pam-1.0.91-1.fc11.x86_64

How reproducible:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
# auth sufficient pam_unix.so nullok try_first_pass
auth required pam_unix.so nullok try_first_pass
# auth requisite pam_succeed_if.so uid >= 500 quiet
# auth required pam_deny.so
# auth required /lib64/security/pam_tally.so onerr=fail deny=5 unlock_time=180 even_deny_root_account
auth required pam_tally2.so deny=5 onerr=fail magic_root
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
# account required /lib64/security/pam_tally.so
account required pam_tally2.so
# password requisite pam_cracklib.so try_first_pass retry=3
password requisite pam_passwdqc.so min=disabled,disabled,16,12,8
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

then run:
sudo sh
and watch your tally go up in:
pam_tally --username ($name)

Expected results:

Additional info:
Does it help if you move the 'account required pam_tally2.so' line right after the pam_unix account line?
Whoops yes that seems to make all the difference. Sorry for any inconvenience caused.
So, what is the "real" purpose of magic_root? If I use "magic_root", failed logins don't count!! Thanks in advance!
It's possible that sudo calls pam with the real uid == 0. In that case it is not possible to use the magic_root option. su should call it with the real uid of the calling user, and there it makes sense, because su <user> from the root account could reset the tally without this option. It is also possible to skip over pam_tally2 with pam_succeed_if, though. But generally using this option is not needed.
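As an added illustration, not part of the bug report and not pam_tally2's own code: a small Python model of the two points made in this thread, the account-line ordering from the first reply (a 'sufficient' account module that succeeds before the pam_tally2 account line means the tally is never reset, so successful sudo runs still count) and the magic_root real-uid rule from the reply above. The required/sufficient evaluation is a reduced model of PAM's control flags, and the user names and uids are constructed assumptions.

```python
# Added example (not from the bug report or pam_tally2): a simplified model of
# the thread's two points. pam_tally2 counts in the auth phase and resets in the
# account phase, so a 'sufficient' account module before the pam_tally2 account
# line short-circuits the reset; magic_root skips counting when the caller's
# real uid is 0 (as sudo's may be). Stack handling is a reduced model, not libpam.
DENY = 5  # deny=5, as in the report's configuration; users/uids are constructed


def tally2_auth(tally, user, ruid, magic_root):
    """auth phase: count the attempt unless magic_root and the real uid is 0."""
    if magic_root and ruid == 0:
        return "success"
    tally[user] = tally.get(user, 0) + 1
    return "failure" if tally[user] > DENY else "success"


def tally2_account(tally, user):
    """account phase: resets the tally, but only if this line is reached."""
    tally[user] = 0
    return "success"


def run_stack(stack):
    """Reduced PAM control flags: a 'sufficient' success ends the stack early
    unless a 'required' module has already failed."""
    failed = False
    for ctrl, module in stack:
        result = module()
        if ctrl == "required" and result != "success":
            failed = True
        elif ctrl == "sufficient" and result == "success" and not failed:
            return "success"
    return "failure" if failed else "success"


def sudo_attempt(tally, user, ruid, password_ok, magic_root, reset_first):
    """One sudo authentication: auth stack, then account stack if auth passed."""
    auth = [("required", lambda: "success" if password_ok else "failure"),  # pam_unix
            ("required", lambda: tally2_auth(tally, user, ruid, magic_root))]
    if run_stack(auth) != "success":
        return "denied"
    reset = ("required", lambda: tally2_account(tally, user))
    account = [("required", lambda: "success")]             # pam_unix account
    if reset_first:                                         # placement from the reply
        account.append(reset)
    account += [("sufficient", lambda: "success"),          # pam_localuser (local user)
                ("required", lambda: "success")]            # pam_permit
    if not reset_first:                                     # placement from the report
        account.append(reset)
    run_stack(account)
    return "granted"
```

With the report's placement a successful sudo leaves the tally at 1 because pam_localuser ends the account stack first; with the reply's placement the reset runs and the tally returns to 0, while magic_root with real uid 0 counts nothing at all.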
Great explanation! Thanks in advance! :-)